Extended request in kludge acl

Matthias Dieter Wallnöfer mdw at samba.org
Thu Jul 8 01:45:22 MDT 2010

Could we discuss this on IRC with Andrew?


Nadezhda Ivanova wrote:
> Hi Matthias,
> I thought some more about the patch and I have missed something very 
> important.
> This patch makes it so given the control we actually execute a reset 
> operation with the permissions of a change operation. However, every 
> user account actually is given permission to change every other 
> accoun't password. There is an ACE that comes from the defaultSd that 
> gives this right to EVERYONE. The only thing that we count on after 
> that is that the user knows the correct old password to verify 
> identity. With the replace its different, permission has to be 
> granted. So what you are proposing is to essentially allow everyone to 
> reset a user's password with samr, which worries me A LOT. Maybe there 
> is something I am missing on the samr side.
> Sorry I did not think of this earlier...
> Regards,
> Nadya
> On Thu, Jul 8, 2010 at 10:20 AM, Matthias Dieter Wallnöfer 
> <mdw at samba.org <mailto:mdw at samba.org>> wrote:
>     Andrew,
>     Andrew Bartlett wrote:
>         On Thu, 2010-07-08 at 08:12 +0200, Matthias Dieter Wallnöfer
>         wrote:
>           The approach you suggest would also work, but would not have
>         as strict a
>         control over the transaction, as you would not be in the
>         transaction
>         when the old pw was checked.   (I'm not sure this matters in
>         practice,
>         given you could have the same race on multiple DCs anyway).
>     Well, we have only one search/read request and then one modify
>     one. I think it should be safe to split them up in two distinct
>     transactions since the latter one (mainly the code in
>     "password_hash" module) has to be performed in an atomic manner.
>         Like the AS_SYSTEM control, this control is a little
>         dangerous, and
>         would have to be carefully restricted.  Please ensure the kpasswd
>         password change code handles this too.
>     The control is strictly private. You cannot set it over the LDAP
>     protocol. But anyway I'm fine to rechange the code when we do
>     support extended operations ACLs. The kpasswd patch does naturally
>     also exist - it's here:
>     http://repo.or.cz/w/Samba/mdw.git/commitdiff/11f24a9a72d4c47359662ee5ba63433ac11e4b2c.
>     The code was tested manually and by "make test" and it does work.
>     I hope you are fine about pushing it.
>     Matthias

More information about the samba-technical mailing list