lanman pwd hash (Re: [SCM] Samba Shared Repository - branch master updated)

Matthias Dieter Wallnöfer mdw at
Wed Jun 23 01:08:21 MDT 2010

Hi metze,

I reject it when the lanman auth is deactivated. But otherwise it should 
be enabled (think of "dcesrv_samr_ChangeOemPassword2" which manipulates 
only the lanman hash - tested using the passwords torture test). 
Therefore it should also be valid to have only a "dBCSPwd" attribute in 
the DB (I also read the MS-SAMR documentation and this seems possible). 
But this patch prevents a change which would delete all password 
attributes - which is fatal.

This work is still not complete since there are some outstanding 
differences in behaviour s4 <-> torture SAMR passwords.


Stefan (metze) Metzmacher wrote:
> Hi Matthias,
>> commit 0e637be43b584aef9f5101d15ae5bdc1172c5502
>> Author: Matthias Dieter Wallnöfer<mdw at>
>> Date:   Mon Jun 21 19:40:50 2010 +0200
>>      s4:password_hash LDB module - fix another problem regarding the lanman hash
>>      When a user provides only the lanman hash (and nothing else) and the
>>      lanman authentication is deactivated then we end in an account with no
>>      password attribute at all! Lock this down.
> I think the correct behavior is to reject the password change in that case.
> metze
