On 23.06.2010 09:08, Matthias Dieter Wallnöfer wrote:
> Hi metze,
>
> I reject it when the lanman auth is deactivated. But otherwise it should
> be enabled (think of "dcesrv_samr_ChangeOemPassword2" which manipulates
> only the lanman hash - tested using the passwords torture test).
> Therefore it should also be valid to have only a "dBCSPwd" attribute in
> the DB (I also read the MS-SAMR documentation and this seems possible).
> But this patch prevents a change which would delete all password
> attributes - which is fatal.
I just noticed this:
- if (!lp_lanman_auth(lp_ctx)) {
- ldb_asprintf_errstring(ldb,
- "check_password_restrictions: "
- "The password change through the
LM hash is deactivated!");
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
and didn't realize that this check was implicitly re-added by this:
+ /* refuse the change if someone tries to set/change the password by
+ * the lanman hash alone and we've deactivated that mechanism. This
+ * would end in an account without any password! */
+ if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
+ && (!io->n.nt_hash) && (!io->n.lm_hash)) {
+ ldb_asprintf_errstring(ldb,
+ "setup_io: "
+ "The password change/set operations performed
using the LAN Manager hash alone are deactivated!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
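Review bot: the condition `if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16) && (!io->n.nt_hash) && (!io->n.lm_hash))` fires whenever no password material is present at all, while the comment above it and the error string speak only of a change "using the LAN Manager hash alone". The two agree only if the lm_hash has already been dropped earlier in setup_io when lanman auth is disabled, and a reader of this hunk alone cannot see that. Consider either checking that case explicitly (for instance `!lp_lanman_auth(lp_ctx)` next to the lm_hash test, as the removed check did) or wording the message to cover the general "no password supplied" case, so that a request carrying no password at all does not receive a misleading LM-specific error.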
metze