39988: Is it possible to change my password from the Macintosh when using Acronis Files Connect on my server? Are there any issues I should be concerned about?


Last update: 11-07-2017

Question:

Is it possible to change my password from the Macintosh when using Acronis Files Connect (formerly ExtremeZ-IP) on my server? Are there any issues I should be concerned about?

 

Answer:

You can change your password from a Macintosh using Acronis Files Connect on your server. When you log on to the server in the Chooser, Network Browser, or via an alias, you can click the "Change Password..." button. You will be prompted to enter your old password and your new password (twice), and then the change password request will be sent to the server. Acronis Files Connect will ask the Windows system to change your password. The user account can be a member of a Windows domain (for more information about how to specify a particular Windows domain, see the documentation for Acronis Files Connect).

There are a number of issues with changing passwords.

In AppleShare clients up to and including AppleShare Client 3.8.3, you can only change your password using the "Clear Text" authentication module. If your server is configured to not allow "Clear Text" passwords, then you will not be able to change passwords. As a workaround, you must either enable "Clear Text" passwords or upgrade your AppleShare client.

The AppleShare client 3.8.5 (which ships with Mac OS 9) has several bugs in it that cause it to crash during login and change password operations. Apple has briefly documented these issues and fixed them in the 3.8.6 version of the software. This version is available from Apple's download page. It is also included in the Mac OS 9.0.4 update. However, the AppleShare client 3.8.6 only resolves the crashes and still does not correctly handle password changing when using encrypted logins.

Almost all password changing issues are resolved in the AppleShare Client 3.8.8, which is the latest version available as a separate download from Apple. The AppleShare Client 3.9 is available with Mac OS 9.2.2 and also works for changing passwords.

If you cannot use the latest AppleShare clients on your system, the only workaround is to turn OFF the "Allow Encrypted Passwords" option in Acronis Files Connect and turn ON the "Allow Clear Text Passwords" option. You can then change your password (although you will be limited to 8 character passwords), and then return your server to its original configuration. In other words, you only need to configure the server this way temporarily while a user changes his or her password.

The following section describes the main problem with the AppleShare client 3.8.6 with respect to changing passwords. It is very technical in nature. It is not necessary to understand this information in order to change passwords. It is only presented for the sake of completeness.

Password changing was not in the original version of AFP; it was not added until Apple released version 2.0 of the protocol. Additionally, Apple has never publicly documented how a multi-step password changing process works. The DHX UAM is the first password changing mechanism (from Apple) that actually requires a multi-step sequence to change the password. It requires multiple steps in order to provide security. For more information on how DHX works securely, see Apple's DHX UAM documentation or Schneier's "Applied Cryptography".

When the user's password has expired, the client does not expect an error to be returned from the initial login command -- instead, the server must report that the client is successfully logged in, but must then return the afpPasswordHasExpired error to any subsequent command until the user changes the password.

When the client issues the final packet in the change password sequence, it is supposed to send an encrypted buffer containing the user's old password and new password. Both passwords are SUPPOSED to be padded with zeros up to 64 bytes. However, in the AppleShare client 3.8.6, the passwords are only padded to 8 bytes, and the remaining 56 bytes contain garbage. Consequently, the supplied passwords are not correct, and the change password operation fails. The error is reported back to the client, and it disconnects from the server.
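The padding failure described above can be reproduced on a single decrypted 64-byte password field. The following is an added example, not Acronis or Apple code: it does not model DHX encryption or the rest of the packet, and the function names, the sample password and the stand-in "garbage" bytes are assumptions constructed for illustration.

```python
import hmac

FIELD_LEN = 64   # padded field size the article says the protocol expects
SHORT_PAD = 8    # size AppleShare client 3.8.6 actually zero-pads to

def pad_password(pw: bytes) -> bytes:
    """Correct client behaviour: zero-pad the password to the full field."""
    if len(pw) > FIELD_LEN:
        raise ValueError("password does not fit in the field")
    return pw.ljust(FIELD_LEN, b"\x00")

def short_padded_field(pw: bytes, leftover: bytes) -> bytes:
    """Constructed model of the 3.8.6 bug: 8 padded bytes, then stale bytes."""
    if len(pw) > SHORT_PAD or len(leftover) != FIELD_LEN - SHORT_PAD:
        raise ValueError("bad sizes for the short-padded model")
    return pw.ljust(SHORT_PAD, b"\x00") + leftover

def read_password(field: bytes) -> bytes:
    """Server view: the password is the field minus trailing zero padding."""
    if len(field) != FIELD_LEN:
        raise ValueError("field must be exactly 64 bytes")
    return field.rstrip(b"\x00")

def classify(field: bytes) -> str:
    """Heuristic triage of a decrypted field for server-side logging."""
    pw = read_password(field)
    if b"\x00" not in pw:
        return "ok"                      # nothing but zeros after the password
    if b"\x00" in field[:SHORT_PAD] and any(field[SHORT_PAD:]):
        return "short-padded"            # pattern the article describes
    return "malformed"

def password_matches(field: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the extracted password."""
    return hmac.compare_digest(read_password(field), expected)

# Constructed sample data (not captured traffic).
LEFTOVER = bytes(range(0xA0, 0xA0 + 56))   # 56 non-zero stand-in "garbage" bytes
GOOD = pad_password(b"hunter2")
BUGGY = short_padded_field(b"hunter2", LEFTOVER)

if __name__ == "__main__":
    for name, field in (("good", GOOD), ("buggy", BUGGY)):
        print(name, classify(field), password_matches(field, b"hunter2"))
```

An exactly 8-character password followed by non-zero leftover bytes is indistinguishable from a legitimate 64-byte password, so the classification is a logging hint only.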

 
