The Samba-Bugzilla – Bug 12020
Unable to enforce password history policy on password resets
Last modified: 2018-10-17 10:33:42 UTC
We are using Samba as a user directory for our application. Passwords are
stored in unicodePwd attribute, and our application resets passwords
through LDAP (without the knowledge of the previous password, because it's
an email-based reset).
Unfortunately resetting it like this prevents the "password history" policy
enforcement. This is a security problem that will come up on the first
Microsoft recognised this is a problem and in Windows 2008 R2 SP1
introduced a supportedControl on RootDSE:
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.1135220.127.116.116), later
LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113518.104.22.1689), which enables such
password history enforcement on LDAP password resets.
Garming has suggested a way to approach this here: https://lists.samba.org/archive/samba/2016-July/201208.html
Created attachment 12283 [details]
a work in progress patch for this
This is a patch I knocked up for this. It passes our own tests, but I've not tested against windows yet.
We may choose not to implement the _DEPRICATED OID in the end.
It needs a tidy up regarding names etc, and to check the flags in the password_hash code.
Any comment on the patch?
Does this seems valuable?
Any plan to implement it?
Thank you very much,
This turned out to be a bit more complex than we imagined, so it never made it in.
I can't remember the details, I expect it didn't actually pass our own tests.