Bug 13378 - dsheuristics not honoured for search on userPassword
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.8.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2018-04-11 11:00 UTC by Andrew Bartlett
Modified: 2018-04-11 12:12 UTC
Description Andrew Bartlett 2018-04-11 11:00:20 UTC
userPassword is allowed in AD in two modes:
 - a normal, PUBLIC attribute
 - a gateway to the AD password

dsheuristics controls that, with the value 000000001 meaning that userPassword is a gateway to the AD password.

For writes, Samba behaves correctly all the time.

For reads, Samba always behaves as if dsheuristics was not set, or was set to 0.
Comment 1 Andrew Bartlett 2018-04-11 11:01:12 UTC
To be clear, at no time is the AD password or anything related to it exposed by this.
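
An added example, not Samba code and not part of the bug report: a small audit helper that decides from a dsheuristics value whether userPassword is in gateway mode, then flags search results that still return the attribute in that mode. It assumes the flag is the 9th character, that any value other than 0 or 2 enables the gateway (my reading of MS-ADTS), and that gateway mode should return no userPassword values on reads; the entries are constructed sample data.

```python
# Added example: not Samba code. Sample entries below are constructed.
USER_PWD_SUPPORT_POS = 9  # 1-based position of the flag in dsheuristics (assumption)


def userpassword_is_gateway(dsheuristics):
    """Return True if userPassword acts as a gateway to the AD password."""
    if dsheuristics is None or len(dsheuristics) < USER_PWD_SUPPORT_POS:
        return False  # unset or too short: userPassword is a normal attribute
    flag = dsheuristics[USER_PWD_SUPPORT_POS - 1]
    # Assumption: '0' and '2' both mean "normal attribute"; anything else
    # enables gateway mode.
    return flag not in ("0", "2")


def audit_search_results(dsheuristics, entries):
    """List DNs whose search result carries userPassword in gateway mode."""
    if not userpassword_is_gateway(dsheuristics):
        return []  # normal-attribute mode: returning userPassword is expected
    findings = []
    for dn, attrs in entries:
        # LDAP attribute names are case-insensitive, so compare lowercased.
        if any(name.lower() == "userpassword" and values
               for name, values in attrs.items()):
            findings.append(dn)
    return findings


# Constructed search results: (DN, {attribute: [values]})
SAMPLE_ENTRIES = [
    ("CN=alice,CN=Users,DC=example,DC=com",
     {"cn": [b"alice"], "userPassword": [b"legacy-value"]}),
    ("CN=bob,CN=Users,DC=example,DC=com", {"cn": [b"bob"]}),
    ("CN=carol,CN=Users,DC=example,DC=com",
     {"cn": [b"carol"], "USERPASSWORD": [b"x"]}),
]

if __name__ == "__main__":
    for value in (None, "000000001", "000000000", "000000002"):
        print(value, userpassword_is_gateway(value),
              audit_search_results(value, SAMPLE_ENTRIES))
```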