samrValidatePassword samdb_set_password()

Matthias Dieter Wallnöfer mdw at samba.org
Tue Sep 29 02:21:19 MDT 2009


Hi tridge,

the "samdb_set_password" call is currently a disaster in my eyes. The 
major part of the functionality should move to our "password_hash" 
module. This is strictly needed since without it the setting of 
passwords over LDB/LDAP doesn't enforce the policies (only those set 
over SAMR and kpasswd do at the moment). I started an experimental patch 
in a personal branch - but it needs testing and more rework.

Very good to inform me about this "samrValidatePassword" call - I don't 
know what would be the best way to implement this. One possibility would be 
to first add a temporary user account (I imagine that the "account" 
parameter is exactly the name for this one - a type of hash), try to set 
the password, let the password be checked by the "password_hash", delete 
this created account - and return the result.

Matthias

tridge at samba.org schrieb:
> Hi Matthias,
>
> Andrew mentioned that you are working in this area, so I thought I'd
> ask you first before starting on the code.
>
> When I try to join w2k3 to s4 as an additional DC, it fails soon after
> w2k3 sends us a samrValidatePassword() call which we fault (we don't
> implement it in rpc_server/samr/dcesrv_samr.c). 
>
> Looking at the WSPP [MS-SAMR] docs, this call is used to remotely
> check the strength of a password. It doesn't actually set a password,
> just checks that it passes the DC's strength checks (age, complexity
> etc).
>
> Our code implements that currently in samdb_set_password() in
> dsdb/common/util.c, but I think we now need to split it out into a
> function that validates password strength without any intention to set
> the password. We'd then use that in samdb_set_password() as well as in
> samr_ValidatePassword().
>
> Is Andrew right that you are working in this area? Should I leave this one
> to you?
>
> In case you are interested, here is the request I get from w2k3 when
> using dcpromo to join it to a s4 domain:
>
>    67: struct samr_ValidatePassword
>         in: struct samr_ValidatePassword
>             level                    : NetValidatePasswordReset (3)
>             req                      : *
>                 req                      : union samr_ValidatePasswordReq(case 3)
>                 req3: struct samr_ValidatePasswordReq3
>                     info: struct samr_ValidatePasswordInfo
>                         fields_present           : 0x00000000 (0)
>                                0: SAMR_VALIDATE_FIELD_PASSWORD_LAST_SET
>                                0: SAMR_VALIDATE_FIELD_BAD_PASSWORD_TIME
>                                0: SAMR_VALIDATE_FIELD_LOCKOUT_TIME
>                                0: SAMR_VALIDATE_FIELD_BAD_PASSWORD_COUNT
>                                0: SAMR_VALIDATE_FIELD_PASSWORD_HISTORY_LENGTH
>                                0: SAMR_VALIDATE_FIELD_PASSWORD_HISTORY
>                         last_password_change     : NTTIME(0)
>                         bad_password_time        : NTTIME(0)
>                         lockout_time             : NTTIME(0)
>                         bad_pwd_count            : 0x00000000 (0)
>                         pwd_history_len          : 0x00000000 (0)
>                         pwd_history              : NULL
>                     password: struct lsa_StringLarge
>                         length                   : 0x000e (14)
>                         size                     : 0x0010 (16)
>                         string                   : *
>                             string                   : 'penguin'
>                     account: struct lsa_StringLarge
>                         length                   : 0x005e (94)
>                         size                     : 0x0060 (96)
>                         string                   : *
>                             string                   : 'aklsdjiwuerowierlkmclknlaksjdqweiquroijlkasjlkq'
>                     hash: struct samr_ValidationBlob
>                         length                   : 0x00000000 (0)
>                         data                     : NULL
>                     pwd_must_change_at_next_logon: 0x00 (0)
>                     clear_lockout            : 0x00 (0)
>
> the 'account' string seems to be a dummy, we should just look at the
> 'password' string.
>
> Cheers, Tridge
>
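As an added illustration of the split discussed above (a strength check that never sets the password, callable from both samdb_set_password() and a validate-only RPC handler), here is example C that is not Samba's code. The enum, the policy struct and the rule set are assumptions, modelled on the usual length / three-of-four-classes / no-account-name rules; history and age checks, which need directory state, are deliberately left out of this pure function.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result codes and policy struct (not Samba's own types). */
enum pw_check { PW_OK = 0, PW_TOO_SHORT, PW_NOT_COMPLEX, PW_CONTAINS_ACCOUNT };
struct pw_policy { size_t min_length; bool complexity_required; };

/* Case-insensitive substring test for the account-name rule. */
static bool contains_nocase(const char *hay, const char *needle)
{
	size_t n = strlen(needle);
	for (; strlen(hay) >= n; hay++) {
		if (strncasecmp(hay, needle, n) == 0) return true;
	}
	return false;
}

/*
 * Pure strength check with no directory access or side effects, so one
 * function can back both the set-password path and a validate-only RPC.
 * Rules: minimum length, three of four character classes, and the
 * account name (3+ chars) must not appear inside the password.
 */
enum pw_check validate_password_strength(const char *password,
					 const char *account,
					 const struct pw_policy *pol)
{
	size_t len = strlen(password);
	int upper = 0, lower = 0, digit = 0, other = 0;

	if (len < pol->min_length) return PW_TOO_SHORT;
	if (!pol->complexity_required) return PW_OK;

	for (size_t i = 0; i < len; i++) {
		unsigned char c = (unsigned char)password[i];
		if (isupper(c)) upper = 1;
		else if (islower(c)) lower = 1;
		else if (isdigit(c)) digit = 1;
		else other = 1;
	}
	if (upper + lower + digit + other < 3) return PW_NOT_COMPLEX;
	if (account != NULL && strlen(account) >= 3 &&
	    contains_nocase(password, account)) return PW_CONTAINS_ACCOUNT;
	return PW_OK;
}
```

With a 7-character minimum and complexity on, the 'penguin' value from the dump above fails the class rule, which is what a validate-only handler would report back without touching any account.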