PATCHES: Password sync as active directory domain controller

Alexander Bokovoy ab at samba.org
Tue Jul 19 11:52:18 UTC 2016


On Tue, 19 Jul 2016, Stefan Metzmacher wrote:
> On 11.07.2016 at 22:38, Stefan Metzmacher wrote:
> > On 08.07.2016 at 22:00, Andrew Bartlett wrote:
> >> On Tue, 2016-06-28 at 21:16 +0200, Stefan Metzmacher wrote:
> >>
> >>>> Thanks.  I realise this is highly inconvenient to ask now as you
> >>>> probably have this already deployed somewhere, but I think the
> >>>> encrypted plaintext blob needs a checksum against the other
> >>>> password. 
> >>>
> >>> Yes, customers are already using it.
> >>>
> >>> But we may be able to make a compatible change and create a
> >>> checksum (sha512 ?) over the Primary:Kerberos-Newer-Keys
> >>> and use a Primary:SambaGPG_HEXSTRINGOFCHECKSUM as key to
> >>> store the GPG value.
> >>>
> >>> But still fallback if only Primary:SambaGPG is available.
> >>
> >> I just realised, this objection is silly.  We are storing the plaintext
> >> password, we can do the check, if required, on read :-).  It would be
> >> great if we double check it against unicodePwd (because that is the
> >> easiest to check in python), but please consider my objection on this
> >> point withdrawn.
> > 
> > Ok, I'll add this verification on read.
> > 
> 
> Added, my master4-gpgme branch does not conflict with master4-smart-*
> any more.
> I think it's ready to push.
Thanks. If you don't mind, I'll re-run my tests on Thursday (traveling
tomorrow) and will give you final ACK on my side by that time.

-- 
/ Alexander Bokovoy
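The on-read verification Andrew proposes above (check the decrypted plaintext against unicodePwd), written out as an added example that is not code from the Samba tree: it assumes the Primary:SambaGPG blob has already been decrypted and only does the consistency check, comparing the NT hash of the plaintext with the stored unicodePwd value. MD4 is implemented inline because hashlib on OpenSSL 3 builds often lacks it; the sample attribute value below is constructed.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320). unicodePwd is the NT hash, i.e. MD4 over the
    # UTF-16LE password, and hashlib's md4 is frequently unavailable.
    def lrot(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:        # round 1: F(b,c,d), no additive constant
                f, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:      # round 2: G(b,c,d) + 0x5A827999
                j = i - 16
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = (j % 4) * 4 + j // 4, (3, 5, 9, 13)[i % 4]
            else:             # round 3: H(b,c,d) + 0x6ED9EBA1
                f = (b ^ c ^ d) + 0x6ED9EBA1
                k, s = r3_order[i - 32], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, lrot((a + f + x[k]) & MASK, s), b, c
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash as stored in unicodePwd: MD4 over the UTF-16LE encoded password."""
    return _md4(password.encode("utf-16-le"))


def plaintext_consistent_with_unicodepwd(plaintext: str, unicode_pwd: bytes) -> bool:
    """On read, accept the decrypted plaintext only if its NT hash equals the
    unicodePwd stored next to the GPG blob; a mismatch means the two password
    attributes have drifted apart and the plaintext must not be trusted."""
    return hmac.compare_digest(nt_hash(plaintext), unicode_pwd)


# Constructed sample: what a reader of the user object would see in unicodePwd.
SAMPLE_UNICODE_PWD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")

if __name__ == "__main__":
    print(plaintext_consistent_with_unicodepwd("password", SAMPLE_UNICODE_PWD))  # True
    print(plaintext_consistent_with_unicodepwd("passw0rd", SAMPLE_UNICODE_PWD))  # False
```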
