[s4] Passwords work
Stefan (metze) Metzmacher
metze at samba.org
Mon Dec 21 10:26:29 MST 2009
Matthias Dieter Wallnöfer schrieb:
> Hi Andrew,
>
> Andrew Bartlett wrote:
>> - unicodePwd - we need to get rid of the 'autodetection' between
>> "password" and 16 byte hash value. This I think should be replaced with
>> a control indicating 'hash values being set' (which scripts such as the
>> upgradeprovision and parts of the SAMR password change code could then
>> set).
>>
> I would keep this at it is! Since first the more controls we have, the
> more complicated a task is in my eyes. And a very important second
> point: We need to keep compatibility with Windows Server ADs: They allow
> both password types (hash or cleartext) exactly through this attribute
> (consider the MS-ADTS guide). And that also from an external point of
> view - so not only internally! Therefore certain sysadmins/users could
> script or have scripted password changes using this attribute
> (especially before Windows Server 2003 domain mode this has been the
> only change possibility over LDAP I think)!
Do we have tests for all combinations?
There're also a difference between password set and password change...
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091221/f38dd8b1/attachment.pgp>
More information about the samba-technical
mailing list