Extended request in kludge acl
Matthias Dieter Wallnöfer
mdw at samba.org
Thu Jul 8 01:20:38 MDT 2010
Andrew,
Andrew Bartlett wrote:
> On Thu, 2010-07-08 at 08:12 +0200, Matthias Dieter Wallnöfer wrote:
>
> The approach you suggest would also work, but would not have as strict a
> control over the transaction, as you would not be in the transaction
> when the old pw was checked. (I'm not sure this matters in practice,
> given you could have the same race on multiple DCs anyway).
>
Well, we have only one search/read request and then one modify one. I
think it should be safe to split them up into two distinct transactions
since the latter one (mainly the code in "password_hash" module) has to
be performed in an atomic manner.
> Like the AS_SYSTEM control, this control is a little dangerous, and
> would have to be carefully restricted. Please ensure the kpasswd
> password change code handles this too.
>
The control is strictly private. You cannot set it over the LDAP
protocol. But anyway I'm fine with changing the code again when we do support
extended operations ACLs. The kpasswd patch does naturally also exist -
it's here:
http://repo.or.cz/w/Samba/mdw.git/commitdiff/11f24a9a72d4c47359662ee5ba63433ac11e4b2c.
The code was tested manually and by "make test" and it does work. I hope
you are fine about pushing it.
Matthias