[PATCH] Set password from nt-hash. Useful to sync password from OpenLdap.
Jeremy Allison
jra at samba.org
Thu Oct 8 19:34:09 UTC 2015
On Thu, Oct 08, 2015 at 05:31:59PM +1300, Andrew Bartlett wrote:
> On Wed, 2015-10-07 at 16:51 -0700, Jeremy Allison wrote:
> > On Mon, Oct 05, 2015 at 05:46:54PM +0200, Alberto Maria Fiaschi
> > wrote:
> > > From 1354f76aa702504e83ac5463c85cd0f82b9a675d Mon Sep 17 00:00:00
> > > 2001
> > > From: Alberto Maria Fiaschi <alberto.fiaschi at estar.toscana.it>
> > > Date: Wed, 10 Jun 2015 15:26:58 +0200
> > > Subject: [PATCH] Add --set-nt-hash option to pdbedit to update user
> > > password
> > > from nt-hash hexstring.
> > >
> > > Useful to keep passwords in sync with another repository.
> > > (Modify MASK_USER_GOOD to include new flag BIT_PWSETNTHASH)
> > >
> > > pdbedit -vw also shows password hashes.
> > >
> > > Split pdb_set_plaintext_passwd into two functions:
> > > pdb_set_plaintext_passwd and pdb_update_history.
> > > pdb_update_history updates password history and is called from
> > > pdb_set_plaintext_passwd.
> >
> > OK, I took a look at this - there are some things
> > I like. The good:
> >
> > 1). Split pdb_set_plaintext_passwd in two function:
> > pdb_set_plaintext_passwd and pdb_update_history.
> >
> > looks like a nice cleanup change.
> >
> > The bad:
> >
> > I'm not 100% convinced of the utility of updating
> > directly the NT-hash. What exactly is your use-case
> > here ?
>
> Large, multi-site migrations to Samba AD DC from Samba3. These are not
> 'pull the switch' operations, and while other changes can be banned for
> the week, password changes can often be required (or enforced by age)
> during the migration period. This patch allows one way to push these
> new hash values into sam.ldb (the reverse, pushing them into the
> traditional ldap backend is as easy as an ldapmodify, but sam.ldb is
> deliberately a bit harder because someone has to null out the
> supplementalCredentials). Going via passdb and pdb_samba_dsdb allows
> re-use of the code path we set up for the classicupgrade tool.

OK, I'll take another look then !

> -w already does that, just in 'smbpasswd' format, and even if it
> didn't, we can also export to smbpasswd format.

Ah. I'd forgotten that (if indeed I ever knew :-).
Objection withdrawn on that then :-).