Bug 12751 - Allow passing trusted domain password as plain-text to PASSDB layer
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.6.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2017-04-21 07:41 UTC by Alexander Bokovoy
Modified: 2017-05-02 07:32 UTC

See Also:

patch for 4.6 branch (8.93 KB, patch)
2017-04-21 07:45 UTC, Alexander Bokovoy
asn: review+

Description Alexander Bokovoy 2017-04-21 07:41:06 UTC
_netr_ServerPasswordSet2: use info level 26 to set plain text machine password

To support password change for machine or trusted domain accounts in an Active
Directory environment we need to pass down the actual plain text password
instead of NT hashes. This would allow a backend like ipasam to update
Kerberos keys as well as NT hashes.

By calling samr_SetUserInfo2 info level 26 we ensure the PASSDB layer can
actually get the plain text password. If the PASSDB backend implements
the pdb_update_sam_account() callback, it then gets the plain text password
from samr_SetUserInfo2.
Comment 1 Alexander Bokovoy 2017-04-21 07:45:02 UTC
Created attachment 13166
patch for 4.6 branch

Patch for 4.6 attached.
Comment 2 Andreas Schneider 2017-04-21 09:51:35 UTC
Karolin, please add the patchset to 4.6. Thanks.
Comment 3 Karolin Seeger 2017-04-28 07:12:14 UTC
(In reply to Andreas Schneider from comment #2)
Pushed to autobuild-v4-6-test.
Comment 4 Karolin Seeger 2017-05-02 07:32:55 UTC
(In reply to Karolin Seeger from comment #3)
Pushed to v4-6-test.
Closing out bug report.