samrValidatePassword samdb_set_password()

tridge at tridge at
Tue Sep 29 15:02:38 MDT 2009

Hi Matthias,

 > the "samdb_set_password" call is currently a disaster in my eyes. The 
 > major part of the functionality should move to our "password_hash" 
 > module.

I don't think it should move to the ldb module, but parts of it should
be called by the ldb module. 

 > Very good to inform me about this "samrValidatePassword" call - I don't
 > know what would be the best way to implement this. One possibility would be
 > to first add a temporary user account (I imagine that the "account" 
 > parameter is exactly the name for this one - a type of hash), try to set 
 > the password, let the password be checked by the "password_hash", delete 
 > this created account - and return the result.

Please don't do that!

All we need is to take the core of the samdb_set_password() function
and split it out into a samdb_validate_password() function. The
samdb_validate_password() would not take an account name, and would
just check the various password strength rules that
samdb_set_password() currently checks, returning an NTSTATUS, plus a
samr_RejectReason code.

That function can then be called from the 3 places we need to do
password strength testing:

 - from the password_hash ldb module

 - from samdb_set_password()

 - from samr_ValidatePassword()

In general I like to keep our ldb modules simple, and call out to
utility functions to do complex work like this.

Cheers, Tridge
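
As an added illustration of the split proposed in this message (not Samba's code and not part of the original thread): a validation routine that takes a policy and a candidate password but no account name, and returns a status plus a reject reason, so the set-password path and a validate-only caller reach the same verdict. All type and function names, the enum values and the three-of-four-classes complexity rule are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical stand-ins for NTSTATUS and samr_RejectReason; names and
 * values are constructed for this sketch, not Samba's definitions. */
enum pw_status { PW_OK, PW_RESTRICTION };
enum pw_reject { REJECT_NONE, REJECT_TOO_SHORT, REJECT_COMPLEXITY };
/* Domain policy supplied by the caller; no account name is involved. */
struct pw_policy { size_t min_length; bool require_complexity; };

/* Assumed complexity rule: at least three of four character classes. */
static bool pw_is_complex(const char *pw)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p)) lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else other = 1;
    }
    return lower + upper + digit + other >= 3;
}

/* The one strength check every caller shares: status plus reject reason. */
enum pw_status validate_password(const struct pw_policy *pol, const char *pw,
                                 enum pw_reject *reason)
{
    *reason = REJECT_NONE;
    if (pw == NULL || strlen(pw) < pol->min_length)
        *reason = REJECT_TOO_SHORT;
    else if (pol->require_complexity && !pw_is_complex(pw))
        *reason = REJECT_COMPLEXITY;
    return *reason == REJECT_NONE ? PW_OK : PW_RESTRICTION;
}

/* Hypothetical set-password path: validate first, write only on success. */
enum pw_status set_password(const struct pw_policy *pol, const char *pw,
                            enum pw_reject *reason, bool *written)
{
    *written = validate_password(pol, pw, reason) == PW_OK; /* DB write stand-in */
    return *written ? PW_OK : PW_RESTRICTION;
}

int main(void)
{
    struct pw_policy pol = { 7, true };   /* constructed sample policy */
    enum pw_reject why;
    return validate_password(&pol, "Tr1dge-Example", &why);   /* exits 0 */
}
```

Because the validator has no side effects and needs no account, a validate-only request never has to create or delete anything in the directory to get an answer.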

More information about the samba-technical mailing list