s4 password changes

Matthias Dieter Wallnöfer mdw at samba.org
Tue Aug 17 11:39:26 MDT 2010

Hi abartlet,

I switched back to a password change operation for the two NETLOGON RPCs 
and performed afterwards the merge.

I hope you are fine with this.


Andrew Bartlett wrote:
> On Tue, 2010-08-17 at 08:19 +0200, Stefan (metze) Metzmacher wrote:
>> Hi Nadya,
>>> Here is the wip branch:
>>> http://gitweb.samba.org/?p=nivanova/samba.git;a=shortlog;h=refs/heads/aclsearch
>>> I started by denying access to anonymous depending on dSHeuristics. The
>>> tests that I wrote to ensure this is correct are passing, but a lot of other
>>> things broke, such as samr tests, lsa, secure channel, ldb tests, because
>>> they were no longer able to read necessary data from the database. I will
>>> send more details later.
>> I have some comments regarding:
>> s4-samr: Adapted SAMR calls to use system session, with access check for
>> administrator
>> Please implement the SAMR access checks correct, by having an
>> allowed_access mask
>> on the policy handles, and then only check for the needed access bits in
>> each operation.
>> For now I'm fine if we give admins full access and others only read access,
>> but that should be decided at the time we create a policy handle and not
>> on each
>> operation.
> My comment is regarding the change to the NetLogon password/set change
> operations.  I don't like that something is changed 'because I can't see
> why abartlet did this'.
> I'm sorry if I don't include every detail in every commit message, but
> instead I suggest you ask me, with tests that show that this change is
> required.
> In this case, the password change code had been adjusted to seperate the
> concepts of 'password quality check must be passed' from 'this is a
> user-initiated password change'.  If you have proof that this is not
> considered a user-initiated password change, then please show me the
> tests.
> Thanks,

More information about the samba-technical mailing list