s4 password changes
Nadezhda Ivanova
nivanova at samba.org
Mon Aug 16 12:10:26 MDT 2010
Here is the wip branch:
http://gitweb.samba.org/?p=nivanova/samba.git;a=shortlog;h=refs/heads/aclsearch
I started by denying access to anonymous depending on dSHeuristics. The
tests that I wrote to ensure this is correct are passing, but a lot of other
things broke, such as samr tests, lsa, secure channel, ldb tests, because
they were no longer able to read necessary data from the database. I will
send more details later.
Regards,
Nadya
On Mon, Aug 16, 2010 at 8:47 PM, Nadezhda Ivanova <nivanova at samba.org>wrote:
> Hi Matthias,
> As I explained in my email regarding disabling anonymous access, some
> researched showed that the ldap access checks we currently have implemented
> in ldb must not be applied to other protocols, as they are LDAP specific.
> This is explicitly stated in the MS-SAMR document, actually. It would be
> similar to applying file access checks on directory objects, quite a mess.
> Therefore we should continue using system session for the password reset in
> SAMR. In fact, after some discussion with Tridge, I made all SAMR methods
> use the system session, and enforce an access check for administrative
> rights before the calls to ldb. The same will have to be done with other
> protocols where we see problems. I'll be pushing this and other things
> related to this problem in my branch today or tomorrow and send them for
> discussion. This means that you will not need to handle the control in acl
> module.
>
> Regards,
> Nadya
>
>
> On Mon, Aug 16, 2010 at 8:12 PM, Matthias Dieter Wallnöfer <mdw at samba.org>wrote:
>
>> Hi Nadya, metze, abartlet,
>>
>> lately I restarted the effort to solve the s4 password change ACL problem
>> and I come now up with a slightly different, but cleaner solution. The big
>> difference now consists in the fact that the control
>> PASSWORD_CHANGE_PW_CHECKED has been renamed to PASSWORD_CHANGE and does now
>> also carry the old password as a NT hash and/or LM hash in the following
>> way:
>>
>> (samdb.h)
>>
>>> #define DSDB_CONTROL_PASSWORD_CHANGE_OID "1.3.6.1.4.1.7165.4.3.10"
>>> +struct dsdb_control_password_change {
>>> + const struct samr_Password *old_nt_pwd_hash;
>>> + const struct samr_Password *old_lm_pwd_hash;
>>> +};
>>> +
>>>
>> The password_hash module does then proof these. I hope that this will
>> finally meet your concerns, Nadya.
>>
>> The whole patchset is to be found under
>> http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/stuff or
>> http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=shortlog;h=refs/heads/stuff
>> .
>>
>> Matthias
>>
>
>
More information about the samba-technical
mailing list