On Thu, Apr 3, 2008 at 8:17 PM, Ryan Steele rsteele@archer-group.com wrote:
> Howard and others,
> Let me ask two theoretical questions, before I submit my comments below. Windows XP/2000/et al. send their passwords via SMB hashed.
For authentication (broadly speaking, as AFAIK a challenge and response is sent, I don't think the hashes are sent directly over the wire) yes, for password changes, no.
> So, without configuring those workstations to send the passwords plaintext over the wire, is there any way for ppolicy to act on the ldapmodify initiated by Samba from Windows clients attempting to change their passwords?
Samba can already generate different (incompatible) hashes, or run the password program, so it must have the clear text at this point. Whether it supplies the clear text to OpenLDAP or not is the issue (and I haven't had time to check myself yet, and can't remember off-hand). If it does not, it would be worthwhile requesting an option enabling this (or, support for changing with an ldap password change extended operation). I note that Heimdal would benefit from a similar option as well (which I will take up on the Heimdal list).
> Furthermore, if the above change is made so that ppolicy can evaluate the plaintext password, what exactly will the interaction between LDAP and the clients be if it fails to clear ppolicy constraints?
slapd will fail the operation, with a suitable error code and error text. Whether samba will send a useful error to the client (so that the client workstation displays an appropriate error message) is the next question.
The third question is, what will happen to the samba password expiry attributes, for both the case of changing via samba (should be fine) and changing via ldap (won't be updated, samba passwords will still appear to be expired). I also haven't had a chance to look at fixing that (and again, the Heimdal equivalent also applies).
Regards, Buchan
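The distinction the thread turns on is what slapd actually receives: an ldapmodify that replaces sambaNTPassword with a precomputed hash gives ppolicy nothing to evaluate, while the LDAP Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1) carries the new password in the clear inside the request value, so a policy such as ppolicy's pwdMinLength can be applied. The following is an added, stand-alone example written for this thread, not code from Samba, OpenLDAP or Heimdal: it hand-encodes the RFC 3062 request value in BER, decodes it the way a server would, and runs a minimum-length check over the decoded newPasswd field. The sample DN and passwords are constructed; `check_min_length` is a hypothetical stand-in for the corresponding ppolicy check, not its real implementation.

```python
"""
Constructed example: encode and decode the value of an RFC 3062 LDAP Password
Modify extended operation, then apply a pwdMinLength-style check to the
cleartext newPasswd it carries. A modify of sambaNTPassword (a hash) would
give such a check nothing to measure, which is the ppolicy limitation
discussed above.
"""

PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"  # passwd modify exop, RFC 3062

# Context-specific primitive tags from the RFC 3062 ASN.1:
#   userIdentity [0], oldPasswd [1], newPasswd [2]
_TAG_USER, _TAG_OLD, _TAG_NEW = 0x80, 0x81, 0x82
_TAG_SEQUENCE = 0x30


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value triple."""
    return bytes([tag]) + _ber_length(len(payload)) + payload


def encode_passwd_modify(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """Build PasswdModifyRequestValue; every field is OPTIONAL per RFC 3062."""
    inner = b""
    for tag, value in ((_TAG_USER, user_identity),
                       (_TAG_OLD, old_passwd),
                       (_TAG_NEW, new_passwd)):
        if value is not None:
            inner += _tlv(tag, value.encode("utf-8"))
    return _tlv(_TAG_SEQUENCE, inner)


def _read_tlv(data: bytes, pos: int):
    """Return (tag, payload, next_pos) for the TLV starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_passwd_modify(data: bytes) -> dict:
    """Parse the request value back into its named fields (what slapd sees)."""
    tag, inner, end = _read_tlv(data, 0)
    if tag != _TAG_SEQUENCE or end != len(data):
        raise ValueError("not a PasswdModifyRequestValue")
    names = {_TAG_USER: "userIdentity", _TAG_OLD: "oldPasswd", _TAG_NEW: "newPasswd"}
    fields, pos = {}, 0
    while pos < len(inner):
        tag, payload, pos = _read_tlv(inner, pos)
        if tag not in names:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        fields[names[tag]] = payload.decode("utf-8")
    return fields


def check_min_length(request_value: bytes, pwd_min_length: int) -> bool:
    """
    Hypothetical stand-in for ppolicy's pwdMinLength check: it works only
    because the exop hands the server the cleartext newPasswd.
    """
    fields = decode_passwd_modify(request_value)
    return len(fields.get("newPasswd", "")) >= pwd_min_length


if __name__ == "__main__":
    # Constructed sample values; the DN does not refer to a real directory.
    req = encode_passwd_modify(
        user_identity="uid=rsteele,ou=people,dc=example,dc=com",
        old_passwd="old",
        new_passwd="correct horse",
    )
    print(req.hex())
    print(decode_passwd_modify(req))
    print("meets pwdMinLength 8:", check_min_length(req, 8))
```

When the check fails, a real slapd rejects the extended operation with an error result rather than storing the value; whether Samba relays that error so the Windows client shows something meaningful is the open question raised in the thread above.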