samrValidatePassword samdb_set_password()
tridge at samba.org
tridge at samba.org
Tue Sep 29 01:27:36 MDT 2009
Hi Matthias,
Andrew mentioned that you are working in this area, so I thought I'd
ask you first before starting on the code.
When I try to join w2k3 to s4 as an additional DC, it fails soon after
w2k3 sends us a samrValidatePassword() call which we fault (we don't
implement it in rpc_server/samr/dcesrv_samr.c).
Looking at the WSPP [MS-SAMR] docs, this call is used to remotely
check the strength of a password. It doesn't actually set a password,
just checks that it passes the DCs strength checks (age, complexity
etc).
Our code implements that currently in samdb_set_password() in
dsdb/common/util.c, but I think we now need to split it out into a
function that validates password strength without any intention to set
the password. We'd then use that in samdb_set_password() as well as in
samr_ValidatePassword().
Is Andrew right that you working in this area? Should I leave this one
to you?
In case you are interested, here is the request I get from w2k3 when
using dcpromo to join it to a s4 domain:
67: struct samr_ValidatePassword
in: struct samr_ValidatePassword
level : NetValidatePasswordReset (3)
req : *
req : union samr_ValidatePasswordReq(case 3)
req3: struct samr_ValidatePasswordReq3
info: struct samr_ValidatePasswordInfo
fields_present : 0x00000000 (0)
0: SAMR_VALIDATE_FIELD_PASSWORD_LAST_SET
0: SAMR_VALIDATE_FIELD_BAD_PASSWORD_TIME
0: SAMR_VALIDATE_FIELD_LOCKOUT_TIME
0: SAMR_VALIDATE_FIELD_BAD_PASSWORD_COUNT
0: SAMR_VALIDATE_FIELD_PASSWORD_HISTORY_LENGTH
0: SAMR_VALIDATE_FIELD_PASSWORD_HISTORY
last_password_change : NTTIME(0)
bad_password_time : NTTIME(0)
lockout_time : NTTIME(0)
bad_pwd_count : 0x00000000 (0)
pwd_history_len : 0x00000000 (0)
pwd_history : NULL
password: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'penguin'
account: struct lsa_StringLarge
length : 0x005e (94)
size : 0x0060 (96)
string : *
string : 'aklsdjiwuerowierlkmclknlaksjdqweiquroijlkasjlkq'
hash: struct samr_ValidationBlob
length : 0x00000000 (0)
data : NULL
pwd_must_change_at_next_logon: 0x00 (0)
clear_lockout : 0x00 (0)
the 'account' string seems to be a dummy, we should just look at the
'password' string.
Cheers, Tridge
More information about the samba-technical
mailing list