Forcing plaintext password storage for Samba 4

Angelos Oikonomopoulos angelos.oikonomopoulos at fp-commerce.de
Wed Nov 10 07:04:40 MST 2010


Oops, accidentally sent my reply to Stefan only.

On 11/10/2010 01:19 PM, Angelos Oikonomopoulos wrote:
> On 11/10/2010 12:54 PM, Stefan (metze) Metzmacher wrote:
>> On 10.11.2010 12:26, Andrew Bartlett wrote:
>>> On Wed, 2010-11-10 at 12:20 +0100, Angelos Oikonomopoulos wrote:
>>>> On 11/10/2010 10:27 AM, Stefan (metze) Metzmacher wrote:
>>>>> Hi Angelos,
>>>>
>>>> Hello Stefan,
>>>
>>>> Would a program that can dump user passwords be welcome as part of
>>>> samba4? I think it would be too much of a hack. Perhaps it's a better
>>>> idea to add an option to store the plaintext password in a
>>>> samba-specific custom field?
>>>
>>> I think both would be quite good ideas. We would simply store the
>>> plaintext in userPassword, as it is an existing attribute in the schema.
>>> (to do so properly with replication from Windows, a module below
>>> replPropertyMetaData would need to intercept the writes to the blob, and
>>> read the password out and store it as UTF8).
>>
>> I don't think that's a good idea, as you'll not get the plaintext
>> if the pw is changed on a windows dc.
>>
>> However a small python script that dumps the cleartext from the
>> supplementalCredentials attribute would be nice to have.
>
> Hmm, unfortunately my python-fu is not great, but I'll go through the
> existing examples and see what I can do.
>
> Thanks,
> Aggelos



More information about the samba-technical mailing list