[Patch] myldap-pub.py

Matthias Dieter Wallnöfer mdw at samba.org
Thu Aug 19 23:55:06 MDT 2010


Lukasz,

Lukasz Zalewski wrote:
> Hi Matthias
> On 8/19/2010 7:12 PM, Matthias Dieter Wallnöfer wrote:
>> Hi Lukasz,
>>
>> Lukasz Zalewski wrote:
>>> I have noticed that when NTpassword is missing the new unicodePwd
>>> element is set to None. However the account is not disabled, but it
>>> does not have the empty password either. So does ldbadd process
>>> generate some random password value if that attribute is missing?
>>> Should the account be disabled during the import if password
>>> information is missing?
>> do you speak from s4 or s3? On s4 I've implemented some restriction that
>> you can't end without a password on a password set or change. Code taken
>> from "password_hash.c":
>>> /* refuse the change if someone tries to set/change the password by
>>>  * the lanman hash alone and we've deactivated that mechanism. This
>>>  * would end in an account without any password! */
>>> if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
>>>     && (!io->n.nt_hash) && (!io->n.lm_hash)) {
>>>         ldb_asprintf_errstring(ldb,
>>>                 "setup_io: "
>>>                 "The password change/set operations performed using the LAN Manager hash alone are deactivated!");
>>>         return LDB_ERR_UNWILLING_TO_PERFORM;
>>> }
>> If you have the lanman auth mechanism active and you provide only the
>> lanman hash you are fine without restriction.
> The ldif was extracted from s3 (using myldap-pub.py) and imported into 
> s4 using (according to metze's recipe):
> $targetdir/bin/ldbadd -H $targetdir/private/sam.ldb --nosync --verbose 
> --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 
> --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 myldif.ldif
>
> The account information included in the ldif did not contain either LM 
> or NT password and it was successfully imported into s4 (it did 
> contain a foreign domain sid, but I suspect that should not have any 
> impact).
Yes - but this is possible. You can import an account without any 
password set - it is the same as if you create an account over LDAP 
using the "user" objectClass and don't fill in any password attributes. 
You are not allowed to do anything with it unless you specify a password 
using an administrative password set mechanism.
Exports and imports using password attributes are normally only possible 
using plaintext passwords on s4 - unless you use metze's new mechanism 
for skipping the "password_hash" module. Ask him if you prefer that one.

Matthias
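An added check in the spirit of the password_hash.c rule quoted above (example code, not from the thread and not Samba's own): a small Python scan over an LDIF export that lists the user entries carrying no NT/LM password material, so an administrator can disable them or set a password around the import. The password attribute names and the sample entries are assumptions and constructed data, not values from the thread.

```python
import base64

# Attribute names are assumptions, not from the thread: s4 keeps the NT hash in
# unicodePwd and the LM hash in dBCSPwd; s3 exports use sambaNTPassword/sambaLMPassword.
PASSWORD_ATTRS = {"unicodepwd", "dbcspwd", "sambantpassword", "sambalmpassword"}

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuations, split on blank lines, decode '::' base64."""
    entries, current = [], {}
    # "\n " starts a folded continuation line; the trailing "" flushes the last record
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                         # not an "attr: value" line; ignore
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries

def passwordless_users(text):
    """DNs of 'user' entries whose password attributes are absent or hold 'None'."""
    flagged = []
    for e in parse_ldif(text):
        if "user" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        if not any(v not in ("", "None") for a in PASSWORD_ATTRS for v in e.get(a, [])):
            flagged.append(e["dn"][0])
    return flagged

# Constructed sample export (not real data): alice has an NT hash, bob has no
# password attribute, carol carries the literal "None" mentioned in the thread.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
unicodePwd:: MDEyMzQ1Njc4OWFiY2RlZg==

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
unicodePwd: None
"""
```

Entries flagged by passwordless_users() are exactly the ones password_hash.c would refuse to set a password on, and which an import that bypasses that module leaves with nothing to authenticate against.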
