Forcing plaintext password storage for Samba 4

Stefan (metze) Metzmacher metze at samba.org
Wed Nov 10 04:54:37 MST 2010


On 10.11.2010 12:26, Andrew Bartlett wrote:
> On Wed, 2010-11-10 at 12:20 +0100, Angelos Oikonomopoulos wrote:
>> On 11/10/2010 10:27 AM, Stefan (metze) Metzmacher wrote:
>>> Hi Angelos,
>>
>> Hello Stefan,
> 
>> Would a program that can dump user passwords be welcome as part of 
>> samba4? I think it would be too much of a hack. Perhaps it's a better 
>> idea to add an option to store the plaintext password in a 
>> samba-specific custom field?
> 
> I think both would be quite good ideas.  We would simply store the
> plaintext in userPassword, as it is an existing attribute in the schema.
> (to do so properly with replication from Windows, a module below
> replPropertyMetaData would need to intercept the writes to the blob, and
> read the password out and store it as UTF8). 

I don't think that's a good idea, as you'll not get the plaintext
if the pw is changed on a Windows DC.

However, a small Python script that dumps the cleartext from the
supplementalCredentials attribute would be nice to have.

metze
