Bug 12020 - Unable to enforce password history policy on password resets
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Hardware: All
OS: Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-07-13 21:15 UTC by mateusz
Modified: 2016-07-21 03:23 UTC (History)

See Also:

Attachments:
Attachment 12283: a work in progress patch for this (10.67 KB, patch), 2016-07-21 03:23 UTC, Andrew Bartlett, no flags

Description mateusz 2016-07-13 21:15:28 UTC
We are using Samba as a user directory for our application. Passwords are
stored in unicodePwd attribute, and our application resets passwords
through LDAP (without the knowledge of the previous password, because it's
an email-based reset).

Unfortunately resetting it like this prevents the "password history" policy
enforcement. This is a security problem that will come up on the first
security audit.

Microsoft recognised this is a problem and in Windows 2008 R2 SP1
introduced a supportedControl on RootDSE:
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later
LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which enables such
password history enforcement on LDAP password resets.

Garming has suggested a way to approach this here: https://lists.samba.org/archive/samba/2016-July/201208.html
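As an added illustration (not part of the bug report or of the Samba patch), the following Python builds the request control and the unicodePwd modify that an application doing an administrative reset would send, and refuses the reset when RootDSE advertises neither OID, so a reset can never silently bypass the history check. The control value layout (SEQUENCE { Flags INTEGER }, Flags = 1 meaning "apply password policy to this reset") follows MS-ADTS; the returned dict mirrors the arguments of ldap3's Connection.modify(dn, changes, controls) and is an assumption about how a caller would pass it on.

```python
from typing import Iterable, Optional

# OIDs quoted in the bug report
LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"

# MS-ADTS: PolicyHintsRequestValue ::= SEQUENCE { Flags INTEGER }.
# Flags = 1 asks the DC to apply password policy (history, minimum age)
# to an administrative reset, which it would otherwise skip.
POLICY_HINTS_ENFORCE_FLAG = 1


def ber_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER (enough for a small flags word)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + bytes([len(body)]) + body


def ber_sequence(content: bytes) -> bytes:
    """DER SEQUENCE with short-form length (all this control ever needs)."""
    assert len(content) < 128
    return b"\x30" + bytes([len(content)]) + content


def policy_hints_control_value(flags: int = POLICY_HINTS_ENFORCE_FLAG) -> bytes:
    return ber_sequence(ber_integer(flags))


def choose_policy_hints_oid(supported_controls: Iterable[str]) -> Optional[str]:
    """Pick the control the server lists in RootDSE supportedControl,
    preferring the current OID; None means the server cannot policy-check
    the reset and the caller must not proceed unchecked."""
    supported = set(supported_controls)
    for oid in (LDAP_SERVER_POLICY_HINTS_OID, LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID):
        if oid in supported:
            return oid
    return None


def unicode_pwd_value(password: str) -> bytes:
    """unicodePwd replace value: new password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def build_reset(dn: str, password: str, supported_controls: Iterable[str]) -> dict:
    """Assemble a policy-checked reset; criticality True makes a server that
    does not honour the control reject the whole operation (fail closed)."""
    oid = choose_policy_hints_oid(supported_controls)
    if oid is None:
        raise RuntimeError("server does not advertise policy hints; refusing unchecked reset")
    return {
        "dn": dn,
        "changes": {"unicodePwd": [("MODIFY_REPLACE", [unicode_pwd_value(password)])]},
        "controls": [(oid, True, policy_hints_control_value())],
    }
```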
Comment 1 Andrew Bartlett 2016-07-21 03:23:27 UTC
Created attachment 12283 [details]
a work in progress patch for this

This is a patch I knocked up for this.  It passes our own tests, but I've not tested against windows yet. 

We may choose not to implement the _DEPRECATED OID in the end.

It needs a tidy up regarding names etc, and to check the flags in the password_hash code.