[s4] Passwords work
Matthias Dieter Wallnöfer
mdw at samba.org
Fri Dec 18 02:38:51 MST 2009
I would like to inform you (s4 developers) that my password work has
been finished. The "samdb_set_password" call is cleaned up (only the
essential instructions) and all the other checks moved to the
"password_hash" LDB module.
The reason for this is that AD supports the password handling not only
over the RPCs or KERBEROS ("samdb_set_password" in our case) but also
directly by LDAP attribute manipulation. With my patchset we should
always be safe now regarding the policies (since previously we weren't
on direct LDAP changes).
To be interoperable with the "real AD" I implemented the behaviour
according to MS-ADTS 3.1.1.3.1.5. In addition to the specification which
seems to allow password changes only by the "unicodePwd" and
"userPassword" attribute, my patch supports them also through
"clearTextPassword" and "dBCSPwd" (if LANMAN auth is enabled). I added
this for completeness and it didn't make a lot of difference to
implement this as well.
The tree is located at
http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/passwords and
passes "make test".
In my eyes the last task left to do is to enhance the ACL module to make
sure who has the privileges to change a password or who hasn't. This is
also specified in MS-ADTS 3.1.1.3.1.5. I hope that Nadja is interested
to perform this last task (since I'm really not a specialist regarding ACLs).
Of course, if you have questions or concerns, please ask!
Matthias
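
The direct LDAP path mentioned in the message, as an added example that is not part of the original e-mail and is not Samba's code: under MS-ADTS 3.1.1.3.1.5 a "unicodePwd" value is the password in double quotes encoded as UTF-16LE, a delete followed by an add is a password change, and a replace is a reset. The function names, the DN and the passwords are constructed for illustration, and only "unicodePwd" is covered.

```python
import base64

def encode_unicode_pwd(password):
    # AD expects the password wrapped in double quotes, encoded as UTF-16LE.
    return ('"' + password + '"').encode("utf-16-le")

def decode_unicode_pwd(value):
    # Reject anything that is not a quoted UTF-16LE string.
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError as exc:
        raise ValueError("unicodePwd is not valid UTF-16LE") from exc
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd is not surrounded by double quotes")
    return text[1:-1]

def classify_modify(mods):
    """mods: ordered (op, attribute, [values]) tuples of one LDAP modify.
    Returns "change", "reset", or None when unicodePwd is not touched."""
    pwd = [(op, vals) for op, attr, vals in mods if attr.lower() == "unicodepwd"]
    if not pwd:
        return None
    for _, vals in pwd:
        if len(vals) != 1:
            raise ValueError("exactly one unicodePwd value per operation")
        decode_unicode_pwd(vals[0])
    ops = [op for op, _ in pwd]
    if ops == ["replace"]:
        return "reset"    # no old password supplied
    if ops == ["delete", "add"]:
        return "change"   # the delete value must match the current password
    raise ValueError("unsupported unicodePwd operation sequence: %r" % ops)

def change_ldif(dn, old, new):
    # LDIF for a password change; "::" marks base64-encoded binary values.
    b64 = lambda p: base64.b64encode(encode_unicode_pwd(p)).decode("ascii")
    return "\n".join([
        "dn: " + dn, "changetype: modify",
        "delete: unicodePwd", "unicodePwd:: " + b64(old), "-",
        "add: unicodePwd", "unicodePwd:: " + b64(new), "-", ""])

if __name__ == "__main__":
    # Constructed sample DN and passwords, for illustration only.
    print(change_ldif("CN=alice,CN=Users,DC=example,DC=com", "Old-Pw1", "New-Pw2"))
```

Policy checks placed behind `classify_modify` apply to every caller of the LDAP path, which is the reason the message gives for moving them out of "samdb_set_password".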