Forcing plaintext password storage for Samba 4

Angelos Oikonomopoulos angelos.oikonomopoulos at
Wed Nov 10 04:20:11 MST 2010

On 11/10/2010 10:27 AM, Stefan (metze) Metzmacher wrote:
> Hi Angelos,

Hello Stefan,

> I don't know what it's all called in the GUI, but you need this in order
> to specify that plaintext passwords are stored.
> On the domain object "pwdProperties" needs the
> and the account needs the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag in
> userAccountControl.
> Then the plaintext UTF16 password is stored in the
> supplementalCredentials blob
> in the Primary:CLEARTEXT field.
> The encoding of the supplementalCredentials blob is quite complex, see
> setup_supplemental_field() in source4/dsdb/samdb/ldb_modules/password_hash.c
> and supplementalCredentialsBlob in librpc/idl/drsblobs.idl.

This is immensely helpful. Just for future reference, the 
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED is set by checking the 'reversible 
encryption' setting on the user's account tab. I have been unable to 
locate the appropriate GUI knob for setting the 
DOMAIN_PASSWORD_STORE_CLEARTEXT bit, but it was easy enough to set it by 

I'm trying to figure out what the best way to decode the blob would be. 
Obviously, I'd like to use the samba functions, but it seems that 
although the functions I want /are/ public symbols in 
/usr/local/samba/lib, the installed includes are not usable. For 
instance, there is no talloc.h which most of the headers reference.

Are the ndr*() functions even intended to be used by external programs?

Would a program that can dump user passwords be welcome as part of 
samba4? I think it would be too much of a hack. Perhaps it's a better 
idea to add an option to store the plaintext password in a 
samba-specific custom field?
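
An audit check for the two settings discussed in this thread, as an added example that is not part of the original message or of Samba's code: it reports whether the domain object has the DOMAIN_PASSWORD_STORE_CLEARTEXT bit in pwdProperties and which accounts carry UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED in userAccountControl. The numeric bit values are the standard Active Directory constants (they do not appear in the thread), and the LDIF export, DNs and account names are constructed sample data.

```python
# Bit values are the standard AD constants; the names are those used in the thread.
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080  # userAccountControl bit
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x0010     # pwdProperties bit on the domain object

# Constructed sample export (plain, unfolded LDIF; no base64 values).
SAMPLE_LDIF = """\
dn: DC=example,DC=test
pwdProperties: 17

dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 640

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 512
"""

def parse_ldif(text):
    """Split simple LDIF into a list of {attribute: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and anything that is not "attr: value"
            key, value = line.split(": ", 1)
            entry.setdefault(key, []).append(value)
        if entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Return (domain_bit_set, accounts_with_reversible_flag)."""
    domain_bit = False
    flagged = []
    for e in entries:
        if "pwdProperties" in e:
            props = int(e["pwdProperties"][0])
            domain_bit |= bool(props & DOMAIN_PASSWORD_STORE_CLEARTEXT)
        uac = int(e.get("userAccountControl", ["0"])[0])
        if uac & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:
            flagged.append(e.get("sAMAccountName", e.get("dn", ["?"]))[0])
    return domain_bit, flagged

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

Per the quoted explanation, a plaintext copy is stored when both the domain bit and the account flag are set, so accounts reported while the domain bit is also true are the ones to review.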

