[s4] Passwords work

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Fri Dec 18 08:14:32 MST 2009


Yeah, added to the long todo queue...

----- Original Message -----
> From: samba-technical-bounces at lists.samba.org <samba-technical-bounces at lists.samba.org>
> To: samba-technical <samba-technical at lists.samba.org>, Matthias Dieter Wallnöfer <mdw at samba.org>
> Sent: Friday, December 18, 2009 11:34:15 AM GMT+0200 Europe;Athens
> Subject: [s4] Passwords work

> > I would like to inform you (s4 developers) that my password work has 
> been finished. The "samdb_set_password" call is cleaned up (only the 
> essential instructions) and all the other checks moved to the 
> "password_hash" LDB module.
> The reason for this is that AD supports the password handling not only 
> 
> over the RPCs or KERBEROS ("samdb_set_password" in our case) but also 
> directly by LDAP attribute manipulation. With my patchset we should 
> always be safe now regarding the policies (since previously we weren't 
> 
> on direct LDAP changes).
> To be interoperable with the "real AD" I implemented the behaviour 
> according to MS-ADTS 3.1.1.3.1.5. In addition to the specification 
> which 
> seems to allow password changes only by the "unicodePwd" and 
> "userPassword" attribute, my patch supports them also through 
> "clearTextPassword" and "dBCSPwd" (if LANMAN auth is enabled). I added 
> 
> this for completeness and it didn't make a lot of difference to 
> implement also this.
> The tree is located at 
> http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/passwords and 
> passes "make test".
> 
> In my eyes the last task left to do is to enhance the ACL module to 
> make 
> sure who has the privileges to change a password or who hasn't. This 
> is 
> also specified in MS-ADTS 3.1.1.3.1.5. I hope that Nadja is interested 
> 
> to perform this last task (since I'm really not specialist regarding 
> ACLs).
> 
> Of course on qustions and concerns please ask!
> 
> Matthias


More information about the samba-technical mailing list