Bug 12020 - Unable to enforce password history policy on password resets
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.4.4
Hardware: All Linux
Importance: P5 normal with 1 vote
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2016-07-13 21:15 UTC by mateusz
Modified: 2026-01-15 04:37 UTC
CC: 6 users

See Also:


Attachments
a work in progress patch for this (10.67 KB, patch)
2016-07-21 03:23 UTC, Andrew Bartlett
no flags
patch for 4.22 and 4.23 (38.91 KB, patch)
2026-01-15 03:17 UTC, Douglas Bagnall
gary: review+
dbagnall: ci-passed+

Description mateusz 2016-07-13 21:15:28 UTC
We are using Samba as a user directory for our application. Passwords are
stored in unicodePwd attribute, and our application resets passwords
through LDAP (without the knowledge of the previous password, because it's
an email-based reset).

Unfortunately resetting it like this prevents the "password history" policy
enforcement. This is a security problem that will come up on the first
security audit.

Microsoft recognised this is a problem and in Windows 2008 R2 SP1
introduced a supportedControl on RootDSE:
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later
LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which enables such
password history enforcement on LDAP password resets.

Garming has suggested a way to approach this here: https://lists.samba.org/archive/samba/2016-July/201208.html
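As an added illustration of the control the report refers to (this is example code written for this page, not code from the reporter, the Samba project, or the patches attached below), the following builds the LDAP_SERVER_POLICY_HINTS request value and the unicodePwd reset value by hand, so an application that resets passwords over LDAP can ask the directory to apply password policy (including history) to the reset. The OID is taken from the report; the layout of the request value (a BER SEQUENCE holding one INTEGER, with the value 1 meaning "enforce policy") is how MS-ADTS documents the control and is assumed here, as is the (oid, criticality, value) tuple shape, which matches what the ldap3 library's `modify(..., controls=[...])` accepts.

```python
"""Build the policy-hints control and a unicodePwd reset for an LDAP Modify.

Added example; not part of the Samba bug report or the Samba code base.
"""

# OID from the bug report. The request value layout (SEQUENCE { Flags INTEGER })
# and the meaning of Flags == 1 (enforce password policy on this set/reset)
# follow MS-ADTS and are an assumption of this example, not stated on the page.
LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"


def ber_length(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER (tag 0x02) with a minimal two's-complement body."""
    if value < 0:
        raise ValueError("only non-negative flag values are used here")
    # One extra byte is needed when the top bit of the magnitude is set,
    # otherwise the value would decode as negative.
    length = max(1, (value.bit_length() + 8) // 8)
    body = value.to_bytes(length, "big", signed=True)
    return b"\x02" + ber_length(len(body)) + body


def ber_sequence(*elements: bytes) -> bytes:
    """Encode a SEQUENCE (tag 0x30) of already-encoded elements."""
    body = b"".join(elements)
    return b"\x30" + ber_length(len(body)) + body


def policy_hints_control(enforce: bool = True, critical: bool = True):
    """Return (oid, criticality, value) for the policy-hints control.

    Marking the control critical is deliberate: per RFC 4511 a server that does
    not recognise a critical control must fail the operation, so a directory
    without support for this control refuses the reset instead of silently
    applying it with no history check.
    """
    value = ber_sequence(ber_integer(1 if enforce else 0))
    return (LDAP_SERVER_POLICY_HINTS_OID, critical, value)


def unicode_pwd_value(password: str) -> bytes:
    """unicodePwd is written as the password in double quotes, UTF-16LE, no BOM."""
    return f'"{password}"'.encode("utf-16-le")


def password_reset_modify(dn: str, new_password: str, enforce_history: bool = True) -> dict:
    """Assemble the pieces of a Modify request that replaces unicodePwd and
    carries the policy-hints control; the caller passes them to its LDAP client
    (with ldap3: conn.modify(dn, changes, controls=controls), an assumption)."""
    return {
        "dn": dn,
        "changes": {"unicodePwd": [("MODIFY_REPLACE", [unicode_pwd_value(new_password)])]},
        "controls": [policy_hints_control(enforce=enforce_history)],
    }


if __name__ == "__main__":
    # Constructed sample values; no directory is contacted.
    req = password_reset_modify("CN=alice,CN=Users,DC=example,DC=test", "N3w-Example!")
    print(req["controls"][0][2].hex())   # 3003020101
    print(req["changes"]["unicodePwd"][0][1][0][:8])
```

Before relying on the control, check that the directory advertises the OID in the RootDSE `supportedControl` attribute; Samba versions without the fix tracked in this bug will reject a critical control they do not support, which is the safe failure mode for a reset flow that must honour password history.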
Comment 1 Andrew Bartlett 2016-07-21 03:23:27 UTC
Created attachment 12283 [details]
a work in progress patch for this

This is a patch I knocked up for this.  It passes our own tests, but I've not tested against windows yet. 

We may choose not to implement the _DEPRECATED OID in the end.

It needs a tidy up regarding names etc, and to check the flags in the password_hash code.
Comment 2 Daniele Palumbo 2018-10-17 10:31:41 UTC
Hi,

Any comment on the patch?
Does this seem valuable?
Any plan to implement it?

Thank you very much,
Comment 3 Andrew Bartlett 2018-10-17 10:33:42 UTC
This turned out to be a bit more complex than we imagined, so it never made it in.

I can't remember the details, I expect it didn't actually pass our own tests.
Comment 4 Douglas Bagnall 2025-10-08 22:53:51 UTC
https://lists.samba.org/archive/samba/2024-August/249724.html notes that Keycloak uses this.

The Microsoft dochelp team are looking into the meaning of this for us in
https://lists.samba.org/archive/cifs-protocol/2025-September/004589.html
Comment 5 Samba QA Contact 2026-01-15 02:51:04 UTC
This bug was referenced in samba master:

49001e81589e8b5e4437b45f25622b07eecc95a5
b003beb85a648eae5bfe7e38362abd8d798e8f86
aff40feb3d749f019b1c96ba90342a10ae721a7f
d588c7969ee7586d2f76cb1a66b542c63fe7d154
0da540f4d8323fb78ba25bedec9fbef5dddd43bf
cdf2defdc573a01b8308dd1710a73bb2a4e088bb
e1188962aa9cec9ab6cf2f4ddaaf19dce858d2dd
04039fdd835690f636906fb58743ff6f91451de8
Comment 6 Douglas Bagnall 2026-01-15 03:17:40 UTC
Created attachment 18800 [details]
patch for 4.22 and 4.23