[s4] Passwords work
Matthias Dieter Wallnöfer
mdw at samba.org
Mon Dec 21 05:01:16 MST 2009
Hi Andrew,
Andrew Bartlett wrote:
> - unicodePwd - we need to get rid of the 'autodetection' between
> "password" and 16 byte hash value. This I think should be replaced with
> a control indicating 'hash values being set' (which scripts such as the
> upgradeprovision and parts of the SAMR password change code could then
> set).
>
I would keep this as it is! Since first the more controls we have, the
more complicated a task is in my eyes. And a very important second
point: We need to keep compatibility with Windows Server ADs: They allow
both password types (hash or cleartext) exactly through this attribute
(consider the MS-ADTS guide). And that also from an external point of
view - so not only internally! Therefore certain sysadmins/users could
script or have scripted password changes using this attribute
(especially before Windows Server 2003 domain mode this has been the
only change possibility over LDAP I think)!
> I also just need to look over the patch more carefully, with a
> particular eye to security holes.
>
I look forward to getting your response so that I can do the remaining tests and adaptations!
Matthias