lanman pwd hash (Re: [SCM] Samba Shared Repository - branch master updated)
Stefan (metze) Metzmacher
metze at samba.org
Wed Jun 23 02:17:23 MDT 2010
On 23.06.2010 09:08, Matthias Dieter Wallnöfer wrote:
> Hi metze,
>
> I reject it when the lanman auth is deactivated. But otherwise it should
> be enabled (think of "dcesrv_samr_ChangeOemPassword2" which manipulates
> only the lanman hash - tested using the passwords torture test).
> Therefore it should also be valid to have only a "dBCSPwd" attribute in
> the DB (I read also the MS-SAMR documentation and this seems possible).
> But this patch prevents a change which would delete all password
> attributes - which is fatal.
I just noticed this:
- if (!lp_lanman_auth(lp_ctx)) {
- ldb_asprintf_errstring(ldb,
- "check_password_restrictions: "
- "The password change through the
LM hash is deactivated!");
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
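Review bot: The lines removed here were an explicit test of lp_lanman_auth(lp_ctx) that returned LDB_ERR_UNWILLING_TO_PERFORM, and nothing in this hunk replaces it. If the rejection now happens elsewhere, a one-line comment at this spot naming that place would keep the policy discoverable, and a test that attempts an LM-hash-only change with lanman auth disabled and expects LDB_ERR_UNWILLING_TO_PERFORM would guard against the check being lost in a later refactoring.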
and didn't realize that this check was implicitly re-added by this:
+ /* refuse the change if someone tries to set/change the password by
+ * the lanman hash alone and we've deactivated that mechanism. This
+ * would end in an account without any password! */
+ if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
+ && (!io->n.nt_hash) && (!io->n.lm_hash)) {
+ ldb_asprintf_errstring(ldb,
+ "setup_io: "
+ "The password change/set operations performed
using the LAN Manager hash alone are deactivated!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
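Review bot: The condition at the top of this block only tests that cleartext_utf8, cleartext_utf16, nt_hash and lm_hash are all unset, and never consults the lanman auth setting that the comment and the error string refer to. The check therefore depends on io->n.lm_hash having been cleared earlier when that mechanism is off, which these lines do not show. The same condition also holds when the request carried no password material at all, and that caller would get an error about the LAN Manager hash. Consider naming in the comment the place where lm_hash is dropped, or giving the no-password case its own message.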
metze