clearTextPassword attribute

Andrew Bartlett abartlet at
Wed Oct 28 10:45:22 MDT 2009

On Wed, 2009-10-28 at 18:09 +0200, Nadezhda Ivanova wrote:
> Hi Matthias,
> Unfortunately the similarity between clearTextPassword and unicodePwd
> does not help in this case, because we do not not care whatsoever
> about syntax or function, only access rights granted. In 99% of the
> cases we rely on the dfeaultSecurtyDescriptor or inherited ACEs to
> determine access, and by default we may have rights given to principal
> self or administrator over unicodePwd, but never on clearTextPassword.
> I suppose I could, in acl module, handle clearTextPassword explicitly
> by checking for the rights of unicodePwd instead, but it will be an
> ugly hack... And the whole idea of being allowed to use an attribute
> that is not actually in the schema breaks a ground rule...

And a hack you should use.  I got the name clearTextPassword from
Microsoft's own docs.  Just apply the same rights as unicodePwd to any
update to userPassword, clearTextPassword, unicodePwd or dbcsPwd.  

In short, password handling is special, particularly once you get to
password changes. 

I would expect this is actually a special right, but perhaps they just
use unicodePwd. 

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list