[PATCH] Register bypass control in password hashes ldb module

Matthieu Patou mat at samba.org
Fri Jul 20 08:28:03 MDT 2012


On 07/20/2012 03:13 AM, Samuel Cabrero wrote:
> Hi,
>
> let me introduce myself. My name is Samuel and I am a Zentyal developer,
> where we have been working to integrate samba4 in our Zentyal Server
> product.
>
> I submit a patch for your review and hope to have it included in master.
> The patch registers the DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID control in
> the password hashes LDB module to allow writing the kerberos keys in the
> samba4 LDAP.
>
> This patch is needed when you have your users stored in an external
> database and want to import them to samba after the provision. In our
> particular case the users are stored in openldap with the heimdal keys,
> so after provision we extract the hashes from the krb5Key attributes,
> generate the supplementalCredentials blob and the unicodePwd attribute
> and write them to the samba user entry registering this control to
> execute the LDAP modify request.
I'm not too pleased with this kind of control, potentially bad guys 
could use it for doing wrong things.
I understand your need but we can't make this control available over LDAP.

Also, did you have a look at the samba3upgrade of samba-tool domain? I
suspect it's doing things similar to what you want to achieve.

Matthieu.


-- 
Matthieu Patou
Samba Team
http://samba.org


