s4 password changes

Nadezhda Ivanova nivanova at samba.org
Mon Aug 16 12:10:26 MDT 2010

Here is the wip branch:

I started by denying access to anonymous depending on dSHeuristics. The
tests that I wrote to ensure this is correct are passing, but a lot of other
things broke, such as samr tests, lsa, secure channel, ldb tests, because
they were no longer able to read necessary data from the database. I will
send more details later.


On Mon, Aug 16, 2010 at 8:47 PM, Nadezhda Ivanova <nivanova at samba.org> wrote:

> Hi Matthias,
> As I explained in my email regarding disabling anonymous access, some
> research showed that the LDAP access checks we currently have implemented
> in ldb must not be applied to other protocols, as they are LDAP specific.
> This is explicitly stated in the MS-SAMR document, actually. It would be
> similar to applying file access checks on directory objects, quite a mess.
> Therefore we should continue using system session for the password reset in
> SAMR. In fact, after some discussion with Tridge, I made all SAMR methods
> use the system session, and enforce an access check for administrative
> rights before the calls to ldb. The same will have to be done with other
> protocols where we see problems. I'll be pushing this and other things
> related to this problem in my branch today or tomorrow and send them for
> discussion.  This means that you will not need to handle the control in acl
> module.
> Regards,
> Nadya
> On Mon, Aug 16, 2010 at 8:12 PM, Matthias Dieter Wallnöfer <mdw at samba.org> wrote:
>> Hi Nadya, metze, abartlet,
>> lately I restarted the effort to solve the s4 password change ACL problem
>> and I have now come up with a slightly different, but cleaner solution. The big
>> difference now consists in the fact that the control
>> PASSWORD_CHANGE_PW_CHECKED has been renamed to PASSWORD_CHANGE and does now
>> also carry the old password as a NT hash and/or LM hash in the following
>> way:
>> (samdb.h)
>>> +struct dsdb_control_password_change {
>>> +       const struct samr_Password *old_nt_pwd_hash;
>>> +       const struct samr_Password *old_lm_pwd_hash;
>>> +};
>>> +
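
Review bot: the two members of struct dsdb_control_password_change have no comment saying which of them may be NULL. The description says the control carries the old password as an NT hash "and/or" LM hash, so at least one is expected to be set; document that on the struct, and state what the consumer must do when both old_nt_pwd_hash and old_lm_pwd_hash are NULL (fail the change rather than treat the old password as checked). Because the members are pointers rather than embedded copies, the comment should also say that the caller keeps the pointed-to hashes valid for the lifetime of the request.
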
>> The password_hash module then verifies these. I hope that this will
>> finally meet your concerns, Nadya.
>> The whole patchset is to be found under
>> http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/stuff or
>> http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=shortlog;h=refs/heads/stuff
>> .
>> Matthias
