design for storing trusted domain passwords in ldap

Michael Adam ma at
Tue Jan 23 16:31:11 GMT 2007

On Mon, Jan 22, 2007 at 08:51:22PM +1100, Andrew Bartlett wrote:
> On Mon, 2007-01-22 at 10:37 +0100, Volker Lendecke wrote:
> > On Mon, Jan 22, 2007 at 10:32:26AM +0100, Michael Adam wrote:
> > > 2) additional attribute sambaPasswordHistory (along with
> > >    sambaPwdHistoryLength) in sambaTrustedDomainPassword
> > 
> > The sambaPwdHistoryLength would not be necessary I think.
> > You should be able to figure that out from the value length.
> I don't like the idea of overloading the sambaPasswordHistory.  The
> existing format of this attribute is <16 bytes of salt><MD5(salt
> +NTpassword).  We need the original plaintext or NT password here.
> BTW, I should have mentioned:  If we store the plaintext password for
> the trust, then it becomes possible to upgrade to using Kerberos to
> contact the trusted domains.  This may be desirable, even if we are not
> 'doing ADS'.

Oh! We should indeed store the plain text password, as we do
in the secrets.tdb... And then we do of course need another form
of the history. I will make up a modified
sambaTrustedDomainPassword object class and post the patch.

Cheers - Michael

Michael Adam,  SerNet Service Network GmbH
phone: +49-551-370000-0,  fax: +49-551-370000-9

More information about the samba-technical mailing list