s4 password changes

Nadezhda Ivanova nivanova at samba.org
Mon Aug 16 12:52:27 MDT 2010

Hi Matthias,
You are correct, the AD security descriptors are taken into account for
group, alias and user objects. This means that we should use the user
credentials for ops like changing the password and apply the access checks.
In any case, I am OK with the new version of the control.


On Mon, Aug 16, 2010 at 9:37 PM, Nadezhda Ivanova <nivanova at samba.org> wrote:

> Hi Matthias,
> I suppose we can make that exception, until we clarify the issue further.
> Information in MS-SAMR is - at least for now - confusing. We have this:
>
>   AD Access Checks in DC Configuration
>   Unless otherwise specified, the create, update, delete, and read access
>   checks enforced by the MS-ADTS data model (specified in [MS-ADTS] section
>   5.1.3) are not enforced during the message processing of this protocol.
>
> And after that we have this:
>
>   Default Access
>   Information about the default access control (expressed in the default
>   security descriptor) on user, group, alias, domain, and server objects is
>   specified in [MS-ADTS] section This is significant because this server
>   MUST use the security descriptor from the [MS-ADTS] data model to
>   determine whether the client has access to perform the requested
>   operation. If, for example, a client opens a domain object with
>   SamrOpenDomain requesting DOMAIN_READ_PASSWORD_PROPERTIES, SamrOpenDomain
>   uses the [MS-ADTS] data model security descriptor to determine whether
>   the client has access to read password-related properties.
>
> If the current state is introducing a security issue, I think we can do
> what you suggest until we find a better way.
> Regards,
> Nadya
> On Mon, Aug 16, 2010 at 9:01 PM, Matthias Dieter Wallnöfer <mdw at samba.org> wrote:
>> Nadya,
>> you might be right on most cases, but here I would like to recall some
>> facts:
>> - The password checking is a quite complex procedure and I would like to
>> have it in just one place (so as not to have redundancies and inconsistencies).
>> - And I think you didn't understand the side-effect, I mean, why I want to
>> have the user password changes with user rights: the possibility to disable
>> password changes.
>> If you disable them under ADUC on Windows Server, then you will notice
>> that the security descriptor changes (on the ACE "Self" the "password
>> changes" are denied). And this will naturally be also enforced on SAMR!
>> Therefore I would really appreciate it, if we could make an exception in
>> this case.
>> Matthias
>> Nadezhda Ivanova wrote:
>>> Hi Matthias,
>>> As I explained in my email regarding disabling anonymous access, some
>>> research showed that the ldap access checks we currently have implemented
>>> in ldb must not be applied to other protocols, as they are LDAP specific.
>>> This is explicitly stated in the MS-SAMR document, actually. It would be
>>> similar to applying file access checks on directory objects, quite a mess.
>>> Therefore we should continue using system session for the password reset in
>>> SAMR. In fact, after some discussion with Tridge, I made all SAMR methods
>>> use the system session, and enforce an access check for administrative
>>> rights before the calls to ldb. The same will have to be done with other
>>> protocols where we see problems. I'll be pushing this and other things
>>> related to this problem in my branch today or tomorrow and send them for
>>> discussion.  This means that you will not need to handle the control in acl
>>> module.
>>> Regards,
>>> Nadya
>>> On Mon, Aug 16, 2010 at 8:12 PM, Matthias Dieter Wallnöfer <mdw at samba.org> wrote:
>>>    Hi Nadya, metze, abartlet,
>>>    lately I restarted the effort to solve the s4 password change ACL
>>>    problem and I come now up with a slightly different, but cleaner
>>>    solution. The big difference now consists in the fact that the
>>>    control PASSWORD_CHANGE_PW_CHECKED has been renamed to
>>>    PASSWORD_CHANGE and does now also carry the old password as a NT
>>>    hash and/or LM hash in the following way:
>>>    (samdb.h)
>>>        +struct dsdb_control_password_change {
>>>        +       const struct samr_Password *old_nt_pwd_hash;
>>>        +       const struct samr_Password *old_lm_pwd_hash;
>>>        +};
>>>        +
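Review bot: the new struct carries no comment, and the covering text says the old password arrives as an NT hash "and/or" an LM hash, so this hunk leaves undefined what password_hash does when both old_nt_pwd_hash and old_lm_pwd_hash are NULL; document that case in samdb.h next to the struct (reject the change, or state explicitly that a NULL pair means an administrative reset that skips the old-password proof), otherwise a caller can attach the control without any proof of the old password and get the user-change code path.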
>>>    The password_hash module then verifies these. I hope that this
>>>    will finally meet your concerns, Nadya.
>>>    The whole patchset is to be found under
>>>    http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/stuff or
>>>    http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=shortlog;h=refs/heads/stuff
>>>    Matthias
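The access check the thread turns on, written out as an added example for this page (Python, not Samba code and not the patchset under discussion): it models the point Matthias makes about ADUC's "User cannot change password" being expressed as a deny ACE for Self in the user object's security descriptor, and shows that a SAMR password change evaluated with the caller's own token hits that deny, while one performed under the system session never sees it. The control-access-right GUIDs and the well-known SIDs are the real AD values; the default user DACL is a constructed subset of the schema default, the domain SIDs are invented, and the ACE evaluation is simplified (control access rights only, no inheritance, owner or SACL handling). The old-password proof that the thread moves into password_hash is outside this example.

```python
"""Added example (not Samba code): simplified AD control-access check for
the User-Change-Password right, run once with the caller's token and once
under a system session, to show why the choice of credentials matters."""
import uuid
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Real AD control access right GUIDs (User-Change-Password, User-Force-Change-Password).
USER_CHANGE_PASSWORD = uuid.UUID("ab721a53-1e2f-11d0-9819-00aa0040529b")
USER_FORCE_CHANGE_PASSWORD = uuid.UUID("00299570-246d-11d0-a768-00aa006e0529")

# SDDL aliases used here: Everyone, Principal Self, Builtin Administrators,
# Account Operators (all well-known SIDs).
SID_ALIASES = {"WD": "S-1-1-0", "PS": "S-1-5-10",
               "BA": "S-1-5-32-544", "AO": "S-1-5-32-548"}


@dataclass
class Ace:
    allow: bool
    trustee: str                 # SID string
    right: Optional[uuid.UUID]   # None: non-object ACE, covers every control access right


@dataclass
class Session:
    user_sid: str
    group_sids: Set[str] = field(default_factory=set)
    is_system: bool = False      # the server's own privileged session


def parse_sddl_dacl(sddl: str) -> List[Ace]:
    """Extract the CR (control access) ACEs from an SDDL DACL string such as
    "D:(OA;;CR;<guid>;;PS)(D;;CR;;;WD)". SDDL ACE fields are
    type;flags;rights;object guid;inherited object guid;trustee. Audit ACEs
    and ACEs without the CR bit are ignored, since only control access rights
    matter for a password change."""
    body = sddl[sddl.index("("):]
    aces: List[Ace] = []
    for raw in body.split(")"):
        if not raw:
            continue
        ace_type, _flags, rights, obj_guid, _inh, trustee = raw.lstrip("(").split(";")
        if ace_type not in ("A", "D", "OA", "OD") or "CR" not in rights:
            continue
        aces.append(Ace(allow=ace_type in ("A", "OA"),
                        trustee=SID_ALIASES.get(trustee, trustee),
                        right=uuid.UUID(obj_guid) if obj_guid else None))
    return aces


def check_control_access(dacl: List[Ace], obj_sid: str, session: Session,
                         right: uuid.UUID) -> bool:
    """First matching ACE wins, walking the DACL in order (the MS-DTYP shape
    of the check): an ACE applies when its trustee is in the caller's token
    and its object GUID is absent or equals the requested right. Everyone is
    always in the token; PRINCIPAL_SELF (S-1-5-10) only when the caller is the
    object being accessed. No matching ACE means deny."""
    token = {session.user_sid, SID_ALIASES["WD"]} | set(session.group_sids)
    if session.user_sid == obj_sid:
        token.add(SID_ALIASES["PS"])
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.right is not None and ace.right != right:
            continue
        return ace.allow
    return False


def aduc_disable_password_change(dacl: List[Ace]) -> List[Ace]:
    """Model of ADUC's "User cannot change password" box: deny ACEs for SELF
    and Everyone on User-Change-Password, placed before the existing allows
    (canonical DACL order puts explicit denies first, so they win)."""
    denies = [Ace(False, SID_ALIASES["PS"], USER_CHANGE_PASSWORD),
              Ace(False, SID_ALIASES["WD"], USER_CHANGE_PASSWORD)]
    return denies + list(dacl)


def samr_change_password(dacl: List[Ace], obj_sid: str, session: Session) -> bool:
    """Toy SAMR ChangePassword handler: True when the change goes ahead.
    A system session bypasses the DACL, which is exactly how a handler that
    writes under the system session stays blind to the ADUC deny ACE; with
    the caller's session the descriptor is enforced."""
    if session.is_system:
        return True
    return check_control_access(dacl, obj_sid, session, USER_CHANGE_PASSWORD)


# Constructed subset of the default user-object DACL: Everyone and SELF may
# change the password; Account Operators and Builtin Administrators may
# force-change (reset) it.
DEFAULT_USER_DACL = parse_sddl_dacl(
    "D:(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;AO)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;BA)")

ALICE = "S-1-5-21-1-2-3-1001"                 # constructed domain user SID
alice = Session(ALICE)
admin = Session("S-1-5-21-1-2-3-500", {SID_ALIASES["BA"]})
system_session = Session("S-1-5-18", is_system=True)

if __name__ == "__main__":
    locked = aduc_disable_password_change(DEFAULT_USER_DACL)
    print("alice, default DACL:", samr_change_password(DEFAULT_USER_DACL, ALICE, alice))  # True
    print("alice, after ADUC disable:", samr_change_password(locked, ALICE, alice))        # False
    print("system session, after disable:", samr_change_password(locked, ALICE, system_session))  # True
    print("admin reset, after disable:",
          check_control_access(locked, ALICE, admin, USER_FORCE_CHANGE_PASSWORD))          # True
```

The last two lines are the thread's two positions side by side: the administrative reset (User-Force-Change-Password) is unaffected by the ADUC checkbox, so checking for administrative rights and then writing under the system session is fine for a reset, but doing the same for a user's own change loses the deny ACE that the checkbox installed.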
