[Samba] Enforcing password history policy on password resets

Garming Sam garming at catalyst.net.nz
Wed Jul 13 01:48:57 UTC 2016


In password_hash.c, the function check_password_restrictions sounds like
the one you want to interrupt.

        if (io->ac->pwd_reset) {
                return LDB_SUCCESS;

Just guessing, this is probably the codepath you're triggering causing
you to skip the password history.

ldb_request_get_control(req, <OID>)

You'd have to change the code to check if that particular control is
there, and if so, don't return yet. You'd also have to make sure that
you're only including the history checks and nothing else.



On 13/07/16 10:14, Mateusz Uzdowski wrote:
> Hi there,
> We are using Samba as a user directory for our application. Passwords are
> stored in unicodePwd attribute, and our application resets passwords
> through LDAP (without the knowledge of the previous password, because it's
> an email-based reset).
> Unfortunately resetting it like this prevents the "password history" policy
> enforcement. This is a security problem that will come up on the first
> security audit.
> Microsoft recognised this is a problem and in Windows 2008 R2 SP1
> introduced a supportedControl on RootDSE:
> LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later
> LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which enables such
> password history enforcement on LDAP password resets.
> I've been trawling the internet and Samba source code looking for a way to
> achieve the same thing, to no avail.
> Does anyone have any suggestions on how to get password history to be
> enforced on password resets?
> Many thanks,
> Mateusz

More information about the samba mailing list