Forcing plaintext password storage for Samba 4

Stefan (metze) Metzmacher metze at
Wed Nov 10 02:27:56 MST 2010

Hi Angelos,

> in my setup there is the unfortunate requirement to propagate user
> passwords (and changes to them of course) to some external service. I've
> been trying to figure out how to force storage of plaintext passwords in
> the ldap directory (getting the passwords via ldb would be just as good,
> if not better).
> However, I'm not intimately familiar with the protocols and while I've
> been going through the source for a couple of days I'm still not sure
> I've located all the paths that change passwords and I definitely do not
> know how to force the client to send a cleartext hash instead of a hash
> (is there some negotiation step?).
> My latest attempt involved setting the 'reversible encryption' flag for
> a test user and then changing the password. This indeed set a bit in the
> userAccountControl field for that user and added
> msDS-SupportedEncryptionTypes: 0, but I have no idea how to 'reverse'
> this 'encryption'.
> Any hints would be greatly appreciated -- I'm well aware that this kind
> of functionality defeats the purpose of using kerberos auth in a few
> ways, but in our case not having this functionality is a show stopper.
> If this is something I can implement with some guidance, I'd consider
> submitting a patch for it.

I don't know what it's all called in the gui, but you need this in order
to specify that plaintext passwords are stored.

On the domain object "pwdProperties" needs the
and the account needs the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag in

Then the plaintext UTF16 password is stored in the
supplementalCredentials blob
in the Primary:CLEARTEXT field.

The encoding of the supplementalCredentials blob is quite complex see.
setup_supplemental_field() in source4/dsdb/samdb/ldb_modules/password_hash.c
and supplementalCredentialsBlob in librpc/idl/drsblobs.idl.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list