[SAMBA4] How should we store password hashes?
simo
idra at samba.org
Tue Feb 13 13:38:02 GMT 2007
On Tue, 2007-02-13 at 10:34 +0100, Stefan (metze) Metzmacher wrote:
> Hi,
>
> As we now know how the password fields are replicated,
> I was thinking about how we should store them in our ldb.
>
> I'd like to store them exactly as they're replicated,
> (just without the session specific encryption). So that
> the following attributes are stored rid crypted:
> unicodePwd, ntPwdHistory, dBCSPwd and lmPwdHistory.
I am ok to store them in the same format if it is reasonable,
but why do you want to keep them rid obfuscated?
> And the functions to access the hashes, like samdb_result_hash(), will
> rid (de)crypt them on the fly.
>
> I have a patch which passes the rid to these functions, to fix all the
> callers (but it still uses the samba specific attributes and doesn't do
> rid crypt)
>
> Comments please :-)
It seems to me you are not keeping the crc32, is there a reason to rid
obfuscate hashes and not keep it?
Anything else looks good on a v. quick look.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org