Winbindd change password request

Alexey Kobozev cobedump at gmail.com
Thu Jun 8 16:41:37 GMT 2006


Andrew,

Great, I'll hopefully post the patch during the next week.

And one more question. There is Active Directory search
functionality in winbind, but it's not available through the
request/response interface. So, I think it is one more thing
that could be extremely useful for applications that use Samba
for integration with Windows in a *nix environment.

I'll prepare the patch for this as well, so we'll be able to
discuss it more closely.

Thanks.
-Alexey

Andrew Bartlett wrote:
> On Wed, 2006-06-07 at 13:06 +0200, Alexey Kobozev wrote:
>> Hi list!
>>
>> I'm implementing the authentication against AD using MSCHAPv2
>> protocol including the password change. As far as I see, the
>> latest Samba has only the plain text password change request
>> to winbindd - WINBINDD_PAM_CHAUTHTOK, but during an MSCHAPv2
>> password change I don't have the old plaintext password.
>>
>> I've checked the sources and it seems to me quite a simple task.
>> WINBINDD_PAM_CHAUTHTOK converts the new and old plain text passwords
>> to 4 pieces: new_nt_password, old_nt_hash_enc, new_lm_password and
>> old_lanman_hash_enc -> then sends the request through RPC. During
>> MSCHAPv2 I already have these 4 parameters, so I just need the ability
>> to send them through the winbindd request.
>>
>>
>> So my question is: are you guys planning to implement this
>> functionality? Or can this be made available as a patch or as part
>> of the next release?
> 
> So, the best way to do this would be to extend ntlm_auth with a new
> helper protocol, which supplies these parameters.  Then the winbind
> protocol can be extended, and the backend fixed up.
> 
> I'm happy to help review patches to do this.
> 
> Andrew Bartlett

