Extended request in kludge acl

Matthias Dieter Wallnöfer mdw at samba.org
Thu Jul 8 00:12:28 MDT 2010

Hi abartlet,

I would also like to change the actual SAMR behaviour of password 
changes in order that the users run the change operation which their own 
rights (therefore I proposed also this "weird" ACL module patch - 
To get the old password we do still need SYSTEM rights but then we 
immediately switch to a SAMDB with user credentials: 

I hope you are fine with this since for example it allows us to 
deactivate password changes (in AD this is done using these ACL 
permission flags implemented by Nadya). If we do perform the change as 
SYSTEM then this is never inherited.


Andrew Bartlett wrote:
> For example, we may in future decide to change again the password change
> logic to remove the 'password already checked' control for SAMR password
> changes, and make it instead do an extended request with the full
> password change, and have password_hash validate it.  (There is a
> similar extended operation I also want to support for OpenLDAP clients).
> Andrew Bartlett

More information about the samba-technical mailing list