NT Password Change Behavior

abartlet at samba.org
Tue Mar 19 17:16:06 GMT 2002


On Tue, Mar 19, 2002 at 04:14:53PM -0600, Matt Pavlovich wrote:
> Jeremy-
> 
> My goal is to write a quick and dirty patch to OpenLDAP to sync
> passwords across all the password fields of a user.  This could also be
> done easily with Netscape/iPlanet's pre-op plugin mechanism.
> 
> Let me see if I have this correctly.. 
> 
> 1) There are multiple 'update password' methods
> 2) One passes the clear password to the PC
> 3) Another method passes the LM of the new password to the PDC
> 4) The last sends plaintext encrypted by hash (LM Hash?) of old password
> 
> So.. it is this correct:
> 1) The PDC will *not* always have access to the clear text of the
> password being changed.  
> 2) There is no way to force all clients (9x,NT,2k,XP) to behave in the
> same way (pass PDC clear text of new password)

The holdouts are clients <= Win95.  I know Win98 will send the cleartext 
(encrypted with the old hash).  The reason for this is that MS implements 
(or allows others to implement) 'password filters' which are mainly to
ensure password quality.  These need the plaintext at the server.  The other
thing they need this for is when Win9X changes a password, it needs somebody to 
make the NT hash (the client doesn't do NT in this case)

> This is really ugly.  This means that it is impossible to implement a
> password synchronization service/function on the directory of a LDAP
> backed Samba PDC, to synchronize b/w NT/LM hashes, and crypt|sha|md5.
> Even when you have "interoperability", their implementation is so
> hosed, you can't achieve true seamless integration.

Apart from Win9X and earlier clients (and I'm not 100% on exactly which versions)
you should be able to implement this, either as a 'unix password sync' program 
or a patch to passdb/pdb_get_set.c:pdb_set_plaintext_password() and to 
passdb/pdb_ldap.c.  (That is, keep the plaintext in the SAM_ACCOUNT, and
just set the extra attributes in init_ldap_from_sam()).

Andrew Bartlett   
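The two pieces of this exchange that are worth seeing in code are (a) why the "cleartext encrypted with the old hash" change method leaves the server holding the plaintext, and (b) what a sync hook does with that plaintext once it has it. The block below is an added example written for this archive page; it is not code from either poster or from Samba. It takes the RC4 form of the mechanism: a 516-byte buffer (512 bytes of random pad followed by the new password in UTF-16LE, then a 4-byte little-endian length) RC4-encrypted under the old NT hash, which is the SAMPR_ENCRYPTED_USER_PASSWORD layout used by the SAMR ChangePasswordUser2 call. The LM-hash-keyed variant carried over the older SMB call, and the LM hash itself (which needs DES), are not shown. The companion verifier that SAMR also carries (the old NT hash DES-encrypted under the new one) is not implemented either; the decoder here only sanity-checks the decrypted length, which is what distinguishes a correct old hash from a wrong one in practice. MD4 is written out in pure Python because OpenSSL ships it only in its legacy provider, so hashlib.new("md4") is not reliably available. The attribute names (sambaNTPassword from the Samba 3 schema; the 2.2-era schema used ntPassword) and the choice of {SSHA} for userPassword are assumptions for illustration, as are all function names.

```python
import base64
import hashlib
import os
import struct
from typing import Optional

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 lives in OpenSSL's legacy provider."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        r = list(state)  # working registers a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                t = (r[0] + fn(r[1], r[2], r[3]) + x[idx] + k) & _MASK
                r[0] = _rotl(t, shifts[i % 4])
                r = [r[3], r[0], r[1], r[2]]  # rotate so the next step updates d, then c, then b
        state = [(s + v) & _MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_new_password(new_password: str, old_nt_hash: bytes) -> bytes:
    """Client side: SAMPR_ENCRYPTED_USER_PASSWORD, 516 bytes, RC4 keyed on the old NT hash."""
    pw = new_password.encode("utf-16-le")
    if len(pw) > 512:
        raise ValueError("password too long for the 512-byte buffer")
    buf = os.urandom(512 - len(pw)) + pw + struct.pack("<I", len(pw))
    return rc4(old_nt_hash, buf)


def decrypt_new_password(blob: bytes, old_nt_hash: bytes) -> Optional[str]:
    """Server side: recover the plaintext; a wrong old hash gives an implausible length."""
    if len(blob) != 516:
        return None
    buf = rc4(old_nt_hash, blob)
    (length,) = struct.unpack("<I", buf[512:])
    if length > 512 or length % 2:
        return None
    try:
        return buf[512 - length:512].decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def ssha_userpassword(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode("utf-8") + raw[20:]).digest() == raw[:20]


def derive_sync_attributes(new_password: str, salt: bytes) -> dict:
    """What a sync hook would write once it holds the plaintext (attribute names assumed)."""
    return {
        "sambaNTPassword": nt_hash(new_password).hex().upper(),
        "userPassword": ssha_userpassword(new_password, salt),
    }


if __name__ == "__main__":
    old, new = "password", "Correct-Horse-42"          # constructed sample credentials
    blob = encrypt_new_password(new, nt_hash(old))     # what a client-side change sends
    print(decrypt_new_password(blob, nt_hash(old)))    # server recovers the plaintext
    print(decrypt_new_password(blob, nt_hash("wrong")))  # wrong old password: rejected
    print(derive_sync_attributes(new, b"salty"))
```

The server-side decode is the point the thread makes: the PDC never needs the new password's hash from the client, because it is handed the plaintext and can compute the NT hash itself, which is also why Win9x clients that cannot produce an NT hash still end up with one stored.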



