[PROPOSAL] Add tests for supplementalCredentials, store other hash types

Stefan Metzmacher metze at samba.org
Tue Apr 4 08:17:11 UTC 2017


Hi Andrew,

>> I just wanted to give you a heads-up that Gary (CC'ed) is working on
>> the issue I raised almost a year ago, regarding storing the sha512
>> hashes rather than the plaintext password under GPG.
>>
>> In preparation for that, tomorrow he will send in some tests to lock in
>> the base-line behaviour of supplementalCredentials, including the HTTP
>> digest values, then a small re-factor so that we can practically add
>> additional packages.
>>
>> I'm sorry I don't have code to show right now, but our design is to
>> store a new package named Primary:userPassword{SHA512} (or {SHA265}),
>> following from the OpenLDAP use of rfc2307 in this area.  Perhaps
>> Microsoft may even be encouraged to do the same some day!  
>>
>> Storage will for Samba be controlled by an smb.conf option.
>>
>> The idea will be to re-use and extend your syncpasswords work to expose
>> these to users needing access.
> 
> This work progresses well, and some of the patches have already been
> posted. 
> 
> The work in progress so far is at
> http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/gary-
> password-hash

I think one important thing is that it's possible to configure more than
one hashing scheme, which is important for soft migrations.
Note that {SHA256} and {SHA512} are not valid scheme names in RFC2307,
"{CRYPT}" is the generic prefix for these.

Maybe a configuration like this:

password hash openldap schemes =
or
password hash userpassword schemes =

   {CRYPT}:alg=5:round=1500 {SSHA} {CRYPT}:alg=6

Looking at the code it seems that 'Primary:userPassword' is used as the name
while the structure is named package_PrimaryOpenLDAPuserPasswordBlob;
I think we should have a more consistent naming.

While refactoring in
http://git.catalyst.net.nz/gw?p=samba.git;a=commitdiff;h=90b2068190d2fbaa3107783eff2a6c21998694e0
I think we should change the logic to match Windows a bit more.
E.g. we need to start with the old supplementalCredentials structure
and remove any known packages and then re-add them with new values.
That means that unknown packages will be kept and listed first.
This will hopefully avoid some trouble in future if Windows or we add
new packages, which may not be based on the password.

metze
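The two proposals in the mail above, an ordered list of userPassword hashing schemes for soft migration and the "keep unknown packages first, replace only known ones" rebuild of supplementalCredentials, as an added example that is not part of this thread and not Samba's code. `Scheme`, `KNOWN_PACKAGES`, `rebuild_packages` and the `HASHERS` registry are inventions of this example; the package list is a plain list of (name, bytes) pairs rather than Samba's NDR structures; `Primary:userPassword` is the name proposed in the thread, the other package names are the well-known ones from MS-SAMR, and `Vendor:Foo` is a constructed stand-in for a package the code does not know. Only {SSHA} is implemented as a hasher; a {CRYPT} hasher (sha256-crypt for alg=5, sha512-crypt for alg=6) would be plugged into the registry by the caller.

```python
"""Added example, not code from this thread or from Samba."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Scheme:
    name: str                                    # name inside the braces, e.g. "CRYPT"
    params: dict = field(default_factory=dict)   # e.g. {"alg": "5", "round": "1500"}


def parse_scheme_list(spec: str) -> list:
    """Parse "{CRYPT}:alg=5:round=1500 {SSHA} {CRYPT}:alg=6" into Scheme entries.

    Order is preserved: the first entry is the preferred scheme, later ones are
    kept for consumers that can only verify an older format (soft migration).
    """
    schemes = []
    for token in spec.split():
        head, *opts = token.split(":")
        if len(head) < 3 or head[0] != "{" or head[-1] != "}":
            raise ValueError(f"bad scheme token {token!r}: expected {{NAME}}")
        params = {}
        for opt in opts:
            key, sep, value = opt.partition("=")
            if not (sep and key and value):
                raise ValueError(f"bad option {opt!r} in {token!r}: expected key=value")
            params[key] = value
        if "round" in params and not params["round"].isdigit():
            raise ValueError(f"round must be a positive integer in {token!r}")
        schemes.append(Scheme(head[1:-1].upper(), params))
    return schemes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 style {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value with a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]            # SHA-1 digest is 20 bytes
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


# scheme name -> hasher(password, params). Only {SSHA} is provided here; a
# {CRYPT} hasher honouring alg/round would be registered by the caller.
HASHERS = {"SSHA": lambda password, params: ssha_hash(password)}


def userpassword_values(password: str, schemes: list, hashers=HASHERS) -> list:
    """One userPassword value per configured scheme, in configured order.

    A configured scheme without a registered hasher is a configuration error
    and is reported rather than silently skipped."""
    values = []
    for scheme in schemes:
        if scheme.name not in hashers:
            raise ValueError(f"no hasher registered for {{{scheme.name}}}")
        values.append(hashers[scheme.name](password, scheme.params))
    return values


# Password-derived packages this code regenerates. Anything not listed here is
# "unknown" and must survive a rebuild untouched.
KNOWN_PACKAGES = frozenset({
    "Primary:Kerberos-Newer-Keys", "Primary:Kerberos", "Primary:WDigest",
    "Primary:CLEARTEXT", "Primary:userPassword",
})


def rebuild_packages(existing: list, fresh: list, known=KNOWN_PACKAGES) -> list:
    """Rebuild a package list the way the mail proposes.

    existing: current (name, data) pairs from supplementalCredentials.
    fresh:    regenerated (name, data) pairs for known packages.
    Unknown packages come first, in their original order, followed by the
    fresh known packages; known packages absent from `fresh` are dropped."""
    for name, _ in fresh:
        if name not in known:
            raise ValueError(f"refusing to overwrite unknown package {name!r}")
    kept = [(name, data) for name, data in existing if name not in known]
    return kept + list(fresh)


if __name__ == "__main__":
    values = userpassword_values("correct horse", parse_scheme_list("{SSHA}"))
    existing = [("Vendor:Foo", b"opaque"),          # constructed unknown package
                ("Primary:Kerberos", b"old-keys"),
                ("Primary:WDigest", b"old-digests")]
    fresh = [("Primary:Kerberos", b"new-keys"),
             ("Primary:userPassword", values[0].encode("ascii"))]
    for name, data in rebuild_packages(existing, fresh):
        print(name, data)
```

Running it prints `Vendor:Foo` first with its data untouched, then the regenerated `Primary:Kerberos` and the new `Primary:userPassword`; `Primary:WDigest` disappears because it was not regenerated, which is the behaviour the mail asks for when a known package is no longer produced.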
