PATCHES: Password sync as active directory domain controller
metze at samba.org
Mon Jul 11 20:38:19 UTC 2016
On 08.07.2016 at 22:00, Andrew Bartlett wrote:
> On Tue, 2016-06-28 at 21:16 +0200, Stefan Metzmacher wrote:
>>> Thanks. I realise this is highly inconvenient to ask now as you
>>> probably have this already deployed somewhere, but I think the
>>> encrypted plaintext blob needs a checksum against the other
>> Yes, customers are already using it.
>> But we may be able to make a compatible change and create a
>> checksum (sha512 ?) over the Primary:Kerberos-Newer-Keys
>> and use a Primary:SambaGPG_HEXSTRINGOFCHECKSUM as key to
>> store the GPG value.
>> But still fall back if only Primary:SambaGPG is available.
> I just realised, this objection is silly. We are storing the plaintext
> password, we can do the check, if required, on read :-). It would be
> great if we double check it against unicodePwd (because that is the
> easiest to check in python), but please consider my objection on this
> point withdrawn.
Ok, I'll add this verification on read.
> Yeah, I get that. I'm keen on this extra feature because it avoids the
> GPG complexity, but it is just an extra feature request.
Feel free to implement it on top.