lanman pwd hash (Re: [SCM] Samba Shared Repository - branch master updated)

Matthias Dieter Wallnöfer mdw at samba.org
Wed Jun 23 01:08:21 MDT 2010


Hi metze,

I reject it when the lanman auth is deactivated. But otherwise it should 
be enabled (think of "dcesrv_samr_ChangeOemPassword2" which manipulates 
only the lanman hash - tested using the passwords torture test). 
Therefore it should also be valid to have only a "dBCSPwd" attribute in 
the DB (I also read the MS-SAMR documentation and this seems possible). 
But this patch prevents a change which would delete all password 
attributes - which is fatal.

This work is still not complete since there are some outstanding 
differences in behaviour s4 <-> torture SAMR passwords.

Matthias

Stefan (metze) Metzmacher wrote:
> Hi Matthias,
>
>    
>> commit 0e637be43b584aef9f5101d15ae5bdc1172c5502
>> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
>> Date:   Mon Jun 21 19:40:50 2010 +0200
>>
>>      s4:password_hash LDB module - fix another problem regarding the lanman hash
>>
>>      When a user provides only the lanman hash (and nothing else) and the
>>      lanman authentication is deactivated then we end in an account with no
>>      password attribute at all! Lock this down.
>>      
> I think the correct behavior is to reject the password change in that case.
>
> metze
>
>    


