[s4] Passwords work
Andrew Bartlett
abartlet at samba.org
Mon Dec 21 15:27:20 MST 2009
On Mon, 2009-12-21 at 13:01 +0100, Matthias Dieter Wallnöfer wrote:
> Hi Andrew,
>
> Andrew Bartlett wrote:
> > - unicodePwd - we need to get rid of the 'autodetection' between
> > "password" and 16 byte hash value. This I think should be replaced with
> > a control indicating 'hash values being set' (which scripts such as the
> > upgradeprovision and parts of the SAMR password change code could then
> > set).
> >
> I would keep this as it is! Since first the more controls we have, the
> more complicated a task is in my eyes. And a very important second
> point: We need to keep compatibility with Windows Server ADs: They allow
> both password types (hash or cleartext) exactly through this attribute
> (consider the MS-ADTS guide).
Can you show me where in MS-ADTS it allows a user or administrator to
set a hash via this attribute?
The documentation in 3.1.1.3.1.5.1 describes only the quoted unicode
string form. Therefore, Samba's internal use of 'set a hash' needs to
be marked as a special internal modification (following different rules)
via a control.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
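
The ambiguity discussed in this thread, as an added example that is not part of the original message and is not Samba code: a six-character password in the quoted unicode string form is exactly 16 bytes, the same length as the hash value. The length-based `classify_by_autodetect` is a hypothetical stand-in for the 'autodetection', and the `hash_control` flag is a hypothetical stand-in for the proposed control; all function names are assumptions.

```python
HASH_LEN = 16  # the "16 byte hash value" mentioned in the thread


def encode_unicode_pwd(password: str) -> bytes:
    """Quoted unicode string form: double-quoted text as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def parse_quoted_form(value: bytes) -> str:
    """Strictly parse the quoted form; raise ValueError for anything else."""
    if len(value) < 4 or len(value) % 2:
        raise ValueError("not a quoted UTF-16LE string")
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError as exc:
        raise ValueError("invalid UTF-16LE") from exc
    if text[0] != '"' or text[-1] != '"':
        raise ValueError("missing surrounding quotes")
    return text[1:-1]


def classify_by_autodetect(value: bytes) -> str:
    """Hypothetical autodetection: guess the kind from the length alone."""
    return "hash" if len(value) == HASH_LEN else "password"


def classify_explicit(value: bytes, hash_control: bool) -> str:
    """The caller states intent; the value is checked against that intent only."""
    if hash_control:
        if len(value) != HASH_LEN:
            raise ValueError("hash value must be 16 bytes")
        return "hash"
    parse_quoted_form(value)
    return "password"


# Constructed sample inputs (not real credentials or hashes).
SIX_CHAR_PASSWORD = encode_unicode_pwd("Secr3t")  # 8 UTF-16 units = 16 bytes
CONSTRUCTED_HASH = bytes(range(16))

if __name__ == "__main__":
    print(len(SIX_CHAR_PASSWORD), classify_by_autodetect(SIX_CHAR_PASSWORD))
    print(classify_explicit(SIX_CHAR_PASSWORD, hash_control=False))
    print(classify_explicit(CONSTRUCTED_HASH, hash_control=True))
```

With the explicit flag, a 16-byte value sent without the control is accepted only if it parses as a quoted string, so a raw hash cannot be stored by an ordinary modify.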