PATCHES: Password sync as active directory domain controller

Andrew Bartlett abartlet at
Fri Jul 8 20:00:19 UTC 2016

On Tue, 2016-06-28 at 21:16 +0200, Stefan Metzmacher wrote:

> > Thanks.  I realise this is highly inconvenient to ask now as you
> > probably have this already deployed somewhere, but I think the
> > encrypted plaintext blob needs a checksum against the other
> > password. 
> Yes, customers are already using it.
> But we may be able to make a compatible change and create a
> checksum (sha512 ?) over the Primary:Kerberos-Newer-Keys
> and use a Primary:SambaGPG_HEXSTRINGOFCHECKSUM as key to
> store the GPG value.
> But still fallback if only Primary:SambaGPG is available.

I just realised, this objection is silly.  We are storing the plaintext
password, we can do the check, if required, on read :-).  It would be
great if we double check it against unicodePwd (because that is the
easiest to check in python), but please consider my objection on this
point withdrawn.

> > That is, we need to encode the current password from one of the
> > Windows-supported schemes into the blob, so we don't output the old
> > password, because I think it is too fragile to base this on the
> > position re-order (and this may break other extensions we add).
> > 
> > Also, I really like the ability to get at the plaintext password if
> > required, but I don't quite understand why the work to create
> > the virtualCryptSHA512 attribute is done at extraction time.  Why not
> > move this part outside the GPG blob, remove the complexity and
> > dependency of invoking GPG, and ensure that we don't have the plaintext
> > password for those use cases?
> If you want you can also implement that and store a Primary:CryptSHA512
> blob and get the virtualCryptSHA512 out of that if available.
> My main goal was to avoid forcing us to know what format we will later
> be able to get.

Yeah, I get that.  I'm keen on this extra feature because it avoids the
GPG complexity, but it is just an extra feature request.

Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
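
The read-side check discussed above (only hand out the decrypted plaintext if it still agrees with unicodePwd) together with the checksum-keyed package name and fallback to a bare Primary:SambaGPG, as an added Python example. This is not Samba's code and not code from either participant: the credential layout (a dict from attribute or package name to bytes), the choice of SHA-512 over the raw Primary:Kerberos-Newer-Keys bytes in lower-case hex for the package name, and the `decrypt` callable standing in for the GPG step are all assumptions made for the example. MD4 is implemented inline because hashlib may refuse `md4` on OpenSSL 3 builds with legacy digests disabled. The virtualCryptSHA512 side of the discussion is not shown.

```python
"""Consistency check for a GPG-wrapped plaintext password stored next to
the hashed credentials (added example; the layout is an assumption)."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), carried here because hashlib's 'md4' is
    often unavailable on OpenSSL 3 builds."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)          # 64-bit little-endian length

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                idx = (-i) % 4                  # register updated: a, d, c, b, ...
                p, q, r = (s[(idx + j) % 4] for j in (1, 2, 3))
                s[idx] = _lrot((s[idx] + fn(p, q, r) + x[k] + const) & MASK, shifts[i % 4])
        state = [(v + w) & MASK for v, w in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """unicodePwd as AD stores it: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))


def gpg_package_name(kerberos_newer_keys: bytes) -> str:
    """Package name that ties the GPG blob to the Kerberos keys it was written
    with.  Assumption: SHA-512 over the raw package bytes, lower-case hex."""
    return "Primary:SambaGPG_" + hashlib.sha512(kerberos_newer_keys).hexdigest()


def select_gpg_blob(creds: dict, kerberos_newer_keys: bytes):
    """Prefer the checksum-keyed blob; fall back to a bare Primary:SambaGPG.
    Returns (blob or None, whether the checksum-keyed name matched)."""
    keyed = gpg_package_name(kerberos_newer_keys)
    if keyed in creds:
        return creds[keyed], True
    if "Primary:SambaGPG" in creds:
        return creds["Primary:SambaGPG"], False
    return None, False


def recover_password(creds: dict, decrypt):
    """Return the plaintext only if its NT hash equals unicodePwd, else None.
    `decrypt` stands in for the GPG decryption step (assumption)."""
    blob, _keyed = select_gpg_blob(creds, creds.get("Primary:Kerberos-Newer-Keys", b""))
    if blob is None:
        return None
    plaintext = decrypt(blob).decode("utf-8")
    if not hmac.compare_digest(nt_hash(plaintext), creds["unicodePwd"]):
        return None         # blob is from an earlier password: never hand it out
    return plaintext


# Constructed sample data.  The "GPG blob" here is just the UTF-8 password,
# so the stand-in decrypt is the identity; real data would go through gpg.
KRB_KEYS = b"\x00\x01constructed-Kerberos-Newer-Keys-package"
CURRENT = {
    "unicodePwd": nt_hash("password"),
    "Primary:Kerberos-Newer-Keys": KRB_KEYS,
    gpg_package_name(KRB_KEYS): b"password",
}
STALE = {   # password was changed, but only the old bare blob survived
    "unicodePwd": nt_hash("password"),
    "Primary:Kerberos-Newer-Keys": KRB_KEYS,
    "Primary:SambaGPG": b"Old-Secret1",
}


def identity(blob: bytes) -> bytes:
    return blob


if __name__ == "__main__":
    print(recover_password(CURRENT, identity))  # password
    print(recover_password(STALE, identity))    # None
```

Comparing the NT hash with `hmac.compare_digest` keeps the check constant-time; the fallback path still goes through the same comparison, so an out-of-date Primary:SambaGPG from before a password change is rejected rather than returned as the current password.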
