[s4] Passwords work

Andrew Bartlett abartlet at samba.org
Fri Dec 18 14:20:51 MST 2009


On Fri, 2009-12-18 at 10:38 +0100, Matthias Dieter Wallnöfer wrote:
> I would like to inform you (s4 developers) that my password work has 
> been finished. The "samdb_set_password" call is cleaned up (only the 
> essential instructions) and all the other checks moved to the 
> "password_hash" LDB module.
> The reason for this is that AD supports the password handling not only 
> over the RPCs or KERBEROS ("samdb_set_password" in our case) but also 
> directly by LDAP attribute manipulation. With my patchset we should 
> always be safe now regarding the policies (since previously we weren't 
> on direct LDAP changes).
> To be interoperable with the "real AD" I implemented the behaviour 
> according to MS-ADTS 3.1.1.3.1.5. In addition to the specification which 
> seems to allow password changes only by the "unicodePwd" and 
> "userPassword" attribute, my patch supports them also through 
> "clearTextPassword" and "dBCSPwd" (if LANMAN auth is enabled). I added 
> this for completeness, and it didn't make a lot of difference to also 
> implement this.
> The tree is located at 
> http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/passwords and 
> passes "make test".

Thank you so much for your persistence with this work.  This looks really
good, and I look forward to merging it!

The things I would suggest need to be done before we merge:
 - Tests: we need tests of the LDAP password set and change behaviour.
 - unicodePwd: we need to get rid of the 'autodetection' between
"password" and 16 byte hash value.  This I think should be replaced with
a control indicating 'hash values being set' (which scripts such as the
upgradeprovision and parts of the SAMR password change code could then
set).

I also just need to look over the patch more carefully, with a
particular eye to security holes. 

Thanks!

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
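The two LDAP-side points in this exchange (the MS-ADTS 3.1.1.3.1.5 encoding of a unicodePwd set/change, and why the "is this 16-byte value a hash or a password?" autodetection is unsafe) as an added, stand-alone illustration. This is not Samba code and not Matthias's patch: the unicodePwd rule (clear-text password wrapped in ASCII double quotes, then UTF-16LE) is from MS-ADTS; the helper names, the hypothetical `hash_control_present` flag standing in for the LDB control Andrew proposes, and the sample DN are assumptions for illustration.

```python
"""Build AD-style unicodePwd modify payloads and show why a length-based
"password or NT hash" guess is ambiguous.  Added example, not Samba code.
"""
import base64

NT_HASH_LEN = 16  # an NT (MD4) hash is 16 raw bytes


def unicode_pwd_value(password: str) -> bytes:
    # MS-ADTS 3.1.1.3.1.5: the value is the clear-text password enclosed in
    # double quotes, encoded as UTF-16LE.  The quotes are part of the value.
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    # Reverse of unicode_pwd_value; rejects values without the quoting.
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def _b64(raw: bytes) -> str:
    # Binary attribute values go into LDIF base64-encoded (the '::' form).
    return base64.b64encode(raw).decode("ascii")


def ldif_set_password(dn: str, new_password: str) -> str:
    # Administrative reset: a single 'replace' of unicodePwd (needs the
    # reset-password right; the old password is not checked).
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {_b64(unicode_pwd_value(new_password))}",
        "-",
        "",
    ])


def ldif_change_password(dn: str, old_password: str, new_password: str) -> str:
    # Self-service change: delete the old value and add the new one in ONE
    # modify operation so the server can verify the old password.
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {_b64(unicode_pwd_value(old_password))}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {_b64(unicode_pwd_value(new_password))}",
        "-",
        "",
    ])


def guess_is_hash(value: bytes) -> bool:
    # The kind of autodetection Andrew wants removed: "16 bytes means hash".
    return len(value) == NT_HASH_LEN


def ambiguous_example() -> tuple:
    # Any 6-character password is also exactly 16 bytes once quoted and
    # UTF-16LE-encoded, so the length heuristic misclassifies it as a hash
    # and the stored credential is not the one the caller meant to set.
    value = unicode_pwd_value("abcdef")
    return len(value), guess_is_hash(value)


def explicit_is_hash(value: bytes, hash_control_present: bool) -> bool:
    # Replacement for the guess: the caller (upgradeprovision, SAMR code)
    # says explicitly, via a control, that it is setting a hash.  The length
    # is then only validated, never used to decide the interpretation.
    # 'hash_control_present' is a hypothetical stand-in for such a control.
    if hash_control_present and len(value) != NT_HASH_LEN:
        raise ValueError("hash control set but value is not a 16-byte NT hash")
    return hash_control_present


if __name__ == "__main__":
    print(ldif_change_password("CN=alice,CN=Users,DC=example,DC=com",
                               "OldPass1", "NewPass2"))
    print("6-char password looks like a hash:", ambiguous_example())
```

The change form (delete old, add new) is what an unprivileged user can send for their own account; the replace form is what an administrator's reset sends. With a control the server never has to guess which of the two byte layouts it received, which is the point of Andrew's second item.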


More information about the samba-technical mailing list