Hi metze,
I reject it when the lanman auth is deactivated. But otherwise it should
be enabled (think of "dcesrv_samr_ChangeOemPassword2" which manipulates
only the lanman hash - tested using the passwords torture test).
Therefore it should also be valid to have only a "dBCSPwd" attribute in
the DB (I read also the MS-SAMR documentation and this seems possible).
But this patch prevents a change which would delete all password
attributes - which is fatal.
This work is still not complete since there are some outstanding
differences in behaviour s4 <-> torture SAMR passwords.
Matthias
Stefan (metze) Metzmacher wrote:
> Hi Matthias,
>
> commit 0e637be43b584aef9f5101d15ae5bdc1172c5502
> Author: Matthias Dieter Wallnöfer<[email protected]>
> Date: Mon Jun 21 19:40:50 2010 +0200
>
>     s4:password_hash LDB module - fix another problem regarding the lanman hash
>
>     When a user only provides only the lanman hash (and nothing else) and the
>     lanman authentication is deactivated then we end in an account with no
>     password attribute at all! Lock this down.
>
> I think the correct behavior is to reject the password change in that case.
>
> metze