User can't change password bit ?

Guenther Deschner gd at
Thu Jul 6 15:44:33 GMT 2006

Hi Jerry,

On Thu, Jul 06, 2006 at 11:43:35AM +1000, Andrew Bartlett wrote:
> On Wed, 2006-07-05 at 20:24 -0500, Gerald (Jerry) Carter wrote:
> > 
> > Andrew Bartlett wrote:
> > 
> > >> Since we moved to 32-bit acb flags, do you feel
> > >> better about the proposed patch ?  Could we just grab one
> > >> of the high order bits and hope ?
> > > 
> > > Microsoft is still expanding this bitfield.  All the bits up to
> > > 0x0080000 are used already.  (See samr.idl).
> > 
> > Yes I know.  Do you have a better suggestion without
> > implementing full security descriptors?
> A samba-specific additional attribute in LDAP, where we can store other
> flags not well-represented by windows attributes?  Or a custom
> privilege?

Hm, I'm just a bit afraid of internal samba LDAP attributes and their
future changes. When we would implement that using security descriptors we
would have some information overhead on the one side but would be sure
that we just need to change the LDAP schema once when saving it just as a
blob (similar to the mungedDial). When using a samba LDAP attribute I'm
just afraid that we're wanting to change it or its implementation sooner
or later which gets a bit painful.

If you think real security descriptors are too much overhead then we could
use the 0x80000000 bit and make sure pdb_get_acct_ctrl never gives that
out. While writing this I realize this will always be hacky...


Günther Deschner                    GPG-ID: 8EE11688
Novell / SUSE Labs                        gd at
Samba Team                              gd at
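
An added example, not part of the original message and not Samba code: a sketch of the "reserve 0x80000000 and never give it out" idea, showing that the private bit has to be filtered on both the outbound and the inbound path, plus a check for the collision risk raised earlier in the thread. All function, struct and macro names are hypothetical, and the known-bits mask is constructed from the statement that all bits up to 0x0080000 are in use.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names and values for illustration; not Samba's definitions. */
#define ACB_PRIV_NO_PW_CHANGE 0x80000000u /* private bit proposed in the thread */
#define ACB_WIRE_KNOWN        0x000FFFFFu /* constructed: bits up to 0x00080000 */

struct acct { uint32_t stored_flags; };   /* wire bits plus the private bit */

/* Outbound: the only value a getter may hand to remote clients. */
uint32_t acct_flags_for_wire(const struct acct *a)
{
    return a->stored_flags & ~ACB_PRIV_NO_PW_CHANGE;
}

/* Inbound: a client-supplied value can neither set nor clear the private bit. */
void acct_set_flags_from_wire(struct acct *a, uint32_t wire)
{
    uint32_t keep = a->stored_flags & ACB_PRIV_NO_PW_CHANGE;
    a->stored_flags = (wire & ~ACB_PRIV_NO_PW_CHANGE) | keep;
}

/* Local administrative path: the only place the private bit changes. */
void acct_set_no_pw_change(struct acct *a, int on)
{
    if (on) a->stored_flags |= ACB_PRIV_NO_PW_CHANGE;
    else    a->stored_flags &= ~ACB_PRIV_NO_PW_CHANGE;
}

int acct_may_change_password(const struct acct *a)
{
    return (a->stored_flags & ACB_PRIV_NO_PW_CHANGE) == 0;
}

/* Returns 1 once the protocol's own bitfield has grown into the private bit. */
int acb_private_bit_collides(uint32_t wire_known_mask)
{
    return (wire_known_mask & ACB_PRIV_NO_PW_CHANGE) != 0;
}

int main(void)
{
    struct acct a = { 0x00000010u };           /* constructed sample flags */
    acct_set_no_pw_change(&a, 1);
    acct_set_flags_from_wire(&a, 0x00000210u); /* client write omits the bit */
    printf("wire=0x%08x may_change=%d\n",
           (unsigned)acct_flags_for_wire(&a), acct_may_change_password(&a));
    printf("collides=%d\n", acb_private_bit_collides(ACB_WIRE_KNOWN));
    return 0;
}
```
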