[Samba] LDAP Extended attributes and dsheuristics

Rowland Penny rpenny at samba.org
Fri Jun 2 08:43:34 UTC 2023

On 30/05/2023 20:04, Andrew Bartlett via samba wrote:
> On Tue, 2023-05-30 at 11:23 -0400, Ben Curtis via samba wrote:
>> Hi all,
>> I can only find posts about extended attributes from ~10 years ago,
>> so
>> I figured I'd ask this here. I get the following error when trying to
>> change passwords on my Samba 4.7 AD via LDAP:
>> ```
>> ldap_exop_passwd(): Passwd modify extended operation failed: Extended
>> Operation( not supported
>> ```
>> Is this feature ( still not supported?
> This feature has never been seen on Active Directory DCs, and Samba has
> not had a patch for this contributed.
> We would welcome such a feature, but note it would need to be quite
> carefully implemented and tested to ensure it honours all the
> appropriate ACLs.

I have finally had chance to further investigate this OID, which lead me 
to rfc 3062 which appears to date from 2001 and in its contents quite 
clearly states:

The operation itself does not provide any security protection to ensure 
integrity and/or confidentiality of the information.  Use of this 
operation is strongly discouraged when privacy protections are not in 
place to guarantee confidentiality and may result in the disclosure of 
the password to unauthorized parties.

I can find nothing that says that Microsoft uses this OID.

Bearing all this in mind, then if anyone proposes a patch to add this 
OID, when there are much more secure ways of changing a users password, 
I will not accept it.

I accept that Samba has to work with Unix, but not when it isn't safe.


More information about the samba mailing list