design for storing trusted domain passwords in ldap
Michael Adam
ma at sernet.de
Tue Jan 23 16:31:11 GMT 2007
On Mon, Jan 22, 2007 at 08:51:22PM +1100, Andrew Bartlett wrote:
> On Mon, 2007-01-22 at 10:37 +0100, Volker Lendecke wrote:
> > On Mon, Jan 22, 2007 at 10:32:26AM +0100, Michael Adam wrote:
> > > 2) additional attribute sambaPasswordHistory (along with
> > > sambaPwdHistoryLength) in sambaTrustedDomainPassword
> >
> > The sambaPwdHistoryLength would not be necessary I think.
> > You should be able to figure that out from the value length.
>
> I don't like the idea of overloading the sambaPasswordHistory. The
> existing format of this attribute is <16 bytes of salt><MD5(salt
> +NTpassword). We need the original plaintext or NT password here.
>
> BTW, I should have mentioned: If we store the plaintext password for
> the trust, then it becomes possible to upgrade to using Kerberos to
> contact the trusted domains. This may be desirable, even if we are not
> 'doing ADS'.
Oh! We should indeed store the plain text password, as we do
in the secrets.tdb... And then we do of course need another form
of the history. I will make up a modified
sambaTrustedDomainPassword object class and post the patch.
Cheers - Michael
--
Michael Adam, SerNet Service Network GmbH
phone: +49-551-370000-0, fax: +49-551-370000-9
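The two schema points argued above, that the entry count of sambaPasswordHistory follows from the value length (Volker) and that its salted MD5 layout can only be checked against a candidate, never turned back into the NT password a trust needs (Andrew), are easier to see with the format written out. The following is an added illustration, not code from this thread or from Samba; it takes the 16-byte NT hash as an input (the constructed `OLD_NT_HASH`/`NEW_NT_HASH` values are placeholders, not hashes of any real password) and only implements the `<16 bytes salt><MD5(salt + NT hash)>` layout Andrew describes.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16
DIGEST_LEN = 16            # MD5 output length
ENTRY_LEN = SALT_LEN + DIGEST_LEN  # one sambaPasswordHistory entry is 32 bytes

# Constructed sample NT hashes (16 bytes each); not derived from real passwords.
OLD_NT_HASH = bytes(range(0, 16))
NEW_NT_HASH = bytes(range(16, 32))


def make_history_entry(nt_hash: bytes, salt: Optional[bytes] = None) -> bytes:
    """Build one entry in the layout <16 bytes salt><MD5(salt + NT hash)>."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be exactly 16 bytes")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    return salt + hashlib.md5(salt + nt_hash).digest()


def history_length(history: bytes) -> int:
    """Number of stored entries, derived from the value length alone
    (which is why a separate sambaPwdHistoryLength is redundant)."""
    if len(history) % ENTRY_LEN != 0:
        raise ValueError("history value is not a multiple of %d bytes" % ENTRY_LEN)
    return len(history) // ENTRY_LEN


def nt_hash_in_history(nt_hash: bytes, history: bytes) -> bool:
    """True if nt_hash matches any entry. Each entry can only be tested by
    recomputing MD5 under that entry's own salt; the NT hash itself is
    not recoverable from the stored value, so this format cannot supply
    the password a trust relationship (or a Kerberos upgrade) needs."""
    for i in range(history_length(history)):
        entry = history[i * ENTRY_LEN:(i + 1) * ENTRY_LEN]
        salt, digest = entry[:SALT_LEN], entry[SALT_LEN:]
        if hmac.compare_digest(hashlib.md5(salt + nt_hash).digest(), digest):
            return True
    return False


def push_history(history: bytes, nt_hash: bytes, max_entries: int) -> bytes:
    """Prepend a fresh entry for nt_hash and drop the oldest entries so that
    at most max_entries remain (newest first)."""
    if max_entries < 1:
        raise ValueError("max_entries must be >= 1")
    updated = make_history_entry(nt_hash) + history
    return updated[:max_entries * ENTRY_LEN]


if __name__ == "__main__":
    hist = make_history_entry(OLD_NT_HASH)
    hist = push_history(hist, NEW_NT_HASH, max_entries=2)
    print("entries:", history_length(hist))
    print("old hash still in history:", nt_hash_in_history(OLD_NT_HASH, hist))
```

Running the module shows a two-entry history in which both hashes are still found; pushing a third hash with `max_entries=2` evicts the oldest. The point for the trust-password design is in `nt_hash_in_history`: every operation on the value is a compare, never a retrieval, so a separate attribute holding the plain text (or at least the NT hash) is needed for the trust account itself.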