Forcing plaintext password storage for Samba 4
Andrew Bartlett
abartlet at samba.org
Wed Nov 10 14:23:12 MST 2010
On Wed, 2010-11-10 at 12:54 +0100, Stefan (metze) Metzmacher wrote:
> On 10.11.2010 12:26, Andrew Bartlett wrote:
> > On Wed, 2010-11-10 at 12:20 +0100, Angelos Oikonomopoulos wrote:
> >> On 11/10/2010 10:27 AM, Stefan (metze) Metzmacher wrote:
> >>> Hi Angelos,
> >>
> >> Hello Stefan,
> >
> >> Would a program that can dump user passwords be welcome as part of
> >> samba4? I think it would be too much of a hack. Perhaps it's a better
> >> idea to add an option to store the plaintext password in a
> >> samba-specific custom field?
> >
> > I think both would be quite good ideas. We would simply store the
> > plaintext in userPassword, as it is an existing attribute in the schema.
> > (to do so properly with replication from Windows, a module below
> > replPropertyMetaData would need to intercept the writes to the blob, and
> > read the password out and store it as UTF8).
>
> I don't think that's a good idea, as you'll not get the plaintext
> if the pw is changed on a windows dc.

You would - on the same conditions that Samba would set it, and the
suggested python scripts would have it available to parse it.

> However a small python script that dumps the cleartext from the
> supplementalCredentials attribute would be nice to have.

Or an operational attribute that does the same.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.