lanman pwd hash (Re: [SCM] Samba Shared Repository - branch master updated)

Stefan (metze) Metzmacher metze at samba.org
Wed Jun 23 02:17:23 MDT 2010


On 23.06.2010 09:08, Matthias Dieter Wallnöfer wrote:
> Hi metze,
> 
> I reject it when the lanman auth is deactivated. But otherwise it should
> be enabled (think of "dcesrv_samr_ChangeOemPassword2" which manipulates
> only the lanman hash - tested using the passwords torture test).
> Therefore it should also be valid to have only a "dBCSPwd" attribute in
> the DB (I read also the MS-SAMR documentation and this seems possible).
> But this patch prevents a change which would delete all password
> attributes - which is fatal.

I just noticed this:

-                       if (!lp_lanman_auth(lp_ctx)) {
-                               ldb_asprintf_errstring(ldb,
-                                       "check_password_restrictions: "
-                                       "The password change through the
LM hash is deactivated!");
-                               return LDB_ERR_UNWILLING_TO_PERFORM;
-                       }
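
Review bot: the removed test on lp_lanman_auth(lp_ctx) is the only place in these lines where the refusal depends on the lanman auth setting, and nothing visible here replaces that dependency explicitly. If the setting is now enforced elsewhere, say so in the commit message or in a comment at the new check, so a reader does not have to infer that LM-hash-only changes are still rejected when lanman auth is off.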

and didn't realize that this check was implicitly re-added by this:

+       /* refuse the change if someone tries to set/change the password by
+        * the lanman hash alone and we've deactivated that mechanism. This
+        * would end in an account without any password! */
+       if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
+           && (!io->n.nt_hash) && (!io->n.lm_hash)) {
+               ldb_asprintf_errstring(ldb,
+                       "setup_io: "
+                       "The password change/set operations performed
using the LAN Manager hash alone are deactivated!");
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+
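
Review bot: the condition of the added if tests that all four of io->n.cleartext_utf8, io->n.cleartext_utf16, io->n.nt_hash and io->n.lm_hash are unset, but the comment and the error string describe a change made "by the lanman hash alone" with that mechanism deactivated, and lp_lanman_auth() is not consulted anywhere in the hunk. The check only matches its description if io->n.lm_hash has already been cleared earlier when lanman auth is off; the comment should state that dependency, or the message should be reworded to say that no usable password value was supplied.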

metze
