Extended request in kludge acl
Matthias Dieter Wallnöfer
mdw at samba.org
Thu Jul 8 00:12:28 MDT 2010
Hi abartlet,
I would also like to change the actual SAMR behaviour of password
changes in order that the users run the change operation which their own
rights (therefore I proposed also this "weird" ACL module patch -
http://repo.or.cz/w/Samba/mdw.git/commitdiff/1ff314f77b18addccbe09805f15ae386d64f35e4).
To get the old password we do still need SYSTEM rights but then we
immediately switch to a SAMDB with user credentials:
http://repo.or.cz/w/Samba/mdw.git/commitdiff/d62cffa561810804ee9173947196bc23f7ec2a0d
I hope you are fine with this since for example it allows us to
deactivate password changes (in AD this is done using these ACL
permission flags implemented by Nadya). If we do perform the change as
SYSTEM then this is never inherited.
Matthias
Andrew Bartlett wrote:
> For example, we may in future decide to change again the password change
> logic to remove the 'password already checked' control for SAMR password
> changes, and make it instead do an extended request with the full
> password change, and have password_hash validate it. (There is a
> similar extended operation I also want to support for OpenLDAP clients).
>
> Andrew Bartlett
>
>
More information about the samba-technical
mailing list