samrValidatePassword samdb_set_password()

tridge at tridge at
Tue Sep 29 01:27:36 MDT 2009

Hi Matthias,

Andrew mentioned that you are working in this area, so I thought I'd
ask you first before starting on the code.

When I try to join w2k3 to s4 as an additional DC, it fails soon after
w2k3 sends us a samrValidatePassword() call which we fault (we don't
implement it in rpc_server/samr/dcesrv_samr.c). 

Looking at the WSPP [MS-SAMR] docs, this call is used to remotely
check the strength of a password. It doesn't actually set a password,
just checks that it passes the DCs strength checks (age, complexity

Our code implements that currently in samdb_set_password() in
dsdb/common/util.c, but I think we now need to split it out into a
function that validates password strength without any intention to set
the password. We'd then use that in samdb_set_password() as well as in

Is Andrew right that you working in this area? Should I leave this one
to you?

In case you are interested, here is the request I get from w2k3 when
using dcpromo to join it to a s4 domain:

   67: struct samr_ValidatePassword
        in: struct samr_ValidatePassword
            level                    : NetValidatePasswordReset (3)
            req                      : *
                req                      : union samr_ValidatePasswordReq(case 3)
                req3: struct samr_ValidatePasswordReq3
                    info: struct samr_ValidatePasswordInfo
                        fields_present           : 0x00000000 (0)
                               0: SAMR_VALIDATE_FIELD_PASSWORD_LAST_SET
                               0: SAMR_VALIDATE_FIELD_BAD_PASSWORD_TIME
                               0: SAMR_VALIDATE_FIELD_LOCKOUT_TIME
                               0: SAMR_VALIDATE_FIELD_BAD_PASSWORD_COUNT
                               0: SAMR_VALIDATE_FIELD_PASSWORD_HISTORY_LENGTH
                               0: SAMR_VALIDATE_FIELD_PASSWORD_HISTORY
                        last_password_change     : NTTIME(0)
                        bad_password_time        : NTTIME(0)
                        lockout_time             : NTTIME(0)
                        bad_pwd_count            : 0x00000000 (0)
                        pwd_history_len          : 0x00000000 (0)
                        pwd_history              : NULL
                    password: struct lsa_StringLarge
                        length                   : 0x000e (14)
                        size                     : 0x0010 (16)
                        string                   : *
                            string                   : 'penguin'
                    account: struct lsa_StringLarge
                        length                   : 0x005e (94)
                        size                     : 0x0060 (96)
                        string                   : *
                            string                   : 'aklsdjiwuerowierlkmclknlaksjdqweiquroijlkasjlkq'
                    hash: struct samr_ValidationBlob
                        length                   : 0x00000000 (0)
                        data                     : NULL
                    pwd_must_change_at_next_logon: 0x00 (0)
                    clear_lockout            : 0x00 (0)

the 'account' string seems to be a dummy, we should just look at the
'password' string.

Cheers, Tridge

More information about the samba-technical mailing list