abartlet at samba.org
Wed Oct 28 10:45:22 MDT 2009
On Wed, 2009-10-28 at 18:09 +0200, Nadezhda Ivanova wrote:
> Hi Matthias,
> Unfortunately the similarity between clearTextPassword and unicodePwd
> does not help in this case, because we do not not care whatsoever
> about syntax or function, only access rights granted. In 99% of the
> cases we rely on the dfeaultSecurtyDescriptor or inherited ACEs to
> determine access, and by default we may have rights given to principal
> self or administrator over unicodePwd, but never on clearTextPassword.
> I suppose I could, in acl module, handle clearTextPassword explicitly
> by checking for the rights of unicodePwd instead, but it will be an
> ugly hack... And the whole idea of being allowed to use an attribute
> that is not actually in the schema breaks a ground rule...
And a hack you should use. I got the name clearTextPassword from
Microsoft's own docs. Just apply the same rights as unicodePwd to any
update to userPassword, clearTextPassword, unicodePwd or dbcsPwd.
In short, password handling is special, particularly once you get to
I would expect this is actually a special right, but perhaps they just
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
More information about the samba-technical