[s4] Passwords work

Matthias Dieter Wallnöfer mdw at samba.org
Mon Dec 21 05:01:16 MST 2009


Hi Andrew,

Andrew Bartlett wrote:
>   - unicodePwd - we need to get rid of the 'autodetection' between
> "password" and 16 byte hash value.  This I think should be replaced with
> a control indicating 'hash values being set' (which scripts such as the
> upgradeprovision and parts of the SAMR password change code could then
> set).
>    
I would keep this as it is! First, the more controls we have, the 
more complicated a task is in my eyes. And a very important second 
point: we need to keep compatibility with Windows Server ADs: they allow 
both password types (hash or cleartext) exactly through this attribute 
(consider the MS-ADTS guide). And that also from an external point of 
view - so not only internally! Therefore certain sysadmins/users could 
script or have scripted password changes using this attribute 
(especially before Windows Server 2003 domain mode this has been the 
only change possibility over LDAP I think)!
> I also just need to look over the patch more carefully, with a
> particular eye to security holes.
>    
I look forward to getting your response to do the remaining tests and adaptations!

Matthias

