PATCHES: Password sync as active directory domain controller

Andrew Bartlett abartlet at samba.org
Fri Jul 8 20:00:19 UTC 2016


On Tue, 2016-06-28 at 21:16 +0200, Stefan Metzmacher wrote:

> > Thanks.  I realise this is highly inconvenient to ask now as you
> > probably have this already deployed somewhere, but I think the
> > encrypted plaintext blob needs a checksum against the other
> > password. 
> 
> Yes, customers are already using it.
> 
> But we may be able to make a compatible change and create a
> checksum (sha512 ?) over the Primary:Kerberos-Newer-Keys
> and use a Primary:SambaGPG_HEXSTRINGOFCHECKSUM as key to
> store the GPG value.
> 
> But still fallback if only Primary:SambaGPG is available.

I just realised, this objection is silly.  We are storing the plaintext
password, we can do the check, if required, on read :-).  It would be
great if we double check it against unicodePwd (because that is the
easiest to check in python), but please consider my objection on this
point withdrawn.

> > That is, we need to encode the current password from one of the
> > Windows-supported schemes into the blob, so we don't output the old
> > password, because I think it is too fragile to base this on the
> > position re-order (and this may break other extensions we add).
> > 
> > Also, I really like the ability to get at the plaintext password if
> > required, but I don't quite understand why the work to create
> > the virtualCryptSHA512 attribute is done at extraction time.  Why not
> > move this part outside the GPG blob, remove the complexity and
> > dependency of invoking GPG, and ensure that we don't have the plaintext
> > password for those use cases?
> 
> If you want you can also implement that and store a Primary:CryptSHA512
> blob and get the virtualCryptSHA512 out of that if available.
> 
> My main goal was to avoid forcing us to know what format we will later
> be able to get.

Yeah, I get that.  I'm keen on this extra feature because it avoids the
GPG complexity, but it is just an extra feature request.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba