s3-netlogon: implement _netr_ServerPasswordSet2.

Guenther Deschner gd at samba.org
Wed Sep 2 06:31:37 MDT 2009 

Hi Andrew,

On Wed, Sep 02, 2009 at 09:24:48PM +1000, Andrew Bartlett wrote:
> On Wed, 2009-09-02 at 03:48 -0500, Günther Deschner wrote:
> > commit 2b8afd2257d8c9886f785929ca8dfcd04eb45755
> > Author: Günther Deschner <gd at samba.org>
> > Date:   Thu Aug 27 23:30:50 2009 +0200
> > 
> >     s3-netlogon: implement _netr_ServerPasswordSet2.
> >     
> >     Guenther
> 
> How do you propose to handle the random data windows feeds to this
> function?  You cannot convert the password given here into UTF8 - you
> must MD4 the original buffer. 

If you look at one of the preceding patches you'd see that we do exactly
that: MD4 the original buffer. We ever only handle the cleartext if we can
decode the buffer (just as Samba4 does). Also, Samba3 does not store clear
text passwords at all so it's just fine to store generated hashes.

> (Also, why try to implement this in Samba3?  It's needed for AD support,
> but given the pain it induces I don't see where it fits into a NT4 DC).

As you probably know we have clients out there (net & winbind) that have a
broken netr_ServerPasswordSet() client code path (see recent cred_hash3
removal during the netlogon auth client and server merge that finally
fixed it). So, instead of locking out those machines (after a server
successfully sets a password the client has incorrectly encrypted) it is
much better to allow those clients to set their machine password using
netr_ServerPasswordSet2 (client support for netr_ServerPasswordSet2 has
been added to Samba3 a long time ago already).

Are there any bad side-effects with that?

Guenther
-- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090902/12a575e1/attachment.pgp>

More information about the samba-technical mailing list