[s4] Passwords work

Andrew Bartlett abartlet at samba.org
Mon Dec 21 23:43:18 MST 2009


On Fri, 2009-12-18 at 10:38 +0100, Matthias Dieter Wallnöfer wrote: 
> I would like to inform you (s4 developers) that my password work has 
> been finished. The "samdb_set_password" call is cleaned up (only the 
> essential instructions) and all the other checks moved to the 
> "password_hash" LDB module.
> The reason for this is that AD supports the password handling not only 
> over the RPCs or KERBEROS ("samdb_set_password" in our case) but also 
> directly by LDAP attribute manipulation. With my patchset we should 
> always be safe now regarding the policies (since previously we weren't 
> on direct LDAP changes).
> To be interoperable with the "real AD" I implemented the behaviour 
> according to MS-ADTS 3.1.1.3.1.5. In addition to the specification which 
> seems to allow password changes only by the "unicodePwd" and 
> "userPassword" attribute, my patch supports them also through 
> "clearTextPassword" and "dBCSPwd" (if LANMAN auth is enabled). I added 
> this for completeness and it didn't make a lot of difference to 
> implement also this.
> The tree is located at 
> http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/passwords and 
> passes "make test".
> 
> In my eyes the last task left to do is to enhance the ACL module to make 
> sure who has the privileges to change a password or who hasn't. This is 
> also specified in MS-ADTS 3.1.1.3.1.5. I hope that Nadja is interested 
> to perform this last task (since I'm really not a specialist regarding ACLs).
> 
> Of course on questions and concerns please ask!

My biggest remaining concern is about error codes.  We should ensure
that we return the right error codes when password changes fail, or are
not permitted.  These need to be backed up with tests - for example, if
an LM password change is not permitted, we need to ensure we return the
same error regardless of whether the user exists or not.

(We may already be doing that, if we check the restriction at both the
RPC and LDAP layers, but I just wanted to raise the class of issue).

I'll keep looking over these, particularly once we have some tests to
prove the new behaviours. 

Thanks for all the hard work you have put into this!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
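One way to make the "same error whether or not the user exists" requirement from the reply above concrete, as an added example that is not Samba's code: a toy model in which policy restrictions (here, LM changes with LANMAN auth disabled) are evaluated before the user entry is looked up, plus the kind of check a test would make to prove the codes are uniform. The error names, the policy field names, the sample directory and the hash stand-in are all constructed for this example and are not Samba's real NTSTATUS values or settings.

```python
import hashlib
from dataclasses import dataclass, field

# Illustrative error names (constructed, not real NTSTATUS codes).
ERR_LM_NOT_PERMITTED = "LM_CHANGE_NOT_PERMITTED"
ERR_WRONG_PASSWORD = "WRONG_PASSWORD"
OK = "OK"


@dataclass
class Policy:
    lanman_auth: bool = False  # assumed name for the "LANMAN auth enabled" switch


@dataclass
class Directory:
    policy: Policy = field(default_factory=Policy)
    users: dict = field(default_factory=dict)  # account name -> stored hash


def fake_hash(password: str) -> str:
    # Stand-in for the stored password hash; NOT an NT or LM hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_sample_directory() -> Directory:
    # Constructed sample data: one known account, LANMAN auth disabled.
    return Directory(users={"alice": fake_hash("OldSecret1")})


def change_password(d: Directory, user: str, old_hash: str, new_pwd: str, via_lm: bool) -> str:
    """Apply the restriction checks before touching the user entry, so the
    returned code cannot depend on whether `user` exists."""
    if via_lm and not d.policy.lanman_auth:
        return ERR_LM_NOT_PERMITTED
    entry = d.users.get(user)
    # Unknown account and wrong old password collapse into one code on purpose.
    if entry is None or entry != old_hash:
        return ERR_WRONG_PASSWORD
    d.users[user] = fake_hash(new_pwd)
    return OK


def same_error_for_known_and_unknown(d: Directory, via_lm: bool) -> bool:
    """The test Andrew asks for: a bad attempt against an existing account and
    against a non-existent one must yield the identical error code."""
    bogus = fake_hash("not-the-real-old-password")
    known = change_password(d, "alice", bogus, "NewSecret12", via_lm)
    unknown = change_password(d, "nobody", bogus, "NewSecret12", via_lm)
    return known == unknown
```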
