[s4] Passwords work
Nadezhda Ivanova
nadezhda.ivanova at postpath.com
Fri Dec 18 08:14:32 MST 2009
Yeah, added to the long todo queue...
----- Original Message -----
> From: samba-technical-bounces at lists.samba.org <samba-technical-bounces at lists.samba.org>
> To: samba-technical <samba-technical at lists.samba.org>, Matthias Dieter Wallnöfer <mdw at samba.org>
> Sent: Friday, December 18, 2009 11:34:15 AM GMT+0200 Europe;Athens
> Subject: [s4] Passwords work
> I would like to inform you (s4 developers) that my password work has
> been finished. The "samdb_set_password" call is cleaned up (only the
> essential instructions) and all the other checks moved to the
> "password_hash" LDB module.
>
> The reason for this is that AD supports the password handling not only
> over the RPCs or KERBEROS ("samdb_set_password" in our case) but also
> directly by LDAP attribute manipulation. With my patchset we should
> always be safe now regarding the policies (since previously we weren't
> on direct LDAP changes).
>
> To be interoperable with the "real AD" I implemented the behaviour
> according to MS-ADTS 3.1.1.3.1.5. In addition to the specification which
> seems to allow password changes only by the "unicodePwd" and
> "userPassword" attribute, my patch supports them also through
> "clearTextPassword" and "dBCSPwd" (if LANMAN auth is enabled). I added
> this for completeness and it didn't make a lot of difference to
> implement also this.
>
> The tree is located at
> http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/passwords and
> passes "make test".
>
> In my eyes the last task left to do is to enhance the ACL module to make
> sure who has the privileges to change a password or who hasn't. This is
> also specified in MS-ADTS 3.1.1.3.1.5. I hope that Nadja is interested
> to perform this last task (since I'm really not a specialist regarding
> ACLs).
>
> Of course on questions and concerns please ask!
>
> Matthias