[PATCH] allow passdb backend to change trusted domain object password with clear text

Jeremy Allison jra at samba.org
Fri Apr 7 19:12:31 UTC 2017


On Thu, Apr 06, 2017 at 06:46:06PM +0300, Alexander Bokovoy via samba-technical wrote:
> Hi,
> 
> attached patch switches _netr_ServerPasswordSet2 to use SetUserInfo2
> info level 26. This allows us to pass through clear text password change
> down to passdb backend. This is critical for AD-like configurations
> (FreeIPA) where it is not enough to change NT or LM hashes for TDO, as
> one needs to generate Kerberos keys as well.
> 
> I'm working on a corresponding change in FreeIPA ipasam module as well.
> It currently does not provide pdb_update_sam_account() callback so end
> result is still NT_STATUS_NOT_IMPLEMENTED as can be witnessed with
> 'nltest /sc_change_pwd:ipa.domain' but we are getting closer.
> +							const char *account_name,
> +							DATA_BLOB *plain_text)
> +{
> +	NTSTATUS status;
> +	NTSTATUS result = NT_STATUS_OK;
> +	struct dcerpc_binding_handle *h = NULL;
> +	struct tsocket_address *local;
> +	struct policy_handle user_handle;
> +	uint32_t acct_ctrl;
> +	union samr_UserInfo *info;
> +	struct samr_UserInfo26 info26;
> +	int rc;
> +	DATA_BLOB session_key;
> +
> +	ZERO_STRUCT(user_handle);
> +
> +	status = session_extract_session_key(session_info,
> +					     &session_key,
> +					     KEY_USE_16BYTES);
> +	if (!NT_STATUS_IS_OK(status)) {
> +		goto out;
> +	}
> +
> +	rc = tsocket_address_inet_from_strings(mem_ctx,
> +					       "ip",
> +					       "127.0.0.1",
> +					       0,
> +					       &local);
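
Review bot: the `tsocket_address_inet_from_strings()` call at the end of this hunk hard-codes the IPv4 loopback literal "127.0.0.1" as the local address, so this path depends on the host having an IPv4 loopback. Consider falling back to "::1" when the IPv4 form fails (the "ip" family argument already used here is not IPv4-specific), and add a comment explaining why a loopback address is needed at this point. The check on `rc` is not in the quoted lines; a failure there should set `status` and leave through the same `goto out` path as the `session_extract_session_key()` error above it. Since `session_key` and `*plain_text` both hold secret material, the code after `out:` should also be reviewed to confirm that neither is written to debug output.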

Alexander - is the above going to work on an IPv6-only
box ?

Can you test that please.

Thanks,

Jeremy.


