s4 password changes

Andrew Bartlett abartlet at samba.org
Tue Aug 17 05:33:11 MDT 2010


On Tue, 2010-08-17 at 08:19 +0200, Stefan (metze) Metzmacher wrote:
> Hi Nadya,
> 
> > Here is the wip branch:
> > http://gitweb.samba.org/?p=nivanova/samba.git;a=shortlog;h=refs/heads/aclsearch
> > 
> > I started by denying access to anonymous depending on dSHeuristics. The
> > tests that I wrote to ensure this is correct are passing, but a lot of other
> > things broke, such as samr tests, lsa, secure channel, ldb tests, because
> > they were no longer able to read necessary data from the database. I will
> > send more details later.
> 
> I have some comments regarding:
> s4-samr: Adapted SAMR calls to use system session, with access check for
> administrator
> 
> Please implement the SAMR access checks correct, by having an
> allowed_access mask
> on the policy handles, and then only check for the needed access bits in
> each operation.
> 
> For now I'm fine if we give admins full access and others only read access,
> but that should be decided at the time we create a policy handle and not
> on each
> operation.

My comment is regarding the change to the NetLogon password/set change
operations.  I don't like that something is changed 'because I can't see
why abartlet did this'.  

I'm sorry if I don't include every detail in every commit message, but
instead I suggest you ask me, with tests that show that this change is
required.

In this case, the password change code had been adjusted to seperate the
concepts of 'password quality check must be passed' from 'this is a
user-initiated password change'.  If you have proof that this is not
considered a user-initiated password change, then please show me the
tests.

Thanks,

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100817/ef662295/attachment.pgp>


More information about the samba-technical mailing list