Mateusz Uzdowski
2016-Jul-12 22:14 UTC
[Samba] Enforcing password history policy on password resets
Hi there,

We are using Samba as a user directory for our application. Passwords are stored in the unicodePwd attribute, and our application resets passwords through LDAP (without the knowledge of the previous password, because it's an email-based reset).

Unfortunately resetting it like this prevents the "password history" policy enforcement. This is a security problem that will come up on the first security audit.

Microsoft recognised this is a problem and in Windows 2008 R2 SP1 introduced a supportedControl on RootDSE: LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which enables such password history enforcement on LDAP password resets.

I've been trawling the internet and Samba source code looking for a way to achieve the same thing, to no avail.

Does anyone have any suggestions on how to get password history to be enforced on password resets?

Many thanks,
Mateusz

--
Mateusz Uzdowski | Principal Developer
SilverStripe
http://silverstripe.com/
Phone: +64 4 978 7330 xtn 68
Skype: MateuszUzdowski
Garming Sam
2016-Jul-13 01:48 UTC
[Samba] Enforcing password history policy on password resets
Hi,

In password_hash.c, the function check_password_restrictions sounds like the one you want to interrupt.

    if (io->ac->pwd_reset) {
        return LDB_SUCCESS;
    }

Just guessing, this is probably the codepath you're triggering, causing you to skip the password history.

    ldb_request_get_control(req, <OID>)

You'd have to change the code to check if that particular control is there, and if so, don't return yet. You'd also have to make sure that you're only including the history checks and nothing else.

Cheers,

Garming

On 13/07/16 10:14, Mateusz Uzdowski wrote:
> Hi there,
>
> We are using Samba as a user directory for our application. Passwords are
> stored in unicodePwd attribute, and our application resets passwords
> through LDAP (without the knowledge of the previous password, because it's
> an email-based reset).
>
> Unfortunately resetting it like this prevents the "password history" policy
> enforcement. This is a security problem that will come up on the first
> security audit.
>
> Microsoft recognised this is a problem and in Windows 2008 R2 SP1
> introduced a supportedControl on RootDSE:
> LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later
> LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which enables such
> password history enforcement on LDAP password resets.
>
> I've been trawling the internet and Samba source code looking for a way to
> achieve the same thing, to no avail.
>
> Does anyone have any suggestions on how to get password history to be
> enforced on password resets?
>
> Many thanks,
> Mateusz
>
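The client half of what Mateusz describes and Garming's server-side check expects: the reset is a replace of unicodePwd that carries the policy-hints control, whose value per MS-ADTS is SEQUENCE { Flags INTEGER } with Flags = 1. This is an added example, not code from the thread or from Samba; the pure-stdlib BER helpers and the dict layout of the request (with "MODIFY_REPLACE" standing in for whatever constant a real LDAP client library uses) are constructed for illustration, and the server still has to honour the control for history to be enforced.

```python
# Pieces of an LDAP password reset that asks the DC to apply password policy
# (history included) to a reset. Constructed example; no network access.

# OIDs quoted in the thread
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID = "1.2.840.113556.1.4.2066"  # 2008 R2 SP1
LDAP_SERVER_POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"             # later releases


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02), minimal two's-complement body."""
    length = value.bit_length() // 8 + 1          # extra byte keeps the sign bit clear
    body = value.to_bytes(length, "big", signed=True)
    return b"\x02" + ber_length(len(body)) + body


def ber_sequence(*elements: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) wrapping already-encoded elements."""
    body = b"".join(elements)
    return b"\x30" + ber_length(len(body)) + body


def policy_hints_control_value(flags: int = 1) -> bytes:
    """PolicyHintsRequestValue ::= SEQUENCE { Flags INTEGER } (MS-ADTS); Flags = 1
    asks the server to enforce password policy on the reset."""
    return ber_sequence(ber_integer(flags))


def policy_hints_control(oid: str = LDAP_SERVER_POLICY_HINTS_OID, critical: bool = True):
    """(controlType, criticality, controlValue) as LDAP client libraries take it.
    Marked critical so a server that does not advertise the OID refuses the reset
    (unavailableCriticalExtension) instead of silently skipping the history check."""
    return (oid, critical, policy_hints_control_value())


def unicode_pwd_value(new_password: str) -> bytes:
    """unicodePwd on the wire: the new password wrapped in double quotes, UTF-16-LE."""
    return f'"{new_password}"'.encode("utf-16-le")


def build_reset_modify(dn: str, new_password: str) -> dict:
    """The whole reset: one replace of unicodePwd plus the policy-hints control."""
    return {
        "dn": dn,
        "changes": {"unicodePwd": [("MODIFY_REPLACE", [unicode_pwd_value(new_password)])]},
        "controls": [policy_hints_control()],
    }
```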
Andrew Bartlett
2016-Jul-21 02:47 UTC
[Samba] Enforcing password history policy on password resets
On Wed, 2016-07-13 at 10:14 +1200, Mateusz Uzdowski wrote:
> Hi there,
>
> We are using Samba as a user directory for our application. Passwords are
> stored in unicodePwd attribute, and our application resets passwords
> through LDAP (without the knowledge of the previous password, because it's
> an email-based reset).
>
> Unfortunately resetting it like this prevents the "password history" policy
> enforcement. This is a security problem that will come up on the first
> security audit.
>
> Microsoft recognised this is a problem and in Windows 2008 R2 SP1
> introduced a supportedControl on RootDSE:
> LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID (1.2.840.113556.1.4.2066), later
> LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2239), which enables such
> password history enforcement on LDAP password resets.
>
> I've been trawling the internet and Samba source code looking for a way to
> achieve the same thing, to no avail.
>
> Does anyone have any suggestions on how to get password history to be
> enforced on password resets?

Try this patch :-)

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team
https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-HACK-DSDB_LDAP_SERVER_POLICY_HINTS_OID.patch
Type: text/x-patch
Size: 10923 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20160721/e1b53088/0001-HACK-DSDB_LDAP_SERVER_POLICY_HINTS_OID.bin>