Forcing plaintext password storage for Samba 4

Andrew Bartlett abartlet at
Wed Nov 10 14:23:12 MST 2010

On Wed, 2010-11-10 at 12:54 +0100, Stefan (metze) Metzmacher wrote:
> Am 10.11.2010 12:26, schrieb Andrew Bartlett:
> > On Wed, 2010-11-10 at 12:20 +0100, Angelos Oikonomopoulos wrote:
> >> On 11/10/2010 10:27 AM, Stefan (metze) Metzmacher wrote:
> >>> Hi Angelos,
> >>
> >> Hello Stefan,
> > 
> >> Would a program that can dump user passwords be welcome as part of 
> >> samba4? I think it would be too much of a hack. Perhaps it's a better 
> >> idea to add an option to store the plaintext password in a 
> >> samba-specific custom field?
> > 
> > I think both would be quite good ideas.  We would simply store the
> > plaintext in userPassword, as it is an existing attribute in the schema.
> > (to do so properly with replication from Windows, a module below
> > replPropertyMetaData would need to intercept the writes to the blob, and
> > read the password out and store it as UTF8). 
> I don't think that's a good idea, as you'll not get the plaintext
> if the pw is changed on a windows dc.

You would - on the same conditions that Samba would set it, and the
suggested python scripts would have it available to parse it. 

> However a small python script that dumps the cleartext from the
> supplementalCredentials attribute would be nice to have.

Or an operational attribute that does the same.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list