Re: smbk5pwd and ppolicy working together

On Thu, Apr 3, 2008 at 8:17 PM, Ryan Steele <rsteele@archer-group.com> wrote:
> Howard and others,
>  Let me ask two theoretical questions, before I submit my comments
>  below.  Windows XP/2000/et al. send their passwords via SMB hashed.

For authentication (broadly speaking, as AFAIK a challenge and
response is sent, I don't think the hashes are sent directly over the
wire) yes, for password changes, no.

>  So, without configuring those workstations to send the passwords
>  plaintext over the wire, is there any way for ppolicy to act on the
>  ldapmodify initiated by Samba from Windows clients attempting to change
>  their passwords?

Samba can already generate different (incompatible) hashes, or run the
password program, so it must have the clear text at this point.
Whether it supplies the clear text to OpenLDAP or not is the issue
(and I haven't had time to check myself yet, and can't remember
off-hand). If it does not, it would be worthwhile requesting an option
enabling this (or, support for changing with an ldap password change
extended operation). I note that Heimdal would benefit from a similar
option as well (which I will take up on the Heimdal list).

>  Furthermore, if the above change is made so that ppolicy can evaluate
>  the plaintext password, what exactly will the interaction between LDAP
>  and the clients be if it fails to clear ppolicy constraints?

slapd will fail the operation, with a suitable error code and error
text. Whether samba will send a useful error to the client (so that
the client workstation displays an appropriate error message) is the
next question.

The third question is, what will happen to the samba password expiry
attributes, for both the case of changing via samba (should be fine)
and changing via ldap (won't be updated, samba passwords will still
appear to be expired). I also haven't had a chance to look at fixing
that (and again, the Heimdal equivalent also applies).
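The combination the thread is circling around, as an added example (this is not configuration from the thread, from Samba or from the OpenLDAP project): a slapd.conf fragment that stacks the ppolicy overlay with smbk5pwd so that a password arriving in clear text through the LDAP Password Modify extended operation (RFC 3062) is checked against the policy and, if accepted, also turned into the Samba NT/LM hashes. The suffix, rootdn, policy DN and module path are placeholders, and the relative order of the two overlays is my assumption (overlays listed later in slapd.conf are invoked first on an incoming operation).

```conf
# Added example (not from the thread): slapd.conf fragment for a database
# holding both POSIX/Samba and Kerberos accounts.  DNs and paths are
# placeholders.
modulepath      /usr/lib/ldap
moduleload      ppolicy.la
moduleload      smbk5pwd.la

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"

# Password policy overlay.  It can only judge quality (length, history,
# dictionary checks via pwdCheckModule) when the new userPassword arrives
# in clear text: a Password Modify extended operation, or a plain modify
# of userPassword with an unhashed value.  A value that is already hashed
# by the client passes through unchecked.
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
# Hash the clear text ourselves before storing it, so clients need not
# (and should not) pre-hash; ppolicy still sees the clear text first.
ppolicy_hash_cleartext

# smbk5pwd intercepts the same Password Modify exop and derives the
# sambaNTPassword / sambaLMPassword (and krb5Key) attributes from the
# clear text, and updates the Samba password-age attributes alongside
# userPassword.  Listed after ppolicy, so it sees the operation first
# (assumed ordering; adjust if your build behaves otherwise).
overlay         smbk5pwd
smbk5pwd-enable samba
smbk5pwd-enable krb5
```

If ppolicy rejects the change, slapd returns the error to whoever issued the extended operation; what the end user sees then depends on the caller translating that error, which is the open question in the reply above. On the Samba side, the `ldap passwd sync` smb.conf parameter controls whether Samba sends the clear text through the Password Modify extended operation rather than writing its own hashes.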