Forcing plaintext password storage for Samba 4

Stefan (metze) Metzmacher metze at samba.org
Wed Nov 10 02:27:56 MST 2010


Hi Angelos,

> in my setup there is the unfortunate requirement to propagate user
> passwords (and changes to them of course) to some external service. I've
> been trying to figure out how to force storage of plaintext passwords in
> the ldap directory (getting the passwords via ldb would be just as good,
> if not better).
> 
> However, I'm not intimately familiar with the protocols and while I've
> been going through the source for a couple of days I'm still not sure
> I've located all the paths that change passwords and I definitely do not
> know how to force the client to send a cleartext hash instead of a hash
> (is there some negotiation step?).
> 
> My latest attempt involved setting the 'reversible encryption' flag for
> a test user and then changing the password. This indeed set a bit in the
> userAccountControl field for that user and added
> msDS-SupportedEncryptionTypes: 0, but I have no idea how to 'reverse'
> this 'encryption'.
> 
> Any hints would be greatly appreciated -- I'm well aware that this kind
> of functionality defeats the purpose of using kerberos auth in a few
> ways, but in our case not having this functionality is a show stopper.
> 
> If this is something I can implement with some guidance, I'd consider
> submitting a patch for it.

I don't know what it's all called in the gui, but you need this in order
to specify that plaintext passwords are stored.

On the domain object "pwdProperties" needs the
DOMAIN_PASSWORD_STORE_CLEARTEXT flag,
and the account needs the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag in
userAccountControl.

Then the plaintext UTF16 password is stored in the
supplementalCredentials blob
in the Primary:CLEARTEXT field.

The encoding of the supplementalCredentials blob is quite complex; see
setup_supplemental_field() in source4/dsdb/samdb/ldb_modules/password_hash.c
and supplementalCredentialsBlob in librpc/idl/drsblobs.idl.

metze
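As an added example (not code from this thread or from Samba itself), the following Python script checks the two flags named above and then builds and decodes a supplementalCredentials blob laid out as MS-ADTS describes USER_PROPERTIES/USER_PROPERTY. The constants, the exact reserved-field values, and the sample password are assumptions made for this example; the authoritative encoder is the IDL and password_hash.c cited in the reply. The point it makes is that "reversible encryption" is nothing more than a hex-encoded UTF-16LE string: anyone who can read the attribute has the password.

```python
import struct

# Flag values from MS-SAMR / MS-ADTS (assumed here, not quoted from the post).
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010      # bit in pwdProperties (domain object)
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080    # bit in userAccountControl (account)

# USER_PROPERTIES layout as this example assumes it (see MS-ADTS 2.2.10.x):
#   Reserved1 (4) | Length (4) | Reserved2 (2) | Reserved3 (2) |
#   Reserved4 (96 bytes) | PropertySignature (2, 'P') | PropertyCount (2) |
#   USER_PROPERTY[count] | Reserved5 (1)
# Each USER_PROPERTY: NameLength (2) | ValueLength (2) | Reserved (2) |
#   PropertyName (UTF-16LE) | PropertyValue (ASCII hex of the raw value)
PROPERTY_SIGNATURE = 0x0050
RESERVED4 = b"\x20" * 96
HEADER = struct.Struct("<IIHH")
PROPERTY_HDR = struct.Struct("<HHH")


def cleartext_storage_enabled(pwd_properties, user_account_control):
    """Both bits must be set before a DC will store Primary:CLEARTEXT."""
    domain_ok = bool(pwd_properties & DOMAIN_PASSWORD_STORE_CLEARTEXT)
    account_ok = bool(user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)
    return domain_ok and account_ok


def build_blob(packages):
    """Encode (name, raw_value_bytes) pairs into a supplementalCredentials blob."""
    body = b""
    for name, value in packages:
        name_utf16 = name.encode("utf-16-le")
        value_hex = value.hex().encode("ascii")
        body += PROPERTY_HDR.pack(len(name_utf16), len(value_hex), 0)
        body += name_utf16 + value_hex
    sub = RESERVED4 + struct.pack("<HH", PROPERTY_SIGNATURE, len(packages)) + body
    # Length counts everything from Reserved4 up to (not including) Reserved5.
    return HEADER.pack(0, len(sub), 0, 0) + sub + b"\x00"


def parse_blob(blob):
    """Decode the blob back into {package_name: raw_value_bytes}."""
    _r1, length, _r2, _r3 = HEADER.unpack_from(blob, 0)
    sub = blob[HEADER.size:HEADER.size + length]
    if len(sub) != length:
        raise ValueError("truncated supplementalCredentials blob")
    if sub[:len(RESERVED4)] != RESERVED4:
        raise ValueError("unexpected Reserved4 prefix")
    signature, count = struct.unpack_from("<HH", sub, len(RESERVED4))
    if signature != PROPERTY_SIGNATURE:
        raise ValueError("bad PropertySignature 0x%04x" % signature)
    offset = len(RESERVED4) + 4
    packages = {}
    for _ in range(count):
        name_len, value_len, _reserved = PROPERTY_HDR.unpack_from(sub, offset)
        offset += PROPERTY_HDR.size
        name = sub[offset:offset + name_len].decode("utf-16-le")
        offset += name_len
        value_hex = sub[offset:offset + value_len].decode("ascii")
        offset += value_len
        packages[name] = bytes.fromhex(value_hex)
    return packages


def recover_cleartext(blob):
    """'Reverse' the reversible encryption: Primary:CLEARTEXT is plain UTF-16LE."""
    packages = parse_blob(blob)
    raw = packages.get("Primary:CLEARTEXT")
    return None if raw is None else raw.decode("utf-16-le")


# Constructed sample: the "Packages" list names the other packages present,
# NUL-separated and UTF-16LE encoded; the password itself is made up.
SAMPLE_PASSWORD = "Pa$$w0rd"
SAMPLE_BLOB = build_blob([
    ("Packages", "Primary:CLEARTEXT".encode("utf-16-le")),
    ("Primary:CLEARTEXT", SAMPLE_PASSWORD.encode("utf-16-le")),
])

if __name__ == "__main__":
    print("storage allowed:", cleartext_storage_enabled(0x10, 0x10280))
    print("recovered:", recover_cleartext(SAMPLE_BLOB))
```

A real blob pulled out of sam.ldb also carries packages such as Primary:Kerberos, Primary:Kerberos-Newer-Keys and Primary:WDigest; the same loop lists them, and only the CLEARTEXT one decodes to a password without further work.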
