Forcing plaintext password storage for Samba 4
angelos.oikonomopoulos at fp-commerce.de
Wed Nov 10 02:13:08 MST 2010
in my setup there is the unfortunate requirement to propagate user
passwords (and changes to them of course) to some external service. I've
been trying to figure out how to force storage of plaintext passwords in
the ldap directory (getting the passwords via ldb would be just as good,
if not better).
However, I'm not intimately familiar with the protocols and while I've
been going through the source for a couple of days I'm still not sure
I've located all the paths that change passwords and I definitely do not
know how to force the client to send a cleartext hash instead of a hash
(is there some negotiation step?).
My latest attempt involved setting the 'reversible encryption' flag for
a test user and then changing the password. This indeed set a bit in the
userAccountControl field for that user and added
msDS-SupportedEncryptionTypes: 0, but I have no idea how to 'reverse'
Any hints would be greatly appreciated -- I'm well aware that this kind
of functionality defeats the purpose of using kerberos auth in a few
ways, but in our case not having this functionality is a show stopper.
If this is something I can implement with some guidance, I'd consider
submitting a patch for it.
More information about the samba-technical