Forcing plaintext password storage for Samba 4
angelos.oikonomopoulos at fp-commerce.de
Wed Nov 10 04:20:11 MST 2010
On 11/10/2010 10:27 AM, Stefan (metze) Metzmacher wrote:
> Hi Angelos,
> I don't know what it's all called in the gui, but you need this in order
> to specify that plaintext passwords are stored.
> On the domain object "pwdProperties" needs the
> DOMAIN_PASSWORD_STORE_CLEARTEXT flags
> and the account needs the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag in
> Then the plaintext UTF16 password is stored in the
> supplementalCredentials blob
> in the Primary:CLEARTEXT field.
> The encoding of the supplementalCredentials blob is quite complex see.
> setup_supplemental_field() in source4/dsdb/samdb/ldb_modules/password_hash.c
> and supplementalCredentialsBlob in librpc/idl/drsblobs.idl.
This is immensely helpful. Just for future reference, the
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED is set by checking the 'reversible
encryption' setting on the user's account tab. I have been unable to
locate the appropriate gui knob for setting the
DOMAIN_PASSWORD_STORE_CLEARTEXT bit, but it was easy enough to set it by
I'm trying to figure out what the best way to decode the blob would be.
Obviously, I'd like to use the samba functions, but it seems that
although the functions I want /are/ public symbols in
/usr/local/samba/lib, the installed includes are not usable. For
instance, there is no talloc.h which most of the headers reference.
Are the ndr*() functions even intended to be used by external programs?
Would a program that can dump user passwords be welcome as part of
samba4? I think it would be too much of a hack. Perhaps it's a better
idea to add an option to store the plaintext password in a
samba-specific custom field?
More information about the samba-technical