Password change code

Andrew Bartlett abartlet at
Sun Jul 14 19:08:01 GMT 2002

Patrick McCarty wrote:
> Hey again,
> I'm just starting to make sense of all this fun password change code.

Hmm, its still a bit more complex than that.

> I've started writing a function which I intended to be a master
> function, but I see now that it really more of a super
> pdb_set_plaintext_password, with a little extra something.

Well, you can't change that function - becouse it is used by other
code.  But you can write another (better) wrapper.
> >From what I can tell, it seems that the sequence of password changes,
> while sometimes skipping a step, goes like this:
>   pass_oem_change -> change_oem_password ->
>       check_oem_password -> pdb_set_plaintext_password
> Ideally, (if this diagram is somewhat correct), I'd like to write
> something that merges all those steps into something a bit more logical.
> How far off base am I?

Well, the LM password change code doesn't set the plaintext, the two
'main' password change mechisms are as described.  The SAMR calls wraps
the lanman.c RAP call.  That is, they both take a 'blob' containing the
obscured old and new passwords (in a sort of challange-response kind of
format).  These get authenticated by the check_oem_password() code,
which returns the new, plaintext password.

The oddball call is api_SetUserPassword() in lanman.c, which can get
either a plaintext old and new password (win98, authenticated via the
normal code paths) or a LM hash only.

> Oh, and Andrew, thanks for putting up with my constant pestering and
> questions =)

Looking at the code:

Firstly, when I say that the incoming password is an LM hash, it means
that it is already hashed.

Also, if you change only the LM hash, you should invalidate (set to
NULL) the NT hash.

If the password is too short, return NT_STATUS_PASSWORD_RESTRICTION, or
whatever NT returns for that error.  This ensures we get the right error
message on the client.

Finally, put the 'unix password sync' code inside this function, but
don't call it for machine accounts.  

Do this bit inside its own 'wrapper' function, that the RPC-based
adminstrative password changes can also use.

We should test if machines are premitted to change their password this
way at all.  (They *should* make a netlogon call).

Did I mention this code is complex?

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list