Sun One Directory Server does not support LDAP_EXOP_MODIFY_PASSWD. Samba cannot change the userPassword attribute for users who change their password by means of Ctrl+Alt+Del:

[2006/02/14 15:17:05, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1668)
  ldap password change requested, but LDAP server does not support it -- ignoring

The proposed patch allows changing userPassword via a simple smbldap_modify. Tested with Solaris 9/04 + Sun One Directory Server 5.2.

userPassword before change:

# ldapsearch -b 'dc=komi,dc=nw,dc=mts,dc=ru' -D 'cn=Directory Manager' '(uid=tiamat)' userpassword
Bind Password:
cn=Дейтер Александр Валериевич,ou=Отдел технического администрирования,ou=Блок п о эксплуатации ИТ,ou=People,dc=komi,dc=nw,dc=mts,dc=ru
userpassword={SSHA}kXH7DNwpp1Wmzmd2npbr5DMpalX3VrR/LhCZeA==

# smbpasswd -r sofia -U tiamat
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user tiamat on sofia.

userPassword after change:

# ldapsearch -b 'dc=komi,dc=nw,dc=mts,dc=ru' -D 'cn=Directory Manager' '(uid=tiamat)' userpassword
Bind Password:
cn=Дейтер Александр Валериевич,ou=Отдел технического администрирования,ou=Блок п о эксплуатации ИТ,ou=People,dc=komi,dc=nw,dc=mts,dc=ru
userpassword={SSHA}AfhEytZeIVe2Q34Zz5VojCX1JlliHwNEd2agIA==

samba log (log level = 2):

[2006/02/14 16:10:37, 2] lib/smbldap.c:smbldap_open_connection(758)
  smbldap_open_connection: connection opened
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tiamat
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2209)
  init_group_from_ldap: Entry found for group: 70513
[2006/02/14 16:10:37, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [tiamat] -> [tiamat] -> [tiamat] succeeded
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tiamat
[2006/02/14 16:10:37, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [tiamat] -> [tiamat] -> [tiamat] succeeded
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tiamat
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
  init_ldap_from_sam: Setting entry for user: tiamat
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1678)
  Successfully modify userPassword for user tiamat
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1889)
  ldapsam_update_sam_account: successfully modified uid = tiamat in the LDAP database
[2006/02/14 16:10:37, 2] smbd/server.c:exit_server(614)
  Closing connections

Thanks a lot!
Created attachment 1727: Proposed patch allowing changing userPassword via a simple smbldap_modify
Created attachment 1842: Patch for Samba-3.0.22
*** Bug 2326 has been marked as a duplicate of this bug. ***
There is another patch in bug 2326 to look at.
Created attachment 2183: Patch for Samba-3.0.23c
Ok - is this patch safe? It looks like it's doing a plaintext password set. Can we *do* that (and live securely?). Jerry or LDAP gurus please comment. I want a lot more explanation of ldap password setting before this one goes in, I think. Jeremy.
The LDAP server receives the clear-text password and stores it according to the password-hash option (OpenLDAP slapd.conf) or the "Password encryption" option (Sun One Directory Server). A simple test after a user changed the password from a Windows workstation:

$ ldapsearch -D 'cn=Directory Manager' -b ou=People,dc=komi,dc=nw,dc=mts,dc=ru -L '(uid=peal)' userPassword
Bind Password:
dn:: Y2490KLQvtC60LzQsNC60L7QstCwINCV0LLQs9C10L3QuNGPINCQ0LvQtdC60YHQsNC90LTR
 gNC+0LLQvdCwLG91PdCR0LvQvtC6INC+0YTQuNGB0L3Ri9GFINC/0YDQvtC00LDQtiDQuCDQvtCx
 0YHQu9GD0LbQuNCy0LDQvdC40Y8sb3U9UGVvcGxlLGRjPWtvbWksZGM9bncsZGM9bXRzLGRjPXJ1
userPassword: {SSHA}DlvX8nHdjhSHeNHhIN75Cw+POToREzBlBAa7MQ==

I.e. userPassword is hashed with the SSHA algorithm, not CLEARTEXT!

Thanks a lot!
(In reply to comment #6)
> Ok - is this patch safe? It looks like it's doing a plaintext password set.
> Can we *do* that (and live securely?).

We too found no other option to change passwords on SUN One. Maybe one could enable this code path with a special keyword:

  unsecure ldap password update = yes

Olaf
(In reply to comment #6)
> Ok - is this patch safe? It looks like it's doing a plaintext password set.
> Can we *do* that (and live securely?).
> Jerry or LDAP gurus please comment. I want a lot more explanation of ldap
> password setting before this one goes in I think.
> Jeremy.

If you consider it insecure to send the clear-text password over the network: LDAP traffic must be secured anyway. The NTLM hash and the LM hash must be considered equivalent to clear-text passwords, due to the way they are used in challenge-response authentication. Therefore access to the Samba LDAP backend must be secured via TLS. When Samba changes the LDAP password via the exop, the clear-text password is also transferred over the network.
> Mark Pröhl wrote:

I absolutely agree!
What happens with this patch? Will it be applied to some stable Samba release? The last version was added almost 10 months ago. I've just built Samba 3.0.25b and tried to get it working with Sun DS for 2 days before I found this patch exists... Could someone apply it to the Samba code, please?
The patch is problematic from my point of view: I'd like to see more references that say the LDAP server does reasonable things with a userPassword field being set as plain text. Leaving the plain text password in the database is nothing I like. Is this a standard LDAP way to set the password to the server-chosen hash? Second, with this uncertainty in mind: The same behaviour can perfectly be achieved with a simple unix password sync script. We put in the ldap changepw exop because that is not as obvious from the command line. Volker
I use Sun Java System Directory Server 5.2p4 and it encrypts clear-text passwords with the hash algorithm given in the password policy (local, or global in the absence of a local one). It defaults to SSHA encryption. I don't know if other LDAP servers do that. In Sun DS this is the only way you can change a user's password. My first attempt was to write a shell script that could be called in the unix passwd chat, but it didn't work in my environment (Solaris 10 + GNU). In the chat debug output I saw that the password chat was getting the phrase "could not read default terminal attributes on pty" as the first (and only) line. It seems that the call of the "tcgetattr" function failed for some reason... I intended to report it on bugzilla, but had no time to do more testing. Then I found this patch and it works perfectly for me.
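The two comments arguing that the plain modify is acceptable (the ldapsearch output showing an {SSHA} value, and the note that Sun DS hashes with the algorithm from its password policy, SSHA by default) both rest on one check an administrator can run after a test password change: is the stored userPassword a salted hash or the clear text? The following is an added example, not code from the bug thread or from Samba. It parses the RFC 2307-style "{SCHEME}data" value quoted in the bug report, reports the scheme and salt size, and verifies a candidate password against an SSHA value built from a constructed password and salt; the helper names and the constructed password are assumptions of this example.

```python
"""Inspect LDAP userPassword values: hashed vs. clear, and SSHA verification.

Added example, not from the Samba bug thread. Sun DS and OpenLDAP both store
SSHA as base64(sha1(password + salt) + salt); Sun DS uses an 8-byte salt,
OpenLDAP 4 bytes by default. The parser only trusts the length rule above.
"""
import base64
import hashlib
import hmac
import os

# userPassword value copied from the ldapsearch output in the bug report.
SAMBA_BUG_VALUE = "{SSHA}kXH7DNwpp1Wmzmd2npbr5DMpalX3VrR/LhCZeA=="

SHA1_LEN = 20


def parse_userpassword(value):
    """Return (scheme, digest, salt) for a '{SCHEME}data' userPassword value.

    A value without a scheme prefix, or with {CLEAR}, is stored clear; that is
    what a post-change check is meant to catch. For SSHA the decoded payload is
    the 20-byte SHA-1 digest followed by the salt.
    """
    if not value.startswith("{") or "}" not in value:
        return ("CLEAR", value.encode(), b"")
    scheme, _, data = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        if len(raw) <= SHA1_LEN:
            raise ValueError("SSHA payload too short to contain digest + salt")
        return (scheme, raw[:SHA1_LEN], raw[SHA1_LEN:])
    if scheme == "SHA":
        return (scheme, base64.b64decode(data), b"")
    # Other schemes ({CRYPT}, {MD5}, {CLEAR}, ...) are returned opaque.
    return (scheme, data.encode(), b"")


def is_hashed(value):
    """True when the directory stored a hash rather than the clear text."""
    scheme, _, _ = parse_userpassword(value)
    return scheme not in ("CLEAR",)


def make_ssha(password, salt=None):
    """Build an {SSHA} value the way Sun DS / OpenLDAP do (8-byte salt here)."""
    if salt is None:
        salt = os.urandom(8)  # constructed salt; servers choose their own
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(value, candidate):
    """Check a candidate password against an {SSHA} or {SHA} value."""
    scheme, digest, salt = parse_userpassword(value)
    if scheme not in ("SSHA", "SHA"):
        raise NotImplementedError("verification only implemented for SSHA/SHA")
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    # Constant-time comparison, as one would use in any verifier.
    return hmac.compare_digest(computed, digest)


def describe(value):
    """Human-readable summary of what the directory actually stored."""
    scheme, digest, salt = parse_userpassword(value)
    if scheme in ("SSHA", "SHA"):
        return "%s: %d-byte digest, %d-byte salt" % (scheme, len(digest), len(salt))
    return "%s: stored without a salted hash" % scheme


if __name__ == "__main__":
    print(describe(SAMBA_BUG_VALUE))          # SSHA: 20-byte digest, 8-byte salt
    sample = make_ssha("constructed-example", b"12345678")  # constructed input
    print(describe(sample), verify_userpassword(sample, "constructed-example"))
    print(describe("{CLEAR}secret"), is_hashed("{CLEAR}secret"))
```

A practitioner would run the first line of the main block against whatever ldapsearch returns after a test password change: an {SSHA} value with a salt confirms the server applied its password policy, while {CLEAR} or a bare string means the patch's plain modify left the clear text in the directory and the policy (or Samba's configuration) needs attention before the change path is used.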
Ok, I'd be convinced if it came with a --with-ldap-plaintext-pwchange command line switch to configure that is not enabled by default. Volker
Is there a need for something like a plain pwchange? imho you can enable RFC 3062 (LDAP Password Modify Extended Operation) via cn=features,cn=config in Sun One; see also http://docs.sun.com/app/docs/doc/819-0995/6n3cq3as8?a=view
Closing -- no patch for quite a while. Please re-open if the patch with a configure.in parameter is around. Volker