[PROPOSAL] Add tests for supplementalCredentials, store other hash types

Andrew Bartlett abartlet at samba.org
Mon Apr 3 04:09:20 UTC 2017

G'Day Metze,

I just wanted to give you a heads-up that Gary (CC'ed) is working on
the issue I raised almost a year ago, regarding storing the sha512
hashes rather than the plaintext password under GPG.

In preparation for that, tomorrow he will send in some tests to lock in
the baseline behaviour of supplementalCredentials, including the HTTP
digest values, then a small refactor so that we can practically add
additional packages.

I'm sorry I don't have code to show right now, but our design is to
store a new package named Primary:userPassword{SHA512} (or {SHA265}),
following from the OpenLDAP use of rfc2307 in this area.  Perhaps
Microsoft may even be encouraged to do the same some day!  

For Samba, storage will be controlled by an smb.conf option.

The idea will be to re-use and extend your syncpasswords work to expose
these to users needing access. 

Andrew Bartlett

