Implementing LDAP Passwd sync [was] Re: NT Password Change Behavior

Matt Pavlovich mpav at
Wed Mar 20 13:49:01 GMT 2002

> Apart from Win9X and earlier clients (and I'm not 100% on exactly which versions)
> you should be able to implement this, either as a 'unix password sync' program 
> or a patch to passdb/pdb_get_set.c:pdb_set_plaintext_password() and to 
> passdb/pdb_ldap.c.  (That is, keep the plaintext in the SAM_ACCOUNT, and
> just set the extra attributes in init_ldap_from_sam()).

Instead of trying to muck w/ the various LDAP password fields, I think I
will just implement the ldap exop (Supported by OpenLDAP and
Netscape/iPlanet) for changing the password.  That should work for
most-- exceptions will have to live with 'unix password sync'.

I see the following fields in the SAM_ACCOUNT definition:

 pstring unknown_str ; /* don't know what this is, yet. */
 uint32 unknown_3; /* 0x00ff ffff */
 uint32 unknown_5; /* 0x0002 0000 */
 uint32 unknown_6; /* 0x0000 04ec */

Will adding a new field to the SAM_ACCOUNT structure break anything?  i.e.,
are there functions that access data via offsets, sizeof() etc?

Also, it looks as though password updates are handled just like any
other update to the account through pdb_update_samba_account().

local_password_change() calls -> pdb_update_samba_account()

If I add the exop to update the password every time
pdb_update_samba_account() runs, there will be cases in which that
operation is not necessary.  Another option would be to add a boolean
field (PASSWORD_UPDATE) that is set in local_password_change(), and to
look for that when doing a pdb_update_samba_account().    

Preference?  Are there any other cases where a PASSWORD_UPDATED field
would be useful?

Matt Pavlovich
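
The LDAP exop mentioned in the message above is the Password Modify extended operation (RFC 3062). As an added example, not code from the post or from Samba, this sketch BER-encodes its request value; the function names and the sample DN and password are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* OID of the LDAP Password Modify extended operation (RFC 3062). */
#define PASSWD_MODIFY_OID "1.3.6.1.4.1.4203.1.11.1"

/* Write a BER definite length; returns bytes written (1..3), 0 if too large. */
static size_t ber_put_len(unsigned char *out, size_t len)
{
    if (len < 0x80) { out[0] = (unsigned char)len; return 1; }
    if (len <= 0xff) { out[0] = 0x81; out[1] = (unsigned char)len; return 2; }
    if (len > 0xffff) return 0;
    out[0] = 0x82; out[1] = (unsigned char)(len >> 8); out[2] = (unsigned char)len;
    return 3;
}

/* Append one context-tagged OCTET STRING; an absent OPTIONAL field is NULL. */
static int put_field(unsigned char *buf, size_t cap, size_t *pos,
                     unsigned char tag, const char *s)
{
    unsigned char hdr[3];
    size_t n, h;
    if (s == NULL) return 0;
    n = strlen(s);
    h = ber_put_len(hdr, n);
    if (h == 0 || *pos + 1 + h + n > cap) return -1;
    buf[(*pos)++] = tag;
    memcpy(buf + *pos, hdr, h); *pos += h;
    memcpy(buf + *pos, s, n);   *pos += n;
    return 0;
}

/* PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1],
 * newPasswd [2] }, all OPTIONAL OCTET STRINGs. Returns encoded length, 0 on
 * error. The new password is sent as cleartext inside this value, so the
 * LDAP session carrying it needs TLS. */
size_t passwd_modify_encode(unsigned char *out, size_t cap, const char *user_dn,
                            const char *old_pw, const char *new_pw)
{
    unsigned char body[512], hdr[3];
    size_t pos = 0, h;
    if (put_field(body, sizeof body, &pos, 0x80, user_dn) ||
        put_field(body, sizeof body, &pos, 0x81, old_pw) ||
        put_field(body, sizeof body, &pos, 0x82, new_pw))
        return 0;
    h = ber_put_len(hdr, pos);
    if (h == 0 || 1 + h + pos > cap) return 0;
    out[0] = 0x30;                       /* universal SEQUENCE, constructed */
    memcpy(out + 1, hdr, h);
    memcpy(out + 1 + h, body, pos);
    return 1 + h + pos;
}
```

The encoded value is what goes in the requestValue of an ExtendedRequest whose requestName is PASSWD_MODIFY_OID.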
