Forcing plaintext password storage for Samba 4

Angelos Oikonomopoulos angelos.oikonomopoulos at
Wed Nov 10 02:13:08 MST 2010

Hello all,

in my setup there is the unfortunate requirement to propagate user 
passwords (and changes to them of course) to some external service. I've 
been trying to figure out how to force storage of plaintext passwords in 
the ldap directory (getting the passwords via ldb would be just as good, 
if not better).

However, I'm not intimately familiar with the protocols and while I've 
been going through the source for a couple of days I'm still not sure 
I've located all the paths that change passwords and I definitely do not 
know how to force the client to send a cleartext hash instead of a hash 
(is there some negotiation step?).

My latest attempt involved setting the 'reversible encryption' flag for 
a test user and then changing the password. This indeed set a bit in the 
userAccountControl field for that user and added 
msDS-SupportedEncryptionTypes: 0, but I have no idea how to 'reverse' 
this 'encryption'.

Any hints would be greatly appreciated -- I'm well aware that this kind 
of functionality defeats the purpose of using kerberos auth in a few 
ways, but in our case not having this functionality is a show stopper.

If this is something I can implement with some guidance, I'd consider 
submitting a patch for it.
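The post describes what setting the 'reversible encryption' flag does on the directory side: a bit is set in userAccountControl (the documented flag is 0x80, UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED) and msDS-SupportedEncryptionTypes is written as 0. From a defender's standpoint the useful thing to have is a check that finds every account carrying that bit, since such accounts hold recoverable passwords. The following is an added example, not code from the original message or from Samba; it decodes userAccountControl values from an LDIF export and reports accounts with the flag set. The LDIF text is constructed for the example, and the parser is a minimal one written here, not an ldb or python-ldap API.

```python
"""Audit Samba AD / Active Directory user entries for the 'store password using
reversible encryption' bit in userAccountControl.

Added example (not from the original post). Bit values are the documented
userAccountControl flags; the LDIF sample is constructed for this example.
"""

# Documented userAccountControl bit values (subset), ascending order.
UF_ACCOUNTDISABLE = 0x0002
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080   # "reversible encryption"
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWORD = 0x10000
UF_USE_DES_KEY_ONLY = 0x200000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    UF_USE_DES_KEY_ONLY: "USE_DES_KEY_ONLY",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# Constructed LDIF export of three users; 640 == 0x200 | 0x80, 642 adds 0x2.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 640
msDS-SupportedEncryptionTypes: 0

dn: CN=carol,CN=Users,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 642
msDS-SupportedEncryptionTypes: 0
"""


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, leading space
    continues the previous value. Enough for plain attribute exports."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key is not None:
            current[last_key][-1] += line[1:]
        else:
            key, _, val = line.partition(": ")
            current.setdefault(key, []).append(val)
            last_key = key
    if current:
        entries.append(current)
    return entries


def find_reversible_accounts(ldif_text):
    """List accounts whose userAccountControl has the reversible-encryption bit."""
    findings = []
    for entry in parse_ldif(ldif_text):
        uac = int(entry.get("userAccountControl", ["0"])[0])
        if uac & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:
            findings.append({
                "sAMAccountName": entry["sAMAccountName"][0],
                "userAccountControl": uac,
                "flags": decode_uac(uac),
                "msDS-SupportedEncryptionTypes":
                    entry.get("msDS-SupportedEncryptionTypes", [None])[0],
            })
    return findings


if __name__ == "__main__":
    for f in find_reversible_accounts(SAMPLE_LDIF):
        print(f["sAMAccountName"], hex(f["userAccountControl"]),
              ",".join(f["flags"]), "enctypes=%s" % f["msDS-SupportedEncryptionTypes"])
```

On a real Samba AD DC the input can be produced with `ldbsearch -H <path to sam.ldb>` (path left as a placeholder here), requesting the sAMAccountName, userAccountControl and msDS-SupportedEncryptionTypes attributes; the same bit test can be pushed into the search filter with the LDAP bitwise-AND matching rule `(userAccountControl:1.2.840.113556.1.4.803:=128)`.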