[PATCH] Register bypass control in password hashes ldb module

Andrew Bartlett abartlet at samba.org
Fri Jul 20 16:59:33 MDT 2012

On Fri, 2012-07-20 at 07:28 -0700, Matthieu Patou wrote:
> On 07/20/2012 03:13 AM, Samuel Cabrero wrote:
> > Hi,
> >
> > let me introduce myself. My name is Samuel and I am a Zentyal developer,
> > where we have been working to integrate samba4 in our Zentyal Server
> > product.
> >
> > I submit a patch for your review and hope to have it included in master.
> > The patch registers the DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID control in
> > the password hashes LDB module to allow writing the Kerberos keys in the
> > samba4 LDAP.
> >
> > This patch is needed when you have your users stored in an external
> > database and want to import them to samba after the provision. In our
> > particular case the users are stored in openldap with the heimdal keys,
> > so after provision we extract the hashes from the krb5Key attributes,
> > generate the supplementalCredentials blob and the unicodePwd attribute
> > and write them to the samba user entry registering this control to
> > execute the LDAP modify request.
> I'm not too pleased with this kind of control, potentially bad guys 
> could use it for doing wrong things.
> I understand your need but we can't make this control available over LDAP.

Correct.  The lack of registration is also a security barrier, as
otherwise an unprivileged user could bypass the restrictions on password
modification.  We may need to make this clearer somewhere. 

> Also did you have a look at the samba3upgrade of samba-tool domain? I
> suspect it's doing things similar to what you want to achieve.

Indeed, a far better approach is to extend the patches that Gémes Géza
is creating to have the 'samba-tool domain classicupgrade' read the LDAP
directory.  Then you can apply the same code you have to generate the
supplementalCredentials blob (unicodePwd is already handled). 

BTW, what language is your supplementalCredentials blob creation written
in?  In the long term it may assist with another interesting approach I
looked into (but have not implemented), which was to allow Heimdal kadmin
to create new user entries or update keys.  One of the larger challenges
that stopped me working on that was the tedium of parsing the key
structure into a valid supplementalCredentials blob.


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
