new unicode_password ldb module

Andrew Bartlett abartlet at
Wed Dec 28 08:25:11 GMT 2005

On Wed, 2005-12-28 at 18:59 +1100, Luke Howard wrote:
> >By ensuring that the krb5key attribute is the only one we need to
> >retrieve, this also simplifies the run-time KDC logic.  (Each value
> >of the multi-valued attribute is encoded as a 'Key' in ASN.1).
> FWIW, Active Directory uses three attributes to store keys: dBCSPwd
> (the LM hash), unicodePwd (the NT hash), and supplementalCredentials
> (everything else).

I thought about using supplementalCredentials, but I was worried that I
don't know what the format is.  (I still haven't finished the crypto
work on DRSUAPI).  

We could rename our current unicodePwd -> userPassword, ntPwdHash ->
unicodePwd, lmPwdHash -> dBCSPwd and krb5Key ->

The other interesting challenge in this area is how to implement the
'write to unicodePwd over LDAP', which has bizarre semantics (UCS2, with
" surrounding), which wouldn't normally fit well into our ldb interface.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
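
The unicodePwd write format mentioned above (UCS-2 password surrounded by double quotes), shown as an added example that is not part of the original message or Samba's code. The function and enum names are hypothetical, and little-endian byte order is assumed for the 16-bit units.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper names for illustration; not Samba's or ldb's API. */
enum pwd_parse_result { PWD_OK = 0, PWD_BAD_LENGTH, PWD_NOT_QUOTED };

/* True if the 16-bit little-endian unit at p is '"' (U+0022). */
static int is_quote_ucs2le(const uint8_t *p)
{
    return p[0] == 0x22 && p[1] == 0x00;
}

/*
 * Server side: validate a value written to unicodePwd and locate the
 * password inside it. On PWD_OK, *pwd points at the UCS-2LE password with
 * the surrounding quotes stripped and *pwd_len is its length in bytes
 * (0 for an empty password). Only the first and last units are treated as
 * delimiters, so a quote inside the password is preserved.
 */
enum pwd_parse_result parse_unicode_pwd(const uint8_t *val, size_t len,
                                        const uint8_t **pwd, size_t *pwd_len)
{
    /* Must be whole 16-bit units and hold at least the two quotes. */
    if (val == NULL || len < 4 || (len % 2) != 0)
        return PWD_BAD_LENGTH;
    if (!is_quote_ucs2le(val) || !is_quote_ucs2le(val + len - 2))
        return PWD_NOT_QUOTED;
    *pwd = val + 2;
    *pwd_len = len - 4;
    return PWD_OK;
}

/*
 * Client side: build the quoted UCS-2LE value from an ASCII password.
 * Returns the number of bytes written, or 0 if the buffer is too small
 * or the input contains non-ASCII bytes (this example handles ASCII only).
 */
size_t encode_unicode_pwd_ascii(const char *ascii, uint8_t *out, size_t out_size)
{
    size_t n = strlen(ascii), i, o = 0;
    if ((n + 2) * 2 > out_size)
        return 0;
    out[o++] = 0x22; out[o++] = 0x00;            /* opening quote */
    for (i = 0; i < n; i++) {
        if ((unsigned char)ascii[i] > 0x7f)
            return 0;
        out[o++] = (uint8_t)ascii[i]; out[o++] = 0x00;
    }
    out[o++] = 0x22; out[o++] = 0x00;            /* closing quote */
    return o;
}
```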