Backend documentation?

Andrew Bartlett abartlet at
Sat Apr 13 21:48:52 MDT 2013

On Sat, 2013-04-13 at 14:10 +0200, Yoann Gini wrote:
> Le 13 avr. 2013 à 13:06, Andrew Bartlett <abartlet at> a écrit :
> > The issue is this:  To change passwords you need the old password hash
> > to verify the new password.  You need a way to get that old password
> > hash out of the PasswordService.  My understanding is that this is
> > intentionally difficult (part of the design, to try and keep all the
> > crypto inside that box). 
> > 
> > The same applies for being able to accept domain logins.  The auth
> > plugin code doesn't handle either of these cases, it just assumes passdb
> > provides read access to the hashes. 
> > 
> > Only then can we read the plaintext password.  At that point our passdb
> > backend can submit the plaintext passwords to the LDAP server using the
> > password change/set exop.  If the PasswordService will accept it, a
> > patched pdb_ldap could instead set it there.
> I’ve thought about one; it’s tricky, but the PasswordService database is an LDAP database with some restricted access. Here is an extract of what we can get:
> dn: authGUID=79c4b078-49ca-11e2-9695-0050563fdd05,cn=users,cn=authdata
> objectClass: pwsAuthdata
> draft-krbPrincipalName: alice at LAB.OFFICE.INIG-SERVICES.COM
> draft-krbTicketPolicy: 326
> draft-krbKeySet:: MIIBC6EDAgEJoIIBAjCB/zBboSswKaADAgESoSIEIDCzR/8HiG46Pee31qOI
> uid: alice
> authGUID: 79c4b078-49ca-11e2-9695-0050563fdd05
> loginFailedAttempts: 2
> creationDate: 20121219105434Z
> passwordModDate: 20130413114843Z
> lastLoginTime: 20130413114158Z
> userLinkage: 6ebccf99-9034-48da-a119-e5561be5f347
> password:: 6h7tUEiULsg=
> cmusaslsecretSMBNT: 4039730E1BF6E10DD01EAAC983DB4D7C40A0C1609E7F0000206A7A0D01
>  000000
> cmusaslsecretDIGEST-MD5:: 2Qvzdbf2zJ32C0zBwtSTFw==
> cmusaslsecretCRAM-MD5:: 8MNiRN2wPF33Rnew+uPbv3EV0cA8VPimh9/COEAn4QE=
> cmusaslsecretPPS:: FEDXQkKfMefvwi48ZekZE7aH8eukRula
> cmusaslsecretDIGEST-UMD5:: MJSZQKSdJH0bbgO7Cf/ycQ==
> The user password here is alice, for information.
> So, even if it’s not possible to extract the password hash from the PasswordService, we can access the service database…

Great!  This certainly gives you what you need, and shows the key
material can be extracted easily and via a useful protocol.

So, you could either define some kind of LDAP proxy in front of both
servers to re-connect them into what pdb_ldap sees as a consistent
record (and use the ldap password sync = only option to force password
sets to be handled in that proxy/backend), or patch pdb_ldap to do that
in a Samba module. 

Given that, you wouldn't use the auth module, unless you particularly
wanted to have the PasswordService do the actual password check (perhaps
for a bad password count?).

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
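As an added example (not code from the thread or from Samba), here is a small audit helper that parses a PasswordService authdata record in the LDIF form quoted above, unfolding the single-space continuation line and decoding the `::` base64 values, and then reports which credential-bearing attributes are readable and how large the stored secrets are. The attribute list and the sample record are taken from the record Yoann quoted (trimmed to a few attributes); the hex-detection heuristic for `cmusaslsecretSMBNT` is an assumption of this example, not a documented PasswordService rule.

```python
import base64
import string
from typing import Dict, List

# Attributes in the quoted authdata record that hold reusable credential
# material (password equivalents or Kerberos keys). Taken from the post.
CREDENTIAL_ATTRS = {
    "password",
    "draft-krbKeySet",
    "cmusaslsecretSMBNT",
    "cmusaslsecretDIGEST-MD5",
    "cmusaslsecretCRAM-MD5",
    "cmusaslsecretPPS",
    "cmusaslsecretDIGEST-UMD5",
}

# Trimmed copy of the record quoted in the thread; the line starting with a
# single space is an LDIF continuation of the cmusaslsecretSMBNT value.
SAMPLE_RECORD = "\n".join([
    "dn: authGUID=79c4b078-49ca-11e2-9695-0050563fdd05,cn=users,cn=authdata",
    "objectClass: pwsAuthdata",
    "draft-krbPrincipalName: alice at LAB.OFFICE.INIG-SERVICES.COM",
    "uid: alice",
    "loginFailedAttempts: 2",
    "passwordModDate: 20130413114843Z",
    "password:: 6h7tUEiULsg=",
    "cmusaslsecretSMBNT: 4039730E1BF6E10DD01EAAC983DB4D7C40A0C1609E7F0000206A7A0D01",
    " 000000",
    "cmusaslsecretDIGEST-MD5:: 2Qvzdbf2zJ32C0zBwtSTFw==",
    "cmusaslsecretCRAM-MD5:: 8MNiRN2wPF33Rnew+uPbv3EV0cA8VPimh9/COEAn4QE=",
])


def parse_ldif_record(text: str) -> Dict[str, List[bytes]]:
    """Parse one LDIF record into attribute -> list of values (as bytes).

    Handles the two LDIF features visible in the quoted dump:
      * a line beginning with one space continues the previous line;
      * 'attr:: value' marks a base64-encoded value, 'attr: value' is plain.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    record: Dict[str, List[bytes]] = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        record.setdefault(attr, []).append(value)
    return record


def _secret_size(value: bytes) -> int:
    """Size in bytes of the stored secret.

    Heuristic (assumption of this example): a plain value made only of hex
    digits, like cmusaslsecretSMBNT above, is hex-encoded, so decode it to
    report the real secret length rather than the length of its text form.
    """
    text = value.decode("ascii", errors="replace")
    if text and len(text) % 2 == 0 and all(c in string.hexdigits for c in text):
        return len(bytes.fromhex(text))
    return len(value)


def audit_record(text: str) -> Dict[str, int]:
    """Return {attribute: secret size in bytes} for every credential-bearing
    attribute that is readable in the record. An empty result means the
    bind identity used for the export was not granted those attributes."""
    record = parse_ldif_record(text)
    return {
        attr: _secret_size(record[attr][0])
        for attr in sorted(CREDENTIAL_ATTRS & record.keys())
    }


if __name__ == "__main__":
    for attr, size in audit_record(SAMPLE_RECORD).items():
        print(f"{attr}: {size} bytes of credential material readable")
```

Feed it the output of an `ldapsearch` export taken with the identity Samba would bind as; any attribute listed in the report is credential material that identity can read, which is exactly what an ACL on the authdata container should be withholding from everything except the PasswordService itself.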
