[PROPOSAL] Add tests for supplementalCredentials, store other hash types

Stefan Metzmacher metze at samba.org
Tue Apr 4 08:24:59 UTC 2017


On 04.04.2017 at 10:17, Stefan Metzmacher via samba-technical wrote:
> Hi Andrew,
> 
>>> I just wanted to give you a heads-up that Gary (CC'ed) is working on
>>> the issue I raised almost a year ago, regarding storing the sha512
>>> hashes rather than the plaintext password under GPG.
>>>
>>> In preparation for that, tomorrow he will send in some tests to lock
>>> in
>>> the base-line behaviour of supplementalCredentials, including the
>>> HTTP
>>> digest values, then a small re-factor so that we can practically add
>>> additional packages.
>>>
>>> I'm sorry I don't have code to show right now, but our design is to
>>> store a new package named Primary:userPassword{SHA512} (or {SHA265}),
>>> following from the OpenLDAP use of rfc2307 in this area.  Perhaps
>>> Microsoft may even be encouraged to do the same some day!  
>>>
>>> Storage will for Samba be controlled by an smb.conf option.
>>>
>>> The idea will be to re-use and extend your syncpasswords work to
>>> expose
>>> these to users needing access. 
>>
>> This work progresses well, and some of the patches have already been
>> posted. 
>>
>> The work in progress so far is at
>> http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/gary-password-hash
> 
> I think one important thing is that it's possible to configure more than
> one hashing scheme, which is important for soft migrations.
> Note that {SHA256} and {SHA512} are not valid scheme names in RFC2307,
> "{CRYPT}" is the generic prefix for these.
> 
> Maybe a configuration like this:
> 
> password hash openldap schemes =
> or
> password hash userpassword schemes =
> 
>    {CRYPT}:alg=5:round=1500 {SSHA} {CRYPT}:alg=6

Or "CryptSHA256:round=1500 SSHA CryptSHA512 CryptSHA512:round=5000",
in which case it matches more closely what we have in 'samba-tool user
getpassword',
but then remove the reference to RFC2307 from the docs.

If you add the magic with specifying 'round', please try to find a way
to also add it to
samba-tool user getpassword

Thanks!
metze

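The point made above, that {SHA256} and {SHA512} are not RFC 2307 scheme names while {CRYPT} carries the algorithm id and round count inside the crypt(3) string itself, is easiest to see in code. The following is an added example, not Samba code and not part of the patches discussed in this thread: it parses both scheme-list spellings proposed above into structured descriptors, maps each {CRYPT} variant to the crypt(3) setting string it implies (for instance `$5$rounds=1500$<salt>`), and generates and verifies {SSHA} values in the OpenLDAP userPassword format. The token syntax, the `Scheme` class and every function name are assumptions made for this example; the {CRYPT} digest itself is not computed here because that needs crypt(3)/libxcrypt.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Token spellings accepted here (constructed for this example; not Samba's parser):
#   {CRYPT}:alg=5:round=1500   RFC 2307 {CRYPT} prefix, crypt(3) id 5 (SHA-256), 1500 rounds
#   CryptSHA256:round=1500     the alternative spelling suggested in the thread
#   {SSHA} or SSHA             salted SHA-1, the common OpenLDAP userPassword form
CRYPT_ALG_IDS = {"CryptSHA256": "5", "CryptSHA512": "6"}


@dataclass(frozen=True)
class Scheme:
    name: str                    # "SSHA" or "CRYPT"
    alg: Optional[str] = None    # crypt(3) id: "5" = SHA-256, "6" = SHA-512
    rounds: Optional[int] = None

    def crypt_setting(self, salt: str) -> str:
        """crypt(3) setting string implied by this scheme, e.g. '$5$rounds=1500$<salt>'."""
        if self.name != "CRYPT":
            raise ValueError("crypt_setting() only applies to {CRYPT} schemes")
        rounds = f"rounds={self.rounds}$" if self.rounds is not None else ""
        return f"${self.alg}${rounds}{salt}"


def parse_scheme_list(value: str) -> List[Scheme]:
    """Parse a space-separated scheme list into Scheme descriptors (order preserved)."""
    schemes = []
    for token in value.split():
        head, *opts = token.split(":")
        kv = dict(opt.split("=", 1) for opt in opts)
        rounds = int(kv["round"]) if "round" in kv else None
        if head in ("{SSHA}", "SSHA"):
            schemes.append(Scheme("SSHA"))
        elif head == "{CRYPT}":
            schemes.append(Scheme("CRYPT", alg=kv["alg"], rounds=rounds))
        elif head in CRYPT_ALG_IDS:
            schemes.append(Scheme("CRYPT", alg=CRYPT_ALG_IDS[head], rounds=rounds))
        else:
            raise ValueError(f"unknown scheme token {token!r}")
    return schemes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} value: base64(sha1(password || salt) || salt), as OpenLDAP stores it."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the salted digest from the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]     # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def verify_any(password: str, stored_values: List[str]) -> bool:
    """Soft-migration check: accept the password if any stored userPassword value verifies.
    Only {SSHA} values are verified here; values with other prefixes are skipped."""
    return any(ssha_verify(password, v) for v in stored_values)


if __name__ == "__main__":
    for cfg in ("{CRYPT}:alg=5:round=1500 {SSHA} {CRYPT}:alg=6",
                "CryptSHA256:round=1500 SSHA CryptSHA512 CryptSHA512:round=5000"):
        for s in parse_scheme_list(cfg):
            setting = s.crypt_setting("saltsalt") if s.name == "CRYPT" else ""
            print(cfg, "->", s, setting)
    v = ssha_hash("correct horse")
    print(v, ssha_verify("correct horse", v), ssha_verify("wrong", v))
```

Keeping several schemes in the list and accepting a login when any stored value verifies is what makes the soft migration work: accounts keep their old {SSHA} value until a password change writes the new {CRYPT} one, and nothing breaks in between.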