On 23.06.2010 09:08, Matthias Dieter Wallnöfer wrote:
> Hi metze,
>
> I reject it when the lanman auth is deactivated. But otherwise it should
> be enabled (think at "dcesrv_samr_ChangeOemPassword2" which manipulates
> only the lanman hash - tested using the passwords torture test).
> Therefore it should also be valid to have only a "dBCSPwd" attribute in
> the DB (I read also the MS-SAMR documentation and this seems possible).
> But this patch prevents a change which would delete all password
> attributes - which is fatal.
I just noticed this:

- if (!lp_lanman_auth(lp_ctx)) {
- ldb_asprintf_errstring(ldb,
- "check_password_restrictions: "
- "The password change through the LM hash is deactivated!");
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }

and didn't realize that this check was implicitly re-added by this:

+ /* refuse the change if someone tries to set/change the password by
+ * the lanman hash alone and we've deactivated that mechanism. This
+ * would end in an account without any password! */
+ if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
+ && (!io->n.nt_hash) && (!io->n.lm_hash)) {
+ ldb_asprintf_errstring(ldb,
+ "setup_io: "
+ "The password change/set operations performed using the LAN Manager hash alone are deactivated!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+

metze
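Review bot: the condition in the added hunk reproduces the removed lp_lanman_auth() check only indirectly. It refuses the operation when cleartext_utf8, cleartext_utf16, nt_hash and lm_hash are all absent, so an LM-hash-only change is rejected only if io->n.lm_hash has already been dropped earlier in setup_io when lanman auth is off; the comment and the error string speak of the LAN Manager mechanism being deactivated, but nothing in the visible condition tests that. Either keep an explicit `!lp_lanman_auth(lp_ctx)` term in the condition, or extend the comment to name the point where lm_hash is cleared, so the dependency is not silent. Note also that the error text now carries the "setup_io: " prefix instead of "check_password_restrictions: ", so the rejection is reported from a different stage than before.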