Exposing password hashes to an LDAP client.

Matthias Dieter Wallnöfer mdw at samba.org
Sat Mar 19 05:04:53 MDT 2011


I'm with you. Password handling is so inherently complex in s4 (the 
various AD function levels, support for "userPassword", and LM hashes) 
that I wouldn't add any feature to the existing password hash LDB 
module. Do you still remember how long it took to integrate and fix up 
my changes? A year I think.

Btw. don't forget my EXOP branch - I have also made tridge aware of that 
:) !


Andrew Bartlett wrote:
> The issue here is that brenden needs a sha1 hash, and we don't currently
> store that.  We certainly could have password_hash store an additional
> hash - otherwise, you would need to store and expose the plaintext.
> I would support such an optional extension - the main issue would be
> that all the DCs must be Samba4 and configured in the same way or it
> won't work.
> Andrew Bartlett

More information about the samba-technical mailing list