[s4] Passwords work
Nadezhda Ivanova
nadezhda.ivanova at postpath.com
Fri Dec 18 08:19:43 MST 2009
By the way, shouldn't we only be able to do that if we use LDAP over SSL? I have a vague memory that Windows does not let you do it via a non-encrypted connection; perhaps I am wrong...
----- Original Message -----
> From: samba-technical-bounces at lists.samba.org <samba-technical-bounces at lists.samba.org>
> To: samba-technical-bounces at lists.samba.org <samba-technical-bounces at lists.samba.org>, mdw at samba.org <mdw at samba.org>, samba-technical at lists.samba.org <samba-technical at lists.samba.org>, Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Sent: Friday, December 18, 2009 5:14:45 PM GMT+0200 Europe;Athens
> Subject: Re: [s4] Passwords work
> > Yeah, added to the long todo queue...
>
> ----- Original Message -----
> > From: samba-technical-bounces at lists.samba.org <samba-technical-bounces at lists.samba.org>
> > To: samba-technical <samba-technical at lists.samba.org>, Matthias Dieter Wallnöfer <mdw at samba.org>
> > Sent: Friday, December 18, 2009 11:34:15 AM GMT+0200 Europe;Athens
> > Subject: [s4] Passwords work
>
> > I would like to inform you (s4 developers) that my password work has been finished. The "samdb_set_password" call is cleaned up (only the essential instructions) and all the other checks moved to the "password_hash" LDB module.
> > The reason for this is that AD supports the password handling not only over the RPCs or KERBEROS ("samdb_set_password" in our case) but also directly by LDAP attribute manipulation. With my patchset we should always be safe now regarding the policies (since previously we weren't on direct LDAP changes).
> > To be interoperable with the "real AD" I implemented the behaviour according to MS-ADTS 3.1.1.3.1.5. In addition to the specification which seems to allow password changes only by the "unicodePwd" and "userPassword" attribute, my patch supports them also through "clearTextPassword" and "dBCSPwd" (if LANMAN auth is enabled). I added this for completeness and it didn't make a lot of difference to implement also this.
> > The tree is located at http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/passwords and passes "make test".
> >
> > In my eyes the last task left to do is to enhance the ACL module to make sure who has the privileges to change a password or who hasn't. This is also specified in MS-ADTS 3.1.1.3.1.5. I hope that Nadja is interested to perform this last task (since I'm really not specialist regarding ACLs).
> >
> > Of course on questions and concerns please ask!
> >
> > Matthias