--with-cracklib for Samba

Andrew Bartlett abartlet at samba.org
Thu Jan 16 20:38:00 GMT 2003 

On Fri, 2003-01-17 at 06:43, Pierre Belanger wrote:
> Hi,
> 
> I need "expert" comments on the following, it's "kind of"
> related to "cracklib". I could dig another 3 hours in the
> code but I prefer to keep that 3 hours for cracklib ;-)
> 
> - rpc_server/srv_samr_nt.c line ~ 2836 & line ~ 2898 :
> 
>    /* update the UNIX password */
>    if (lp_unix_password_sync() )
>      if(!chgpasswd(pdb_get_username(pwd), "",
>        plaintext_buf, True)) {
>          pdb_free_sam(&pwd);
>          return False;
>        }
>      }
>    ZERO_STRUCT(plaintext_buf);
> 
>    if(!pdb_update_sam_account(pwd)) {
>      pdb_free_sam(&pwd);
>      return False;
>    }
> 
> 
>    [Q] can't we use change_oem_password()?
> 
> 
>    From smbd/chgpasswd.c line ~ 986. The only big
>    difference is the IS_SAM_UNIX_USER plus the
>    "become_root()" before calling pdb_update_sam_account().
>    [ My previous words is what I'd need to dig into... ]
> 
>    if(lp_unix_password_sync() && IS_SAM_UNIX_USER(hnd)
>      && !chgpasswd(pdb_get_username(hnd),
>      old_passwd, new_passwd, False)) {
>                  return NT_STATUS_ACCESS_DENIED;
>          }
> 
>          if (!pdb_set_plaintext_passwd (hnd, new_passwd)) {
>                  return NT_STATUS_ACCESS_DENIED;
>          }
> 
>          /* Now write it into the file. */
>          become_root();
>          ret = pdb_update_sam_account (hnd);
>          unbecome_root();
> 
> If we can use change_oem_password() in
>    rpc_server/srv_samr_nt.c
> then I guess we can also remove the following from
> smbd/chgpasswd.c ~ line 492 in chgpasswd() since we
> already check for this in change_oem_password() :
> 
>    /* Take the passed information and test it for minimum criteria */
>    /* Minimum password length */
>    if (strlen(newpass) < lp_min_passwd_length()) {
>          /* too short, must be at least MINPASSWDLENGTH */
>      DEBUG(0, ("Password Change: user %s, New password is shorter"
>                 "than minimum password length = %d\n",
>                 name, lp_min_passwd_length()));
>      return (False); /* inform the user */
>    }
> 
> 
> If we can't use it, is it because we want to skip the
> account_policy_get() in change_oem_password()? 

These are administrative password changes, so we do not want to impose
those kind of checks on the password.  The strlen stuff is historical,
and is mainly there because we might be talking to any vendor's
/bin/passwd, and we don't want their internal paranoia getting in our
way.  We can probably kill it.

> I'd also
> like to move from smbd/chgpasswd.c line 501 in chgpasswd()
> 
>          /* Password is same as old password */
>          if (strcmp(oldpass, newpass) == 0) {
> 
> to change_oem_password , so all "check / policy to change
> passwords would call from the same place".

It is very rare that we have the old password, so this check is
redundant most of the time.

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030116/6dd2fb03/attachment.bin

More information about the samba-technical mailing list