[PATCH] Register bypass control in password hashes ldb module
scabrero at zentyal.com
Tue Jul 24 16:34:24 MDT 2012
On 21/07/12 00:59, Andrew Bartlett wrote:
> On Fri, 2012-07-20 at 07:28 -0700, Matthieu Patou wrote:
>> On 07/20/2012 03:13 AM, Samuel Cabrero wrote:
>>> Let me introduce myself. My name is Samuel and I am a Zentyal developer,
>>> where we have been working to integrate samba4 in our Zentyal Server.
>>> I submit a patch for your review and hope to have it included in master.
>>> The patch registers the DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID control in
>>> the password hashes LDB module to allow writing the kerberos keys in the
>>> samba4 LDAP.
>>> This patch is needed when you have your users stored in an external
>>> database and want to import them to samba after the provision. In our
>>> particular case the users are stored in openldap with the heimdal keys,
>>> so after provision we extract the hashes from the krb5Key attributes,
>>> generate the supplementalCredentials blob and the unicodePwd attribute
>>> and write them to the samba user entry registering this control to
>>> execute the LDAP modify request.
>> I'm not too pleased with this kind of control, potentially bad guys
>> could use it for doing wrong things.
>> I understand your need but we can't make this control available over LDAP.
> Correct. The lack of registration is also a security barrier, as
> otherwise an unprivileged user could bypass the restrictions on password
> modification. We may need to make this clearer somewhere.
>> Also did you have a look at the samba3upgrade of samba-tool domain? I
>> suspect it's doing things similar to what you want to achieve.
> Indeed, a far better approach is to extend the patches that Gémes Géza
> is creating to have the 'samba-tool domain classicupgrade' read the LDAP
> directory. Then you can apply the same code you have to generate the
> supplementalCredentials blob (unicodePwd is already handled).
> BTW, what language is your supplementalCredentials blob creation written
> in? In the long term it may assist with another interesting approach I
> looked into (but have not implemented), which was to allow Heimdal kadmin
> to create new user entries or update keys. One of the larger challenges
> that stopped me working on that was the tedium of parsing the key
> structure into a valid supplementalCredentials blob.
> Andrew Bartlett
Thanks for the suggestion, I'll look into it.
The implementation to generate the supplementalCredentials is written in
Perl; you can have a look here
We have also written an LDB module to forward all the operations to a
unix socket encoded as JSON; it may be interesting for someone. We use
it to keep our openldap and the samba ldap in sync. The code is here
Samuel Cabrero - Developer
scabrero at zentyal.com
The Linux small business server