s4 password changes

Matthias Dieter Wallnöfer mdw at samba.org
Mon Aug 16 12:54:30 MDT 2010

Thanks, Nadya.

I am fully on your line regarding using SYSTEM access on SAMR and maybe 
also other pipes, but here - as said - it really makes a difference (and 
the read of the old password out from the DSDB is still done as SYSTEM).

Well, nice to have this cleared out. Then I still wait for abartlet's 
and/or metze's opinion about my patchset.


Nadezhda Ivanova wrote:
> Hi Matthias,
> I suppose we can make that exception, until we clarify the issue 
> further. Information in MS-SAMR is - at least for now - confusing. We 
> have this:
>   AD Access Checks in DC Configuration
>   Unless otherwise specified, the create, update, delete, and read 
> access checks enforced by the MS-
>   ADTS data model (specified in [MS-ADTS] section 5.1.3) are not 
> enforced during the message
>   processing of this protocol.
> And after that we have this:
>    Default Access
>   Information about the default access control (expressed in the 
> default security descriptor) on user,
>   group, alias, domain, and server objects is specified in [MS-ADTS] 
> section This is
>   significant because this server MUST use the security descriptor 
> from the [MS-ADTS] data model to
>   determine whether the client has access to perform the requested 
> operation. If, for example, a
>   client opens a domain object with SamrOpenDomain requesting
> data model
>   security descriptor to determine whether the client has access to 
> read password-related properties.
> If the current state is introducing a security issue, I think we can 
> do what you suggest until we find a better way.
> Regards,
> Nadya
> On Mon, Aug 16, 2010 at 9:01 PM, Matthias Dieter Wallnöfer 
> <mdw at samba.org <mailto:mdw at samba.org>> wrote:
>     Nadya,
>     you might be right on most cases, but here I would like to recall
>     some facts:
>     - The password checking is a quite complex procedure and I would
>     like to have it in just one place (to don't have redundancies and
>     inconsitencies).
>     - And I think you didn't understand the side-effect, I mean, why I
>     want to have the user password changes with user rights: the
>     possibility to disable password changes.
>     If you disable them under ADUC on Windows Server, then you will
>     notice that the security descriptor changes (on the ACE "Self" the
>     "password changes" are denied). And this will naturally be also
>     enforced on SAMR!
>     Therefore I would really appreciate it, if we could make an
>     exception in this case.
>     Matthias
>     Nadezhda Ivanova wrote:
>         Hi Matthias,
>         As I explained in my email regarding disabling anonymous
>         access, some researched showed that the ldap access checks we
>         currently have implemented in ldb must not be applied to other
>         protocols, as they are LDAP specific. This is explicitly
>         stated in the MS-SAMR document, actually. It would be similar
>         to applying file access checks on directory objects, quite a
>         mess. Therefore we should continue using system session for
>         the password reset in SAMR. In fact, after some discussion
>         with Tridge, I made all SAMR methods use the system session,
>         and enforce an access check for administrative rights before
>         the calls to ldb. The same will have to be done with other
>         protocols where we see problems. I'll be pushing this and
>         other things related to this problem in my branch today or
>         tomorrow and send them for discussion.  This means that you
>         will not need to handle the control in acl module.
>         Regards,
>         Nadya
>         On Mon, Aug 16, 2010 at 8:12 PM, Matthias Dieter Wallnöfer
>         <mdw at samba.org <mailto:mdw at samba.org> <mailto:mdw at samba.org
>         <mailto:mdw at samba.org>>> wrote:
>            Hi Nadya, metze, abartlet,
>            lately I restarted the effort to solve the s4 password
>         change ACL
>            problem and I come now up with a slightly different, but
>         cleaner
>            solution. The big difference now consists in the fact that the
>            control PASSWORD_CHANGE_PW_CHECKED has been renamed to
>            PASSWORD_CHANGE and does now also carry the old password as
>         a NT
>            hash and/or LM hash in the following way:
>            (samdb.h)
>                #define DSDB_CONTROL_PASSWORD_CHANGE_OID
>         ""
>                +struct dsdb_control_password_change {
>                +       const struct samr_Password *old_nt_pwd_hash;
>                +       const struct samr_Password *old_lm_pwd_hash;
>                +};
>                +
>            The password_hash module does then proof these. I hope that
>         this
>            will finally meet your concerns, Nadya.
>            The whole patchset is to be found under
>         http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/stuff or
>         http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=shortlog;h=refs/heads/stuff.
>            Matthias

More information about the samba-technical mailing list