samrValidatePassword samdb_set_password()
Matthias Dieter Wallnöfer
mdw at samba.org
Wed Sep 30 02:17:16 MDT 2009
Hi abartlet,
about your email regarding the password handling of s4: you answered on an older post. Please consider this one as my new view/plan for implementing it:
Hi tridge!
tridge at samba.org wrote:
> Hi Matthias,
>
> > the "samdb_set_password" call is currently a disaster in my eyes. The
> > major part of the functionality should move to our "password_hash"
> > module.
>
> I don't think it should move to the ldb module, but parts of it should
> be called by the ldb module.
>
To be honest I don't like the actual "samdb_set_password" call at all - if you consider my passwords private branch you notice a proposed patchset (not tested enough yet). I cleaned up the "samdb_set_password" call to really perform only the essential actions (basically a wrapper as the "samdb_set_password" call for python) - that in detail means 1.) to perform the LDB modification request with the password (not only the creation of it like now - since I changed the behaviour to check it now through the password_hash module), 2.) return of the dominfo structure and the reject result (if any).
What I could do is to refactor those mentioned checks (which I integrated for now in the "password_hash" module) in a samdb util call (as proposed by you) - but I would like to see it called only from the "password_hash" module itself and the "samrValidatePassword" call.
A call in "samdb_set_password" I see as totally redundant. The same as you would launch this function from the python "samdb_set_password" method. (Only) The directory component should decide if the password fits for all possible access methods (SAMR calls, kpasswd, LDB/LDAP, python binding...) - since the AD itself is "the heart" of an AD DC. So we remain clear and extensible.
Matthias