[PATCH] Set password from nt-hash. Useful to sync password from OpenLdap.

Andrew Bartlett abartlet at samba.org
Thu Oct 8 04:31:59 UTC 2015


On Wed, 2015-10-07 at 16:51 -0700, Jeremy Allison wrote:
> On Mon, Oct 05, 2015 at 05:46:54PM +0200, Alberto Maria Fiaschi
> wrote:
> > From 1354f76aa702504e83ac5463c85cd0f82b9a675d Mon Sep 17 00:00:00
> > 2001
> > From: Alberto Maria Fiaschi <alberto.fiaschi at estar.toscana.it>
> > Date: Wed, 10 Jun 2015 15:26:58 +0200
> > Subject: [PATCH] Add --set-nt-hash option to pdbedit to update user
> > password
> >  from nt-hash hexstring.
> > 
> > Useful to keep passwords in sync with another repository.
> > (Modify MASK_USER_GOOD to include the new flag BIT_PWSETNTHASH.)
> > 
> > pdbedit -vw also shows the password hashes.
> > 
> > Split pdb_set_plaintext_passwd into two functions:
> > pdb_set_plaintext_passwd and pdb_update_history.
> > pdb_update_history updates the password history and is called from
> > pdb_set_plaintext_passwd.
> 
> OK, I took a look at this - there are some things
> I like. The good:
> 
> 1). Split pdb_set_plaintext_passwd into two functions:
> pdb_set_plaintext_passwd and pdb_update_history.
> 
> looks like a nice cleanup change.
> 
> The bad:
> 
> I'm not 100% convinced of the utility of updating
> the NT-hash directly. What exactly is your use-case
> here?

Large, multi-site migrations to Samba AD DC from Samba3.  These are not
'pull the switch' operations, and while other changes can be banned for
the week, password changes can often be required (or enforced by age)
during the migration period.  This patch allows one way to push these
new hash values into sam.ldb (the reverse, pushing them into the
traditional ldap backend is as easy as an ldapmodify, but sam.ldb is
deliberately a bit harder because someone has to null out the
supplementalCredentials).  Going via passdb and pdb_samba_dsdb allows
re-use of the code path we set up for the classicupgrade tool.

> and the ugly:
> 
> I really don't like the -vw change that dumps out
> password hashes. I don't think we should make that
> particularly easy to do (although it's not a security
> issue per se).

-w already does that, just in 'smbpasswd' format, and even if it
didn't, we can also export to smbpasswd format.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
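An added example of the sync step Andrew describes, written for this page and not taken from the Samba tree or from the patch: it reads an ldapsearch export of Samba3 accounts from the OpenLDAP backend, validates each sambaNTPassword value, and emits one pdbedit line per account for the AD DC side, plus the ldapmodify change record for the reverse direction. The sample LDIF is constructed; the attribute names sambaNTPassword and sambaPwdLastSet are from the Samba3 LDAP schema; the option spelling `pdbedit -u USER --set-nt-hash=HEX` is assumed from the patch description and is not verified against a built pdbedit.

```python
"""Added example (not Samba code): convert an OpenLDAP export of Samba3
accounts into pdbedit --set-nt-hash invocations for sam.ldb, and build the
reverse ldapmodify LDIF.  The pdbedit option syntax is assumed from the
patch description (-u USER --set-nt-hash=HEX)."""
import base64
import re
import shlex

# Constructed sample, shaped like 'ldapsearch -LLL' output.  bob's hash is
# folded across two lines (LDIF continuation = leading space); carol has
# the all-X placeholder Samba3 stores for an account without a password.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
sambaPwdLastSet: 1444256000

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
sambaNTPassword: 31d6cfe0d16ae931b73c59
 d7e0c089c0
sambaPwdLastSet: 1444256001

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"""

NT_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_ldif(text):
    """Split LDIF into one {attr: value} dict per entry.  Folded lines are
    rejoined and '::' (base64) values decoded; for the single-valued Samba
    attributes used here the last occurrence wins."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current[attr] = value
    if current:
        entries.append(current)
    return entries


def normalize_nt_hash(value):
    """Accept only 16 bytes of hex and return it upper-case, as smbpasswd(5)
    writes it.  The placeholder and anything malformed raise, so a broken
    export never becomes a pdbedit call that sets a garbage hash."""
    if not NT_HASH_RE.match(value):
        raise ValueError("not a 32-digit hex NT hash: %r" % value)
    return value.upper()


def pdbedit_argv(uid, nt_hash):
    """argv for the proposed option (assumed: pdbedit -u USER --set-nt-hash=HEX)."""
    return ["pdbedit", "-u", uid, "--set-nt-hash=" + normalize_nt_hash(nt_hash)]


def sync_commands(ldif_text):
    """Return (commands, skipped): one shell line per usable account, and
    (uid, reason) pairs for entries that could not be converted."""
    commands, skipped = [], []
    for entry in parse_ldif(ldif_text):
        if "uid" not in entry or "sambaNTPassword" not in entry:
            continue
        try:
            argv = pdbedit_argv(entry["uid"], entry["sambaNTPassword"])
        except ValueError as exc:
            skipped.append((entry["uid"], str(exc)))
            continue
        commands.append(" ".join(shlex.quote(a) for a in argv))
    return commands, skipped


def ldapmodify_ldif(dn, nt_hash, pwd_last_set):
    """Reverse direction: an ldapmodify change record replacing
    sambaNTPassword and the sambaPwdLastSet epoch stamp in OpenLDAP."""
    return (
        "dn: %s\nchangetype: modify\n"
        "replace: sambaNTPassword\nsambaNTPassword: %s\n-\n"
        "replace: sambaPwdLastSet\nsambaPwdLastSet: %d\n"
        % (dn, normalize_nt_hash(nt_hash), pwd_last_set)
    )


if __name__ == "__main__":
    cmds, skipped = sync_commands(SAMPLE_LDIF)
    print("\n".join(cmds))
    for uid, why in skipped:
        print("# skipped %s: %s" % (uid, why))
    print(ldapmodify_ldif("uid=alice,ou=People,dc=example,dc=org",
                          "8846f7eaee8fb117ad06bdd830b7586c", 1444256000))
```

The generated lines put the NT hash on the command line, where it is readable by every local user through the process list and ends up in shell history if pasted interactively; run them from a script on the DC itself rather than an interactive shell, and treat the export file like the smbpasswd file it is equivalent to. Accounts whose export carries the all-X placeholder are reported rather than silently dropped, since a missing account after migration is easier to explain than one whose hash was set to junk.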
