[PATCH] Password Locked Account Control
Andrew Bartlett
abartlet at samba.org
Sat Jul 13 17:42:01 GMT 2002
Patrick McCarty wrote:
>
> > Patrick McCarty wrote:
> >>
> >> Attached is a patch against HEAD that provides the 'P' option for
> >> acctFlags.
> >
> > Can you please verify that this is the correct bit to set? Rember, MS
> > defines them - so we should check. Ethereal should be able to show you.
>
> I 'borrowed' this bit from the Samba-TNG code, which used it there.
>
> I thought the ACB bits were just a bitmask, and used only internally to
> samba. Do they ever get sent to the client?
Yes - the client reads and sends them as a bitmask.
> >> I havent been able to test this yet, so use with care.
> >>
> >> Ideally, this would eventually set the "user cannot change password"
> >> bit to the client, but as Andrew mentioned, this hasnt been fully
> >> implemented, and I'm not clear as to where in the code that
> >> functionality should even be. (I am working on it however.)
> >>
> >> I plan on attempting to implement the pwdCanChange as well, as I
> >> believe I understand how that could be done.
> >
> > This patch is incorrect. The problem is that there are about 5
> > different ways you can change a password remotely.
>
> When I was playing with a much simpler patch which in the
> _samr_chgpasswd_user function simply returned NT_STATUS_ACCESS_DENIED,
> Windows XP at least from the change password dialog box would correctly
> report all password changes with a "You dont have access" type error
> message.
>
> Perhaps other clients send different RPCs?
There should be no other RPCs, but there are another 3 ways to change
your password via lanman.c
> I just quickly wrote the modifications to store the P flag per user,
> instead of just blanketly denying password changes to everyone.
>
> What other RPC call remotely changes passwords? What did I miss?
>
> > Basiclly, the code needs a general rewrite - at the very lest we need
> > the BOOLs converted to NTSTATUS.
> >
> > We don't really have a single 'choke point'. We need to get one, and to
> > do access control etc there.
> >
> > change_oem_password() is as close as we get, and thats called *after*
> > the unix password sync stuff. Sniff around the functions that call
> > that, and try to get the scope of the problem.
>
> I definately will. I'm still trying to get a feel for how a password
> change flows through the code -- But I thought I had it.
It is a complex beast.
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba-technical
mailing list