s4 password changes

Nadezhda Ivanova nivanova at samba.org
Mon Aug 16 11:47:13 MDT 2010

Hi Matthias,
As I explained in my email regarding disabling anonymous access, some
research showed that the LDAP access checks we currently have implemented
in ldb must not be applied to other protocols, as they are LDAP specific.
This is explicitly stated in the MS-SAMR document, actually. It would be
similar to applying file access checks on directory objects, quite a mess.
Therefore we should continue using system session for the password reset in
SAMR. In fact, after some discussion with Tridge, I made all SAMR methods
use the system session, and enforce an access check for administrative
rights before the calls to ldb. The same will have to be done with other
protocols where we see problems. I'll be pushing this and other things
related to this problem in my branch today or tomorrow and send them for
discussion.  This means that you will not need to handle the control in acl


On Mon, Aug 16, 2010 at 8:12 PM, Matthias Dieter Wallnöfer <mdw at samba.org> wrote:

> Hi Nadya, metze, abartlet,
> lately I restarted the effort to solve the s4 password change ACL problem
> and I have now come up with a slightly different, but cleaner solution. The big
> difference now consists in the fact that the control
> PASSWORD_CHANGE_PW_CHECKED has been renamed to PASSWORD_CHANGE and does now
> also carry the old password as a NT hash and/or LM hash in the following
> way:
> (samdb.h)
>> +struct dsdb_control_password_change {
>> +       const struct samr_Password *old_nt_pwd_hash;
>> +       const struct samr_Password *old_lm_pwd_hash;
>> +};
>> +
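Review bot: the two pointer fields of struct dsdb_control_password_change, old_nt_pwd_hash and old_lm_pwd_hash, carry no comment saying which of them may be NULL. The description says the control holds the old password as an NT hash "and/or" an LM hash, so at least one of the pointers is optional. Please document in samdb.h that either may be NULL, what a consumer of the control is expected to do when both are NULL, and who owns the pointed-to hash memory while the request is in flight, so that callers and the password_hash module agree on when the old-password check is actually being requested.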
> The password_hash module then verifies these. I hope that this will
> finally meet your concerns, Nadya.
> The whole patchset is to be found under
> http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/stuff or
> http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=shortlog;h=refs/heads/stuff
> .
> Matthias
