s4 password changes

Stefan (metze) Metzmacher metze at samba.org
Tue Aug 17 00:19:31 MDT 2010

Hi Nadya,

> Here is the wip branch:
> http://gitweb.samba.org/?p=nivanova/samba.git;a=shortlog;h=refs/heads/aclsearch
> I started by denying access to anonymous depending on dSHeuristics. The
> tests that I wrote to ensure this is correct are passing, but a lot of other
> things broke, such as samr tests, lsa, secure channel, ldb tests, because
> they were no longer able to read necessary data from the database. I will
> send more details later.

I have some comments regarding:
s4-samr: Adapted SAMR calls to use system session, with access check for

Please implement the SAMR access checks correct, by having an
allowed_access mask
on the policy handles, and then only check for the needed access bits in
each operation.

For now I'm fine if we give admins full access and others only read access,
but that should be decided at the time we create a policy handle and not
on each


> On Mon, Aug 16, 2010 at 8:47 PM, Nadezhda Ivanova <nivanova at samba.org>wrote:
>> Hi Matthias,
>> As I explained in my email regarding disabling anonymous access, some
>> researched showed that the ldap access checks we currently have implemented
>> in ldb must not be applied to other protocols, as they are LDAP specific.
>> This is explicitly stated in the MS-SAMR document, actually. It would be
>> similar to applying file access checks on directory objects, quite a mess.
>> Therefore we should continue using system session for the password reset in
>> SAMR. In fact, after some discussion with Tridge, I made all SAMR methods
>> use the system session, and enforce an access check for administrative
>> rights before the calls to ldb. The same will have to be done with other
>> protocols where we see problems. I'll be pushing this and other things
>> related to this problem in my branch today or tomorrow and send them for
>> discussion.  This means that you will not need to handle the control in acl
>> module.
>> Regards,
>> Nadya
>> On Mon, Aug 16, 2010 at 8:12 PM, Matthias Dieter Wallnöfer <mdw at samba.org>wrote:
>>> Hi Nadya, metze, abartlet,
>>> lately I restarted the effort to solve the s4 password change ACL problem
>>> and I come now up with a slightly different, but cleaner solution. The big
>>> difference now consists in the fact that the control
>>> PASSWORD_CHANGE_PW_CHECKED has been renamed to PASSWORD_CHANGE and does now
>>> also carry the old password as a NT hash and/or LM hash in the following
>>> way:
>>> (samdb.h)
>>>> +struct dsdb_control_password_change {
>>>> +       const struct samr_Password *old_nt_pwd_hash;
>>>> +       const struct samr_Password *old_lm_pwd_hash;
>>>> +};
>>>> +
>>> The password_hash module does then proof these. I hope that this will
>>> finally meet your concerns, Nadya.
>>> The whole patchset is to be found under
>>> http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/stuff or
>>> http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=shortlog;h=refs/heads/stuff
>>> .
>>> Matthias

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100817/8c8d2de7/attachment.pgp>

More information about the samba-technical mailing list