Bug 12020 - Unable to enforce password history policy on password resets
Summary: Unable to enforce password history policy on password resets
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.4.4
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-07-13 21:15 UTC by mateusz
Modified: 2020-10-07 11:32 UTC (History)
4 users (show)

See Also:

a work in progress patch for this (10.67 KB, patch)
2016-07-21 03:23 UTC, Andrew Bartlett
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description mateusz 2016-07-13 21:15:28 UTC
We are using Samba as a user directory for our application. Passwords are
stored in unicodePwd attribute, and our application resets passwords
through LDAP (without the knowledge of the previous password, because it's
an email-based reset).

Unfortunately resetting it like this prevents the "password history" policy
enforcement. This is a security problem that will come up on the first
security audit.

Microsoft recognised this is a problem and in Windows 2008 R2 SP1
introduced a supportedControl on RootDSE:
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later
LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which enables such
password history enforcement on LDAP password resets.

Garming has suggested a way to approach this here: https://lists.samba.org/archive/samba/2016-July/201208.html
Comment 1 Andrew Bartlett 2016-07-21 03:23:27 UTC
Created attachment 12283 [details]
a work in progress patch for this

This is a patch I knocked up for this.  It passes our own tests, but I've not tested against windows yet. 

We may choose not to implement the _DEPRICATED OID in the end.

It needs a tidy up regarding names etc, and to check the flags in the password_hash code.
Comment 2 Daniele Palumbo 2018-10-17 10:31:41 UTC

Any comment on the patch?
Does this seems valuable?
Any plan to implement it?

Thank you very much,
Comment 3 Andrew Bartlett 2018-10-17 10:33:42 UTC
This turned out to be a bit more complex than we imagined, so it never made it in.

I can't remember the details, I expect it didn't actually pass our own tests.