samrValidatePassword samdb_set_password()

Matthias Dieter Wallnöfer mdw at
Tue Sep 29 15:34:01 MDT 2009

Hi tridge!

tridge at schrieb:
> Hi Matthias,
>  > the "samdb_set_password" call is currently a disaster in my eyes. The 
>  > major part of the functionality should move to our "password_hash" 
>  > module.
> I don't think it should move to the ldb module, but parts of it should
> be called by the ldb module.
To be honest I don't like the actual "samdb_set_password" call at all - 
if you consider my passwords private branch you notice a proposed 
patchset (not tested enough yet). I cleaned up the "samdb_set_password" 
call to really perform only the essential actions (basically a wrapper 
as the "samdb_set_password" call for python) - that in detail means 1.) 
to perform the LDB modifcation request with the password (not only the 
creation of it like now - since I changed the behaviour to check it now 
through the password_hash module), 2.) return of the dominfo structure 
and the reject result (if any).
What I could do is to refactor those mentioned checks (which I 
integrated for now in the "password_hash" module) in a samdb util call 
(as proposed by you) - but I would like to see it called only from the 
"password_hash" module itself and the "samrValidatePassword" call.
A call in "samdb_set_password" I see totally redundant. The same as you 
would launch this function from the python "samdb_set_password"  method. 
(Only) The directory component should decide if the password fits for 
all possible access methods (SAMR calls, kpasswd, LDB/LDAP, python 
binding...) - since the AD itself is "the heart" of a AD DC. So we 
remain clear and extensible.

>  > Very good to inform me about this "samrValidatePassword" call - I don't 
>  > know what would be the best to implement this. One possibility would be 
>  > to first add a temporary user account (I imagine that the "account" 
>  > parameter is exactly the name for this one - a type of hash), try to set 
>  > the password, let the password be checked by the "password_hash", delete 
>  > this created account - and return the result.
> Please don't do that!
> All we need is to take the core of the samdb_set_password() function
> and split it out into a samdb_validate_password() function. The
> samdb_validate_password() would not take an account name, and would
> just check the various password strength rules that
> samdb_set_password() currently checks, returning a NTSTATUS, plus a
> samr_RejectReason code.
> That function can then be called from the 3 places we need to do
> password strength testing:
>  - from the password_hash ldb module
>  - from samdb_set_password()
>  - from samr_ValidatePassword()
> In general I like to keep our ldb modules simple, and call out to
> utility functions to do complex work like this.
> Cheers, Tridge

More information about the samba-technical mailing list