s4 password changes

Matthias Dieter Wallnöfer mdw at samba.org
Mon Aug 16 12:01:04 MDT 2010


Nadya,

you might be right in most cases, but here I would like to recall some 
facts:
- The password checking is a quite complex procedure and I would like to 
have it in just one place (to not have redundancies and inconsistencies).
- And I think you didn't understand the side effect, I mean, why I want 
to have the user password changes with user rights: the possibility to 
disable password changes.
If you disable them under ADUC on Windows Server, then you will notice 
that the security descriptor changes (on the ACE "Self" the "password 
changes" are denied). And this will naturally also be enforced on SAMR!

Therefore I would really appreciate it if we could make an exception in 
this case.

Matthias

Nadezhda Ivanova wrote:
> Hi Matthias,
> As I explained in my email regarding disabling anonymous access, some 
> research showed that the ldap access checks we currently have 
> implemented in ldb must not be applied to other protocols, as they are 
> LDAP specific. This is explicitly stated in the MS-SAMR document, 
> actually. It would be similar to applying file access checks on 
> directory objects, quite a mess. Therefore we should continue using 
> system session for the password reset in SAMR. In fact, after some 
> discussion with Tridge, I made all SAMR methods use the system 
> session, and enforce an access check for administrative rights before 
> the calls to ldb. The same will have to be done with other protocols 
> where we see problems. I'll be pushing this and other things related 
> to this problem in my branch today or tomorrow and send them for 
> discussion.  This means that you will not need to handle the control 
> in acl module.
>
> Regards,
> Nadya
>
> On Mon, Aug 16, 2010 at 8:12 PM, Matthias Dieter Wallnöfer 
> <mdw at samba.org <mailto:mdw at samba.org>> wrote:
>
>     Hi Nadya, metze, abartlet,
>
>     lately I restarted the effort to solve the s4 password change ACL
>     problem and I now come up with a slightly different, but cleaner
>     solution. The big difference now consists in the fact that the
>     control PASSWORD_CHANGE_PW_CHECKED has been renamed to
>     PASSWORD_CHANGE and now also carries the old password as a NT
>     hash and/or LM hash in the following way:
>
>     (samdb.h)
>
>         #define DSDB_CONTROL_PASSWORD_CHANGE_OID "1.3.6.1.4.1.7165.4.3.10"
>         +struct dsdb_control_password_change {
>         +       const struct samr_Password *old_nt_pwd_hash;
>         +       const struct samr_Password *old_lm_pwd_hash;
>         +};
>         +
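
Review bot: struct dsdb_control_password_change has no comment saying that old_nt_pwd_hash and old_lm_pwd_hash may each be NULL, which the "NT hash and/or LM hash" wording implies; a one-line comment above the fields (e.g. `/* NULL if the caller could not supply this hash */`) plus a note on what the password_hash module does when both are NULL would let the fail-closed behaviour be reviewed rather than inferred. The trailing `+` line also adds an empty line after the struct that the header does not seem to need.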
>
>     The password_hash module then proves these. I hope that this
>     will finally meet your concerns, Nadya.
>
>     The whole patchset is to be found under
>     http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/stuff or
>     http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=shortlog;h=refs/heads/stuff.
>
>     Matthias
>
>
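An added illustration (not Samba code, nor part of the patchset discussed above) of the kind of old-password proof the password_hash module would have to perform on the hashes carried in the control: the samr_Password layout, the stored-hash struct, the verification policy and the sample hashes are all assumptions of this example, labelled in the comments.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Samba's samr_Password: a 16-byte NT or LM hash (hypothetical). */
struct samr_Password { uint8_t hash[16]; };

/* Same shape as the control in the quoted patch; NULL = hash not supplied. */
struct dsdb_control_password_change {
	const struct samr_Password *old_nt_pwd_hash;
	const struct samr_Password *old_lm_pwd_hash;
};

/* Hashes stored for the user (hypothetical); NULL = not stored in the directory. */
struct stored_pwd_hashes {
	const struct samr_Password *nt;
	const struct samr_Password *lm;
};

/* Constant-time compare: timing must not reveal which byte differed. */
static bool hash_equal_ct(const struct samr_Password *a, const struct samr_Password *b)
{
	uint8_t diff = 0;
	for (size_t i = 0; i < sizeof(a->hash); i++) diff |= a->hash[i] ^ b->hash[i];
	return diff == 0;
}

/* Verify the old-password proof in the control. Policy (an assumption of this
 * example): at least one hash is required, every supplied hash must match its
 * stored counterpart, and a hash with no stored counterpart fails closed. */
bool password_change_proof_ok(const struct dsdb_control_password_change *ctrl,
			      const struct stored_pwd_hashes *stored)
{
	if (ctrl == NULL || stored == NULL) return false;
	const struct samr_Password *nt = ctrl->old_nt_pwd_hash, *lm = ctrl->old_lm_pwd_hash;
	if (nt == NULL && lm == NULL) return false;
	if (nt != NULL && (stored->nt == NULL || !hash_equal_ct(nt, stored->nt))) return false;
	if (lm != NULL && (stored->lm == NULL || !hash_equal_ct(lm, stored->lm))) return false;
	return true;
}

int main(void)
{
	struct samr_Password nt = {{0x11}}, lm = {{0x22}}, bad = {{0x33}}; /* constructed, not real hashes */
	struct stored_pwd_hashes stored = { &nt, &lm };
	struct dsdb_control_password_change good = { &nt, NULL }, wrong = { &bad, &lm }, none = { NULL, NULL };
	printf("nt only: %d  wrong nt: %d  no proof: %d\n", password_change_proof_ok(&good, &stored),
	       password_change_proof_ok(&wrong, &stored), password_change_proof_ok(&none, &stored));
	return 0;
}
```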



More information about the samba-technical mailing list