Extended request in kludge acl
abartlet at samba.org
Thu Jul 8 00:44:04 MDT 2010
On Thu, 2010-07-08 at 08:12 +0200, Matthias Dieter Wallnöfer wrote:
> Hi abartlet,
> I would also like to change the actual SAMR behaviour of password
> changes in order that the users run the change operation which their own
> rights (therefore I proposed also this "weird" ACL module patch -
> To get the old password we do still need SYSTEM rights but then we
> immediately switch to a SAMDB with user credentials:
> I hope you are fine with this since for example it allows us to
> deactivate password changes (in AD this is done using these ACL
> permission flags implemented by Nadya). If we do perform the change as
> SYSTEM then this is never inherited.
What I was proposing is an extended operation that would do the password
change, and be tested against the ACL, and then changed if correct.
The approach you suggest would also work, but would not have as strict a
control over the transaction, as you would not be in the transaction
when the old pw was checked. (I'm not sure this matters in practice,
given you could have the same race on multiple DCs anyway).
Like the AS_SYSTEM control, this control is a little dangerous, and
would have to be carefully restricted. Please ensure the kpasswd
password change code handles this too.
Anyway, this is a worthy goal, I'm just cautious about ensuring we get
the implementation right.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 190 bytes
Desc: This is a digitally signed message part
More information about the samba-technical