3.1.1.7.1 General Password Policy

This policy is referenced from the dbcsPwd and unicodePwd triggers.

The following constraints MUST be satisfied; on error, the server MUST return a
processing error. For more information on error codes, see section 3.1.5.

1. Minimum Password Length Constraint: If all of the following conditions
   are true, the following constraint MUST be satisfied:
   1. Conditions:
      1. The userAccountControl attribute value contains UF_NORMAL_ACCOUNT.
      2. The objectSid attribute value does not have the DOMAIN_USER_RID_KRBTGT
         value as the RID.
      3. The userAccountControl attribute value does NOT contain
         UF_PASSWD_NOTREQD.
      4. The Effective-MinimumPasswordLength attribute value
         (see section 3.1.1.5) is greater than 0.
      5. The requesting protocol message is a password change
         (as compared to a password set).
   2. Constraint:
      At least one of dbcsPwd or unicodePwd MUST be nonzero-length and equal to
      a value other than the hash of a zero-length string.

2. Minimum Password Age Constraint: If all of the following conditions are
   true, the following constraint MUST be satisfied:
   1. Conditions:
      1. The userAccountControl attribute contains UF_NORMAL_ACCOUNT.
      2. At least one of the dbcsPwd or unicodePwd attribute values is present
         and not equal to a hash value of a zero-length string.
   2. Constraint:
      The pwdLastSet attribute MUST be less than the current time plus the
      value of the Effective-MinimumPasswordAge attribute (see section 3.1.1.5).

3. Password History Length Constraint: If all of the following conditions
   are true, the following constraints MUST be satisfied:
   1. Conditions:
      1. The userAccountControl attribute contains UF_NORMAL_ACCOUNT.
      2. objectSid does not have the DOMAIN_USER_RID_KRBTGT value as the RID.
      3. userAccountControl does NOT contain UF_PASSWD_NOTREQD.
      4. minPwdHistory on the account domain object is greater than 0.
      5. The requesting protocol message is a password change
         (as compared to a password set).
   2. Constraints:
      1. If the unicodePwd attribute is being updated, the value of the
         unicodePwd MUST NOT be present in the first N hashes stored in the
         ntPwdHistory attribute value, where N is the value of the
         Effective-PasswordHistoryLength attribute (see section 3.1.1.5). For
         details on how ntPwdHistory is maintained, see section 3.1.1.9.1.
      2. If the dbcsPwd attribute is being updated, the value of the dbcsPwd
         MUST NOT be present in the first N hashes stored in the lmPwdHistory
         attribute value, where N is the value of the
         Effective-PasswordHistoryLength attribute (see section 3.1.1.5). For
         details on how lmPwdHistory is maintained, see section 3.1.1.9.1.
Please let me know if I can be of further help.
Thanks!
Sebastian Canevari
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: [EMAIL PROTECTED]
We're hiring
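To make the three constraints quoted above concrete for a unicodePwd update, here is an added model of the checks (example code, not taken from the MS-ADTS document or from Samba). The Account and Policy structures, the SHA-256 stand-in for the NT hash, and the sample values are constructed assumptions; the flag bits and the krbtgt RID are the documented constants.

```python
import hashlib
from dataclasses import dataclass, field

UF_PASSWD_NOTREQD = 0x0020     # userAccountControl flag bits (MS-ADTS)
UF_NORMAL_ACCOUNT = 0x0200
DOMAIN_USER_RID_KRBTGT = 502   # RID of the krbtgt account

def nt_hash(password: str) -> bytes:
    # Stand-in for the NT hash (assumption: SHA-256 over UTF-16LE instead of MD4,
    # since hashlib MD4 is often unavailable; the policy only compares hashes).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

HASH_OF_EMPTY = nt_hash("")    # "hash of a zero-length string" in the spec text

@dataclass
class Account:                 # constructed model, not an AD schema object
    user_account_control: int
    rid: int
    pwd_last_set: int          # pwdLastSet as 100ns ticks
    nt_pwd_history: list = field(default_factory=list)  # ntPwdHistory, newest first

@dataclass
class Policy:                  # the Effective-* values from section 3.1.1.5
    min_pwd_length: int
    min_pwd_age: int           # stored as a negative 100ns interval
    pwd_history_length: int

def check_unicode_pwd(acct: Account, pol: Policy, new_hash: bytes,
                      now: int, is_change: bool) -> list:
    """Return the names of violated constraints for a unicodePwd update ([] = accepted)."""
    normal = bool(acct.user_account_control & UF_NORMAL_ACCOUNT)
    # krbtgt and UF_PASSWD_NOTREQD accounts skip the length and history checks only.
    exempt = (acct.rid == DOMAIN_USER_RID_KRBTGT
              or bool(acct.user_account_control & UF_PASSWD_NOTREQD))
    violated = []
    # 1. Minimum length: a password change may not set the empty-string hash.
    if normal and not exempt and pol.min_pwd_length > 0 and is_change:
        if new_hash == HASH_OF_EMPTY:
            violated.append("minimum length")
    # 2. Minimum age: applies to changes and sets alike once a real hash is present;
    #    min_pwd_age is negative, so pwdLastSet must predate now + min_pwd_age.
    if normal and new_hash != HASH_OF_EMPTY:
        if not acct.pwd_last_set < now + pol.min_pwd_age:
            violated.append("minimum age")
    # 3. History: the new hash may not appear among the first N stored hashes.
    if normal and not exempt and pol.pwd_history_length > 0 and is_change:
        if new_hash in acct.nt_pwd_history[:pol.pwd_history_length]:
            violated.append("password history")
    return violated
```

Run against an account with UF_PASSWD_NOTREQD set, the model shows what the quoted text implies: that flag only lifts the length and history constraints, so an empty password passes, while the minimum-age constraint still applies to any non-empty password.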
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Bartlett
Sent: Thursday, September 04, 2008 10:13 PM
To: Interoperability Documentation Help
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [cifs-protocol] Meaning of ACB_PWNOTREQ / UF_PASSWD_NOTREQD
In Samba4, we map the userAccountControl flag UF_PASSWD_NOTREQD to the SAMR
flag ACB_PWNOTREQ, and we use this to indicate 'no password (or any
password) required for this account'.
That is, when this flag is set, and NULL passwords are permitted (as a global
setting 'null passwords = yes' in the smb.conf), we allow any password to
operate/log in to the marked account.
However, I'm not sure if this is the meaning Microsoft assigns to this flag.
Could you please clarify AD's behaviour in the situation where this flag is set
on a user account?
If this is not the correct way to handle 'no password required for logon', is
there another way to indicate this?
Thanks,
(I want to get this right, or else migrations from Windows domains might open a
security hole)
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol