Extended request in kludge acl

Matthias Dieter Wallnöfer mdw at samba.org
Thu Jul 8 01:20:38 MDT 2010


Andrew Bartlett wrote:
> On Thu, 2010-07-08 at 08:12 +0200, Matthias Dieter Wallnöfer wrote:
> The approach you suggest would also work, but would not have as strict a
> control over the transaction, as you would not be in the transaction
> when the old pw was checked.   (I'm not sure this matters in practice,
> given you could have the same race on multiple DCs anyway).
Well, we have only one search/read request and then one modify one. I 
think it should be safe to split them up in two distinct transactions 
since the latter one (mainly the code in "password_hash" module) has to 
be performed in an atomic manner.
> Like the AS_SYSTEM control, this control is a little dangerous, and
> would have to be carefully restricted.  Please ensure the kpasswd
> password change code handles this too.
The control is strictly private. You cannot set it over the LDAP 
protocol. But anyway I'm fine to rechange the code when we do support 
extended operations ACLs. The kpasswd patch does naturally also exist - 
it's here: 

The code was tested manually and by "make test" and it does work. I hope 
you are fine about pushing it.


More information about the samba-technical mailing list