The Samba-Bugzilla – Bug 12020
Unable to enforce password history policy on password resets
Last modified: 2016-07-21 03:23:27 UTC
We are using Samba as a user directory for our application. Passwords are
stored in unicodePwd attribute, and our application resets passwords
through LDAP (without the knowledge of the previous password, because it's
an email-based reset).
Unfortunately resetting it like this prevents the "password history" policy
enforcement. This is a security problem that will come up on the first
Microsoft recognised this is a problem and in Windows 2008 R2 SP1
introduced a supportedControl on RootDSE:
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.1135126.96.36.1996), later
LDAP_SERVER_POLICY_HINTS_OID (1.2.840.1135188.8.131.529), which enables such
password history enforcement on LDAP password resets.
Garming has suggested a way to approach this here: https://lists.samba.org/archive/samba/2016-July/201208.html
Created attachment 12283 [details]
a work in progress patch for this
This is a patch I knocked up for this. It passes our own tests, but I've not tested against windows yet.
We may choose not to implement the _DEPRICATED OID in the end.
It needs a tidy up regarding names etc, and to check the flags in the password_hash code.