[Samba] Enforcing password history policy on password resets
Mateusz Uzdowski
2016-07-12 22:14:14 UTC
Hi there,

We are using Samba as a user directory for our application. Passwords are
stored in unicodePwd attribute, and our application resets passwords
through LDAP (without the knowledge of the previous password, because it's
an email-based reset).

Unfortunately resetting it like this prevents the "password history" policy
enforcement. This is a security problem that will come up on the first
security audit.

Microsoft recognised this is a problem and in Windows 2008 R2 SP1
introduced a supportedControl on RootDSE:
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later
LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which enables such
password history enforcement on LDAP password resets.

I've been trawling the internet and Samba source code looking for a way to
achieve the same thing, to no avail.

Does anyone have any suggestions on how to get password history to be
enforced on password resets?

Many thanks,
Mateusz
--
Mateusz Uzdowski | Principal Developer
SilverStripe
http://silverstripe.com/

Phone: +64 4 978 7330 xtn 68
Skype: MateuszUzdowski
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Garming Sam
2016-07-13 01:48:57 UTC
Hi,

In password_hash.c, the function check_password_restrictions sounds like
the one you want to interrupt.

if (io->ac->pwd_reset) {
        return LDB_SUCCESS;
}

Just guessing, this is probably the codepath you're triggering causing
you to skip the password history.

ldb_request_get_control(req, <OID>)

You'd have to change the code to check if that particular control is
there, and if so, don't return yet. You'd also have to make sure that
you're only including the history checks and nothing else.


Cheers,

Garming
Post by Mateusz Uzdowski
Hi there,
We are using Samba as a user directory for our application. Passwords are
stored in unicodePwd attribute, and our application resets passwords
through LDAP (without the knowledge of the previous password, because it's
an email-based reset).
Unfortunately resetting it like this prevents the "password history" policy
enforcement. This is a security problem that will come up on the first
security audit.
Microsoft recognised this is a problem and in Windows 2008 R2 SP1
introduced a supportedControl on RootDSE:
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later
LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which enables such
password history enforcement on LDAP password resets.
I've been trawling the internet and Samba source code looking for a way to
achieve the same thing, to no avail.
Does anyone have any suggestions on how to get password history to be
enforced on password resets?
Many thanks,
Mateusz
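The two halves of this thread, the policy-hints control Mateusz describes and the server-side check Garming sketches, fit in one small worked example. The following Python is an added illustration, not code from Samba, Windows or the ldap3 project: it DER-encodes the PolicyHintsRequestValue (a SEQUENCE holding one INTEGER of flags; the assumption, taken from MS-ADTS, is that bit 0x1 requests password-history enforcement), decodes it the way a server such as check_password_restrictions would have to before deciding not to short-circuit a reset, and prepares the unicodePwd replace plus control list in the (changes, controls) shape that ldap3's Connection.modify() accepts. The DN and password are constructed sample values.

```python
"""
Added example (not Samba or ldap3 project code): build and decode the LDAP
policy-hints control that asks a directory to apply password-history checks
to an administrative password reset.
"""

LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"             # Windows 2012 and later
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"  # Windows 2008 R2 SP1
POLICY_HINTS_ENFORCE_HISTORY = 0x1   # Flags bit per MS-ADTS (assumption: the only defined bit)


def _der_integer(value: int) -> bytes:
    """DER-encode a small non-negative INTEGER (tag 0x02, short-form length)."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    # Extra byte of headroom keeps the top bit clear so the value stays positive.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(body)]) + body


def encode_policy_hints(flags: int = POLICY_HINTS_ENFORCE_HISTORY) -> bytes:
    """PolicyHintsRequestValue ::= SEQUENCE { Flags INTEGER }, DER-encoded."""
    inner = _der_integer(flags)
    return b"\x30" + bytes([len(inner)]) + inner


def decode_policy_hints(value: bytes) -> int:
    """Server-side counterpart: extract Flags, rejecting anything but one INTEGER in one SEQUENCE."""
    if len(value) < 2 or value[0] != 0x30 or value[1] != len(value) - 2:
        raise ValueError("control value is not a single DER SEQUENCE")
    inner = value[2:]
    if len(inner) < 3 or inner[0] != 0x02 or inner[1] != len(inner) - 2:
        raise ValueError("SEQUENCE does not hold exactly one INTEGER")
    return int.from_bytes(inner[2:], "big", signed=True)


def history_enforcement_requested(controls) -> bool:
    """The decision a server needs before its 'pwd_reset -> return LDB_SUCCESS' shortcut:
    is either policy-hints control present with the enforce-history flag set?"""
    for oid, _criticality, value in controls:
        if oid in (LDAP_SERVER_POLICY_HINTS_OID, LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID):
            return bool(decode_policy_hints(value) & POLICY_HINTS_ENFORCE_HISTORY)
    return False


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd is written as the UTF-16-LE encoding of the password wrapped in double quotes."""
    return f'"{password}"'.encode("utf-16-le")


def build_reset(dn: str, new_password: str):
    """Return (changes, controls) for an administrative reset: a single replace of unicodePwd
    carrying a *critical* policy-hints control, so a server that does not support the control
    refuses the operation instead of silently skipping the history check."""
    changes = {"unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])]}
    controls = [(LDAP_SERVER_POLICY_HINTS_OID, True, encode_policy_hints())]
    return changes, controls


def reset_password(conn, dn: str, new_password: str) -> bool:
    """Run the reset over an already-bound ldap3 Connection (assumed LDAPS, which unicodePwd requires)."""
    changes, controls = build_reset(dn, new_password)
    return conn.modify(dn, changes, controls=controls)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    changes, controls = build_reset("cn=sample,cn=Users,dc=example,dc=test", "Constructed-Sample-1")
    print(changes)
    print(controls, "history requested:", history_enforcement_requested(controls))
```

Marking the control critical is the defensive choice: against a server that advertises neither OID in supportedControl, the modify fails with unavailableCriticalExtension rather than succeeding without the history check, which is exactly the silent gap an audit would flag.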