samrValidatePassword samdb_set_password()

Andrew Bartlett abartlet at
Tue Sep 29 15:57:52 MDT 2009

On Tue, 2009-09-29 at 10:21 +0200, Matthias Dieter Wallnöfer wrote: 
> Hi tridge,
> the "samdb_set_password" call is currently a disaster in my eyes. The 
> major part of the functionality should move to our "password_hash" 
> module. This is strictly needed since without it the setting of 
> passwords over LDB/LDAP doesn't enforce the policies (only those set 
> over SAMR and kpasswd do at the moment). 

Well, we could just have a new module call back to the existing code,
rather than try a major rework here. 

> I started an experimental patch 
> in a personal branch - but it needs testing and more rework.
> Very good to inform me about this "samrValidatePassword" call - I don't 
> know what would be the best to implement this. One possibility would be 
> to first add a temporary user account (I imagine that the "account" 
> parameter is exactly the name for this one - a type of hash), try to set 
> the password, let the password be checked by the "password_hash", delete 
> this created account - and return the result.

I really don't think that's a good idea.  We need a way (perhaps an
extended operation) to check this without doing writes to the DB. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list