Bug 3514 - Change ldap userPassword attribute without LDAP_EXOP_MODIFY_PASSWD feature
Summary: Change ldap userPassword attribute without LDAP_EXOP_MODIFY_PASSWD feature
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.21b
Hardware: Other Solaris
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 2326
Depends on:
Blocks:
 
Reported: 2006-02-14 07:30 UTC by Alex Deiter
Modified: 2008-02-25 15:00 UTC

See Also:


Attachments
Proposed patch: allow changing userPassword via a simple smbldap_modify (907 bytes, patch)
2006-02-14 07:31 UTC, Alex Deiter
Patch for Samba-3.0.22 (1.22 KB, patch)
2006-04-04 07:59 UTC, Alex Deiter
Patch for Samba-3.0.23c (1.23 KB, patch)
2006-10-12 23:38 UTC, Alex Deiter

Description Alex Deiter 2006-02-14 07:30:19 UTC
Sun One Directory Server does not support LDAP_EXOP_MODIFY_PASSWD. Samba cannot change the userPassword attribute for users who change their password by means of Ctrl+Alt+Del:

[2006/02/14 15:17:05, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1668)
  ldap password change requested, but LDAP server does not support it -- ignoring

The proposed patch allows changing userPassword via a simple smbldap_modify.
Tested with Solaris 9/04 + Sun One Directory Server 5.2:

userPassword before change:

# ldapsearch -b 'dc=komi,dc=nw,dc=mts,dc=ru' -D 'cn=Directory Manager' '(uid=tiamat)' userpassword
Bind Password:
cn=Дейтер Александр Валериевич,ou=Отдел технического администрирования,ou=Блок по эксплуатации ИТ,ou=People,dc=komi,dc=nw,dc=mts,dc=ru
userpassword={SSHA}kXH7DNwpp1Wmzmd2npbr5DMpalX3VrR/LhCZeA==

# smbpasswd -r sofia -U tiamat
Old SMB password:

New SMB password:

Retype new SMB password:

Password changed for user tiamat on sofia.

userPassword after change:

# ldapsearch -b 'dc=komi,dc=nw,dc=mts,dc=ru' -D 'cn=Directory Manager' '(uid=tiamat)' userpassword
Bind Password:
cn=Дейтер Александр Валериевич,ou=Отдел технического администрирования,ou=Блок по эксплуатации ИТ,ou=People,dc=komi,dc=nw,dc=mts,dc=ru
userpassword={SSHA}AfhEytZeIVe2Q34Zz5VojCX1JlliHwNEd2agIA==

samba log (log level=2):

[2006/02/14 16:10:37, 2] lib/smbldap.c:smbldap_open_connection(758)
  smbldap_open_connection: connection opened
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tiamat
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2209)
  init_group_from_ldap: Entry found for group: 70513
[2006/02/14 16:10:37, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password:  authentication for user [tiamat] -> [tiamat] -> [tiamat] succeeded
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tiamat
[2006/02/14 16:10:37, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password:  authentication for user [tiamat] -> [tiamat] -> [tiamat] succeeded
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: tiamat
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
  init_ldap_from_sam: Setting entry for user: tiamat
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1678)
  Successfully modify userPassword for user tiamat
[2006/02/14 16:10:37, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1889)
  ldapsam_update_sam_account: successfully modified uid = tiamat in the LDAP database
[2006/02/14 16:10:37, 2] smbd/server.c:exit_server(614)
  Closing connections

Thanks a lot!
Comment 1 Alex Deiter 2006-02-14 07:31:44 UTC
Created attachment 1727
Proposed patch: allow changing userPassword via a simple smbldap_modify
Comment 2 Alex Deiter 2006-04-04 07:59:21 UTC
Created attachment 1842
Patch for Samba-3.0.22
Comment 3 Gerald (Jerry) Carter (dead mail address) 2006-05-16 15:41:17 UTC
*** Bug 2326 has been marked as a duplicate of this bug. ***
Comment 4 Gerald (Jerry) Carter (dead mail address) 2006-05-16 15:41:46 UTC
There's another patch in Bug 2326 to look at.
Comment 5 Alex Deiter 2006-10-12 23:38:44 UTC
Created attachment 2183
Patch for Samba-3.0.23c
Comment 6 Jeremy Allison 2006-10-13 00:30:09 UTC
Ok - is this patch safe? It looks like it's doing a plaintext password set. Can we *do* that (and live securely?).
Jerry or LDAP gurus please comment. I want a lot more explanation of LDAP password setting before this one goes in, I think.
Jeremy.
Comment 7 Alex Deiter 2006-10-13 00:45:24 UTC
The LDAP server receives the clear-text password and stores it according to the password-hash option (OpenLDAP slapd.conf) or the Password encryption option (Sun One Directory Server):

A simple test after a user changed their password from a Windows workstation:

$ ldapsearch -D 'cn=Directory Manager' -b ou=People,dc=komi,dc=nw,dc=mts,dc=ru -L '(uid=peal)' userPassword
Bind Password:
dn:: Y2490KLQvtC60LzQsNC60L7QstCwINCV0LLQs9C10L3QuNGPINCQ0LvQtdC60YHQsNC90LTR
 gNC+0LLQvdCwLG91PdCR0LvQvtC6INC+0YTQuNGB0L3Ri9GFINC/0YDQvtC00LDQtiDQuCDQvtCx
 0YHQu9GD0LbQuNCy0LDQvdC40Y8sb3U9UGVvcGxlLGRjPWtvbWksZGM9bncsZGM9bXRzLGRjPXJ1
userPassword: {SSHA}DlvX8nHdjhSHeNHhIN75Cw+POToREzBlBAa7MQ==

I.e. userPassword is hashed with the SSHA algorithm, not CLEARTEXT!

Thanks a lot!
Comment 8 Olaf Flebbe 2006-10-13 01:36:44 UTC
(In reply to comment #6)
> Ok - is this patch safe ? It looks like it's doing a plaintext password set.
> Can we *do* that (and live securely ?).

We too found no other option to change passwords on SUN One. Maybe one could enable this code path with a special keyword:

unsecure ldap password update = yes

Olaf
Comment 9 Mark Pröhl (dead mail address) 2006-10-13 04:52:12 UTC
(In reply to comment #6)
> Ok - is this patch safe ? It looks like it's doing a plaintext password set.
> Can we *do* that (and live securely ?).
> Jerry or LDAP gurus please comment. I want a lot more explaination of ldap
> password setting before this one goes in I think.
> Jeremy.
> 

If you consider it insecure to send the clear-text password over the network:

LDAP traffic must be secured anyway: the NTLM hash and the LM hash must be considered equivalent to clear-text passwords, due to the way they are used in challenge-response authentication. Therefore, access to the Samba LDAP backend must be secured via TLS.

When Samba changes the LDAP password via the exop, the clear-text password is also transferred over the network.
Comment 10 Alex Deiter 2006-10-13 05:37:05 UTC
> Mark Pröhl wrote:

I absolutely agree!
Comment 11 Jakub Cias 2007-07-31 11:55:53 UTC
What happens with this patch? Will it be applied to some stable Samba release? The last version was added almost 10 months ago. I've just built Samba 3.0.25b and tried to get it working with SunDS for 2 days before I found that this patch exists...
Could someone apply it to samba code, please?
Comment 12 Volker Lendecke 2007-07-31 14:06:57 UTC
The patch is problematic from my point of view: I'd like to see more references that say the LDAP server does reasonable things with a userPassword field being set as plain text. Leaving the plain text password in the database is nothing I like. Is this a standard LDAP way to set the password to the server-chosen hash?

Second, with this uncertainty in mind: The same behaviour can perfectly be achieved with a simple unix password sync script. We put in the ldap changepw exop because that is not as obvious from the command line.

Volker
Comment 13 Jakub Cias 2007-08-02 11:07:57 UTC
I use Sun Java System Directory Server 5.2p4 and it encrypts clear-text passwords with the hash algorithm given in the password policy (local, or global in the absence of a local one). It defaults to SSHA encryption.
I don't know if other LDAP servers do that.

In Sun DS this is the only way you can change a user's password.

My first attempt was to write a shell script that could be called from the unix passwd chat, but it didn't work in my environment (Solaris 10 + GNU). In the chat debug output I saw that the password chat was getting the phrase "could not read default terminal attributes on pty" as the first (and only) line. It seems that the call to the "tcgetattr" function failed for some reason... I intended to report it on Bugzilla, but had no time to do more testing.

Then I found that patch and it works perfectly for me.
Comment 14 Volker Lendecke 2007-08-02 12:23:12 UTC
Ok, I'd be convinced if it came with a 

--with-ldap-plaintext-pwchange

command line switch to configure that is not enabled by default.

Volker
Comment 15 Björn Jacke 2007-08-07 07:46:37 UTC
Is there a need for something like a plain pwchange? IMHO you can enable RFC 3062 (LDAP Password Modify Extended Operation) via cn=features,cn=config in Sun One;
see also

http://docs.sun.com/app/docs/doc/819-0995/6n3cq3as8?a=view
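Comment 9 points out that the clear-text password crosses the wire whether Samba does a plain userPassword replace (what the proposed patch does) or the RFC 3062 Password Modify extended operation that Comment 15 suggests enabling. As an added example (not from the bug report, the patches or Samba), the following encodes both requests as raw LDAP BER and checks each PDU for the password bytes, which is why either path needs TLS. The DN, message IDs and passwords are constructed inputs; the BER helpers are written here for the demonstration, not taken from any LDAP library.

```python
"""Added example (not part of the bug report or Samba): encode the two LDAP requests
discussed in this thread as raw BER and show that each carries the new password in clear.

  * ModifyRequest replacing userPassword (the plain attribute write), and
  * the RFC 3062 Password Modify extended operation (LDAP_EXOP_MODIFY_PASSWD).
"""

PASSWD_MODIFY_OID = b"1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 requestName


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """INTEGER with minimal two's-complement content (used for messageID)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(n, "big", signed=True))


def octets(value: bytes, tag: int = 0x04) -> bytes:
    """OCTET STRING, optionally with an implicit context-specific tag ([0] -> 0x80, [1] -> 0x81, ...)."""
    return tlv(tag, value)


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
    return tlv(0x30, ber_int(message_id) + protocol_op)


def modify_replace_user_password(message_id: int, dn: str, new_password: str) -> bytes:
    # ModifyRequest ::= [APPLICATION 6] SEQUENCE {
    #   object LDAPDN,
    #   changes SEQUENCE OF SEQUENCE {
    #     operation ENUMERATED { add(0), delete(1), replace(2) },
    #     modification PartialAttribute } }
    # PartialAttribute ::= SEQUENCE { type AttributeDescription, vals SET OF AttributeValue }
    vals = tlv(0x31, octets(new_password.encode("utf-8")))
    partial_attribute = tlv(0x30, octets(b"userPassword") + vals)
    change = tlv(0x30, tlv(0x0A, bytes([2])) + partial_attribute)
    op = tlv(0x66, octets(dn.encode("utf-8")) + tlv(0x30, change))
    return ldap_message(message_id, op)


def passwd_modify_exop(message_id: int, user_dn: str, old_password: str, new_password: str) -> bytes:
    # RFC 3062: PasswdModifyRequestValue ::= SEQUENCE {
    #   userIdentity [0] OCTET STRING OPTIONAL,
    #   oldPasswd    [1] OCTET STRING OPTIONAL,
    #   newPasswd    [2] OCTET STRING OPTIONAL }
    value = tlv(0x30, octets(user_dn.encode("utf-8"), 0x80)
                + octets(old_password.encode("utf-8"), 0x81)
                + octets(new_password.encode("utf-8"), 0x82))
    # ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
    #   requestName [0] LDAPOID, requestValue [1] OCTET STRING OPTIONAL }
    op = tlv(0x77, octets(PASSWD_MODIFY_OID, 0x80) + octets(value, 0x81))
    return ldap_message(message_id, op)


def password_visible(pdu: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the PDU, i.e. readable by anyone on the path without TLS."""
    return password.encode("utf-8") in pdu


if __name__ == "__main__":
    # Constructed DN and passwords; not from the report.
    dn, old, new = "uid=tiamat,ou=People,dc=example,dc=com", "OldPassw0rd", "N3wPassw0rd"
    for name, pdu in (("ModifyRequest", modify_replace_user_password(1, dn, new)),
                      ("PasswdModify exop", passwd_modify_exop(2, dn, old, new))):
        print(f"{name}: {len(pdu)} bytes, password in clear: {password_visible(pdu, new)}")
        print("  ", pdu.hex())
```

The difference between the two requests is therefore not what an eavesdropper sees but what the server does afterwards: with the exop the server is obliged to treat the value as a password and hash it per its policy, while with a plain attribute write that depends on the server's userPassword handling, which is the uncertainty Volker raises in Comment 12. Either way, the connection Samba uses for its passdb backend has to run over TLS (or ldaps/StartTLS), exactly as Comment 9 argues.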
Comment 16 Volker Lendecke 2008-02-25 15:00:23 UTC
Closing -- no patch for quite a while. Please re-open if the patch with a configure.in parameter is around.

Volker