13378 – dsheuristics not honoured for search on userPassword

Bug 13378 - dsheuristics not honoured for search on userPassword

Summary: dsheuristics not honoured for search on userPassword

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.8.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-04-11 11:00 UTC by Andrew Bartlett
Modified:	2018-04-11 12:12 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Bartlett 2018-04-11 11:00:20 UTC

userPassword is allowed in AD in two modes:
 - a normal, PUBLIC attribute
 - a gateway to the AD password

dsheuristics controls that, with the value 000000001 meaning that userPassword is a gateway to the AD password.

For writes, Samba behaves correctly all the time.

For reads, Samba always behaves as if dsheuristics was not set, or was set to 0.

Comment 1 Andrew Bartlett 2018-04-11 11:01:12 UTC

To be clear, at no time is the AD password or anything related to it exposed by this.