lanman pwd hash (Re: [SCM] Samba Shared Repository - branch master updated)
Matthias Dieter Wallnöfer
mdw at samba.org
Wed Jun 23 01:08:21 MDT 2010
I reject it when the lanman auth is deactivated. But otherwise it should
be enabled (think of "dcesrv_samr_ChangeOemPassword2", which manipulates
only the lanman hash - tested using the passwords torture test).
Therefore it should also be valid to have only a "dBCSPwd" attribute in
the DB (I also read the MS-SAMR documentation and this seems possible).
But this patch prevents a change which would delete all password
attributes - which is fatal.
This work is still not complete since there are some outstanding
differences in behaviour s4 <-> torture SAMR passwords.
Stefan (metze) Metzmacher wrote:
> Hi Matthias,
>> commit 0e637be43b584aef9f5101d15ae5bdc1172c5502
>> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
>> Date: Mon Jun 21 19:40:50 2010 +0200
>> s4:password_hash LDB module - fix another problem regarding the lanman hash
>> When a user provides only the lanman hash (and nothing else) and the
>> lanman authentication is deactivated then we end in an account with no
>> password attribute at all! Lock this down.
> I think the correct behavior is to reject the password change in that case.