s4 password changes
Nadezhda Ivanova
nivanova at samba.org
Mon Aug 16 12:37:36 MDT 2010
Hi Matthias,
I suppose we can make that exception, until we clarify the issue further.
Information in MS-SAMR is - at least for now - confusing. We have this:
3.1.2.2 AD Access Checks in DC Configuration
Unless otherwise specified, the create, update, delete, and read access checks enforced by the MS-ADTS data model (specified in [MS-ADTS] section 5.1.3) are not enforced during the message processing of this protocol.
And after that we have this:
3.1.4.1 Default Access
Information about the default access control (expressed in the default security descriptor) on user, group, alias, domain, and server objects is specified in [MS-ADTS] section 3.1.1.2. This is significant because this server MUST use the security descriptor from the [MS-ADTS] data model to determine whether the client has access to perform the requested operation. If, for example, a client opens a domain object with SamrOpenDomain requesting DOMAIN_READ_PASSWORD_PROPERTIES, SamrOpenDomain uses the [MS-ADTS] data model security descriptor to determine whether the client has access to read password-related properties.
If the current state is introducing a security issue, I think we can do what
you suggest until we find a better way.
Regards,
Nadya
On Mon, Aug 16, 2010 at 9:01 PM, Matthias Dieter Wallnöfer <mdw at samba.org> wrote:
> Nadya,
>
> you might be right in most cases, but here I would like to recall some
> facts:
> - The password checking is a quite complex procedure and I would like to
> have it in just one place (to not have redundancies and inconsistencies).
> - And I think you didn't understand the side-effect, I mean, why I want to
> have the user password changes with user rights: the possibility to disable
> password changes.
> If you disable them under ADUC on Windows Server, then you will notice that
> the security descriptor changes (on the ACE "Self" the "password changes"
> are denied). And this will naturally be also enforced on SAMR!
>
> Therefore I would really appreciate it, if we could make an exception in
> this case.
>
> Matthias
>
> Nadezhda Ivanova wrote:
>
>> Hi Matthias,
>> As I explained in my email regarding disabling anonymous access, some
>> research showed that the ldap access checks we currently have implemented
>> in ldb must not be applied to other protocols, as they are LDAP specific.
>> This is explicitly stated in the MS-SAMR document, actually. It would be
>> similar to applying file access checks on directory objects, quite a mess.
>> Therefore we should continue using system session for the password reset in
>> SAMR. In fact, after some discussion with Tridge, I made all SAMR methods
>> use the system session, and enforce an access check for administrative
>> rights before the calls to ldb. The same will have to be done with other
>> protocols where we see problems. I'll be pushing this and other things
>> related to this problem in my branch today or tomorrow and send them for
>> discussion. This means that you will not need to handle the control in the
>> acl module.
>>
>> Regards,
>> Nadya
>>
>> On Mon, Aug 16, 2010 at 8:12 PM, Matthias Dieter Wallnöfer <mdw at samba.org> wrote:
>>
>> Hi Nadya, metze, abartlet,
>>
>> lately I restarted the effort to solve the s4 password change ACL
>> problem and have now come up with a slightly different, but cleaner
>> solution. The big difference now consists in the fact that the
>> control PASSWORD_CHANGE_PW_CHECKED has been renamed to
>> PASSWORD_CHANGE and now also carries the old password as an NT
>> hash and/or LM hash in the following way:
>>
>> (samdb.h)
>>
>> #define DSDB_CONTROL_PASSWORD_CHANGE_OID "1.3.6.1.4.1.7165.4.3.10"
>> +struct dsdb_control_password_change {
>> + const struct samr_Password *old_nt_pwd_hash;
>> + const struct samr_Password *old_lm_pwd_hash;
>> +};
>> +
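Review bot: the new struct (`+struct dsdb_control_password_change {` through `+};`) carries no comment documenting its contract; add one stating what a NULL `old_nt_pwd_hash` or `old_lm_pwd_hash` means (hash not supplied, and whether the check must fail when both are NULL) and that the control is intended for in-server callers such as the SAMR password-change path, since the mail says the password_hash module treats the supplied hashes as the proof of the old password.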
>>
>> The password_hash module then proves these. I hope that this
>> will finally meet your concerns, Nadya.
>>
>> The whole patchset is to be found under
>> http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/stuff or
>> http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=shortlog;h=refs/heads/stuff .
>>
>> Matthias
>>
>>
>>
>
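As an added illustration of the access decision this thread is about, constructed for this page and not Samba or Windows code: a toy DACL evaluation in which a deny ACE for Self on password changes, as the thread says ADUC sets it, blocks the user's own change while an administrative reset through a separate right still succeeds. The sample SIDs other than the well-known Self SID, and naming the extended rights instead of using their GUIDs, are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Set
SELF_SID = "S-1-5-10"                 # well-known "Principal Self" SID
ADMIN_SID = "S-1-5-21-1-2-3-512"      # constructed sample Domain Admins SID
# Extended rights are named here rather than given by their rightsGuid.
USER_CHANGE_PASSWORD = "User-Change-Password"
USER_FORCE_CHANGE_PASSWORD = "User-Force-Change-Password"

@dataclass
class Ace:
    allow: bool   # True: access-allowed ACE, False: access-denied ACE
    trustee: str  # SID; SELF_SID resolves to the object's own SID
    right: str    # extended right the ACE grants or denies

@dataclass
class SamObject:
    sid: str
    dacl: List[Ace] = field(default_factory=list)

def check_access(obj: SamObject, caller_sids: Set[str], right: str) -> bool:
    """Walk the DACL in order (MS-SAMR 3.1.4.1: the server decides from the
    object's security descriptor). The first ACE whose trustee matches the
    caller and whose right matches the request decides, so a deny placed
    ahead of an allow wins. No matching ACE means not granted."""
    for ace in obj.dacl:
        trustee = obj.sid if ace.trustee == SELF_SID else ace.trustee
        if trustee in caller_sids and ace.right == right:
            return ace.allow
    return False

def default_user(sid: str) -> SamObject:
    """Constructed default: the user may change its own password and
    Domain Admins may reset (force-change) it."""
    return SamObject(sid, [Ace(True, SELF_SID, USER_CHANGE_PASSWORD),
                           Ace(True, ADMIN_SID, USER_FORCE_CHANGE_PASSWORD)])

def disable_password_changes(obj: SamObject) -> None:
    """What the thread describes ADUC doing for 'user cannot change
    password': a deny ACE for Self on password changes, ordered first."""
    obj.dacl.insert(0, Ace(False, SELF_SID, USER_CHANGE_PASSWORD))

def password_change_decisions(user_sid: str):
    """(own change before, own change after disabling, admin reset after)."""
    obj = default_user(user_sid)
    before = check_access(obj, {user_sid}, USER_CHANGE_PASSWORD)
    disable_password_changes(obj)
    after = check_access(obj, {user_sid}, USER_CHANGE_PASSWORD)
    reset = check_access(obj, {ADMIN_SID}, USER_FORCE_CHANGE_PASSWORD)
    return before, after, reset
```

Whether the check runs in the SAMR server or in the ldb acl module is exactly the thread's open question; the decision itself looks the same in either place.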