s4: Let the "setpassword" script finally use the "samdb_set_password" routine

Andrew Bartlett abartlet at samba.org
Wed Sep 9 17:00:10 MDT 2009

On Wed, 2009-09-09 at 19:17 +0200, Matthias Dieter Wallnöfer wrote:
> Hi Andrew!
> I wanted to achieve that the "setpassword" tool uses the 
> "samdb_set_password" call so at least it should enforce now the password 
> policies.

But changing the client doesn't enforce the policies.  setpassword is a
client here (despite doing local DB interaction).  It should remain as
simple as possible, just like an LDAP client.  Policy enforcement
belongs in the server, so it applies to everything - LDAP clients
included (ie, it needs to be in the LDB modules, or something they

> Regarding "userPassword": on Windows Server 2003 I set it to a certain 
> value (hash) but wasn't able to login afterwards with it. Are you sure 
> that this attribute is also used for saving the login password?

It takes a plaintext UTF8 string as I understand it (and if it doesn't
that's what I want Samba to accept). 

The other attribute that can be set (and is used by Windows clients!) is
"unicodePwd" which takes a quoted unicode string, but that's a right
pain to construct in python. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090910/b2b1e3d6/attachment.pgp>

More information about the samba-technical mailing list