[s4] Passwords work

Matthias Dieter Wallnöfer mdw at samba.org
Fri Dec 18 11:11:52 MST 2009


Exactly Nadja, that's left to do (if you consider my patchset you find a TODO comment added on top of the "password_hash" module source file).
But I for the moment have no idea how to check for local or encrypted remote LDAP connections properly.

Matthias
By the way, shouldn't we only be able to do that if we use ldap over ssl? I have a vague memory that windows does not let you do it via a non-encrypted connection, perhaps I am wrong...

----- Original Message -----
> From: samba-technical-bounces at lists.samba.org <samba-technical-bounces at lists.samba.org>
> To: samba-technical-bounces at lists.samba.org <samba-technical-bounces at lists.samba.org>, mdw at samba.org <mdw at samba.org>, samba-technical at lists.samba.org <samba-technical at lists.samba.org>, Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Sent: Friday, December 18, 2009 5:14:45 PM GMT+0200 Europe;Athens
> Subject: Re: [s4] Passwords work

> > Yeah, added to the long todo queue...
> 
> ----- Original Message -----
> > From: samba-technical-bounces at lists.samba.org <samba-technical-bounces at lists.samba.org>
> > To: samba-technical <samba-technical at lists.samba.org>, Matthias Dieter Wallnöfer <mdw at samba.org>
> > Sent: Friday, December 18, 2009 11:34:15 AM GMT+0200 Europe;Athens
> > Subject: [s4] Passwords work
> 
> > > I would like to inform you (s4 developers) that my password work has been finished. The "samdb_set_password" call is cleaned up (only the essential instructions) and all the other checks moved to the "password_hash" LDB module.
> > > The reason for this is that AD supports the password handling not only over the RPCs or KERBEROS ("samdb_set_password" in our case) but also directly by LDAP attribute manipulation. With my patchset we should always be safe now regarding the policies (since previously we weren't on direct LDAP changes).
> > > To be interoperable with the "real AD" I implemented the behaviour according to MS-ADTS 3.1.1.3.1.5. In addition to the specification, which seems to allow password changes only by the "unicodePwd" and "userPassword" attribute, my patch supports them also through "clearTextPassword" and "dBCSPwd" (if LANMAN auth is enabled). I added this for completeness and it didn't make a lot of difference to implement this as well.
> > > The tree is located at http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/passwords and passes "make test".
> > > 
> > > In my eyes the last task left to do is to enhance the ACL module to make sure who has the privileges to change a password or who hasn't. This is also specified in MS-ADTS 3.1.1.3.1.5. I hope that Nadja is interested in performing this last task (since I'm really not a specialist regarding ACLs).
> > > 
> > > Of course on questions and concerns please ask!
> > > 
> > > Matthias
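The thread touches two points that are easier to see in code: the unicodePwd value format from MS-ADTS 3.1.1.3.1.5 (the clear-text password enclosed in double quotes, encoded as UTF-16LE, with a delete-old-plus-add-new modify meaning a password change and a replace meaning a reset), and the open question of refusing clear-text password writes that do not arrive over a local or encrypted connection. The following is an added illustration written for this page, not code from Samba's "password_hash" module or patchset. It assumes a simplified representation of an already-decoded LDAP modify as `(operation, attribute, values)` tuples and a `Transport` record reporting the connection scheme and TLS state; both are hypothetical interfaces, and the sample requests are constructed, not captured traffic.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# LDAP modify operation types, as decoded by the LDAP layer (assumed representation).
DELETE, ADD, REPLACE = "delete", "add", "replace"

# A modify is a list of (operation, attribute, values) tuples; values are raw bytes.
Modify = Sequence[Tuple[str, str, List[bytes]]]


def encode_unicode_pwd(password: str) -> bytes:
    """Client side: AD expects the clear-text password wrapped in double quotes,
    encoded as UTF-16LE (MS-ADTS 3.1.1.3.1.5)."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Server side: reject anything that is not a quoted UTF-16LE string."""
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError as exc:
        raise ValueError("unicodePwd value is not valid UTF-16LE") from exc
    if len(text) < 2 or not (text.startswith('"') and text.endswith('"')):
        raise ValueError("unicodePwd value must be enclosed in double quotes")
    return text[1:-1]


@dataclass(frozen=True)
class Transport:
    """What the transport layer knows about the connection (assumed interface)."""
    scheme: str        # "ldapi" (local UNIX socket), "ldap" or "ldaps"
    tls: bool = False  # True once ldaps or STARTTLS protects the session


def transport_is_protected(t: Transport) -> bool:
    """Clear-text passwords may only travel over a local socket or an
    encrypted session; a plain remote "ldap" connection is refused."""
    return t.scheme == "ldapi" or t.tls


def classify_password_modify(mods: Modify) -> Optional[Tuple[str, Optional[str], str]]:
    """Distinguish a password *change* (delete old value + add new value; the
    caller proves knowledge of the old password) from a *reset* (replace; needs
    the reset privilege). Returns (kind, old, new), or None if unicodePwd is
    not touched by this modify."""
    ops = [(op, vals) for op, attr, vals in mods if attr.lower() == "unicodepwd"]
    if not ops:
        return None
    if len(ops) == 1 and ops[0][0] == REPLACE and len(ops[0][1]) == 1:
        return ("reset", None, decode_unicode_pwd(ops[0][1][0]))
    if (len(ops) == 2 and ops[0][0] == DELETE and ops[1][0] == ADD
            and len(ops[0][1]) == 1 and len(ops[1][1]) == 1):
        return ("change",
                decode_unicode_pwd(ops[0][1][0]),
                decode_unicode_pwd(ops[1][1][0]))
    raise ValueError("unsupported combination of unicodePwd operations")


def handle_password_modify(mods: Modify, transport: Transport):
    """Entry point a password-handling module would call before applying the
    modify: transport check first, then value syntax and change-vs-reset
    classification. Policy checks (history, complexity) would follow."""
    if not transport_is_protected(transport):
        raise PermissionError(
            "unicodePwd may only be written over ldapi or an encrypted connection")
    return classify_password_modify(mods)


# Constructed sample requests (not captured traffic).
CHANGE_REQUEST: Modify = [
    (DELETE, "unicodePwd", [encode_unicode_pwd("OldSecret1")]),
    (ADD, "unicodePwd", [encode_unicode_pwd("NewSecret2")]),
]
RESET_REQUEST: Modify = [
    (REPLACE, "unicodePwd", [encode_unicode_pwd("NewSecret2")]),
]

if __name__ == "__main__":
    print(handle_password_modify(CHANGE_REQUEST, Transport("ldaps", tls=True)))
    print(handle_password_modify(RESET_REQUEST, Transport("ldapi")))
    try:
        handle_password_modify(RESET_REQUEST, Transport("ldap"))
    except PermissionError as err:
        print("refused:", err)
```

The transport check sits before any decoding on purpose: a password that was already sent in the clear cannot be un-sent, but refusing the write at least stops the directory from accepting a value that an observer on the wire could have read, and it mirrors the behaviour the thread attributes to Windows. The change-versus-reset split is what an ACL layer would later key on, since the two operations require different privileges.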

