{PATCH] store extra password hashes in supplemental credentials

Andrew Bartlett abartlet at samba.org
Tue Apr 11 23:10:20 UTC 2017


On Wed, 2017-04-12 at 10:57 +1200, Gary Lockyer via samba-technical
wrote:
> Completed patch set to:
> - Calculate SHA256 and SHA512 password hashes and store in
>   supplementalCredentials Primary:userPassword
> - add configuration options to control the generation of these
>   hashes and the number of rounds used to calculate them.
>   * 'password hash additional scheme'
>   * 'password hash sha256 rounds'
>   * 'password hash sha512 rounds'
> - add new virtual attributes virtualWDigest01 to virtualWDigest29 to
>   make the WDigest values available
> - change virtualCryptSHA256 and virtualCryptSHA512 to:
>   * return the stored values in Primary:userPassword if available
>   * honor 'password hash sha256 rounds' and
>     'password hash sha512 rounds' when calculating the hashes.
> 
> Review appreciated

Thanks Gary!

This looks really good.  

Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Can I get a second team review for this great work?

Metze:  I know you have been really busy, but I'm quite confident we
have addressed your concerns and we have a sensible, future-proof
design that addresses the concerns you listed. 

The only think we haven't done is the code to keep the old elements. 
Sadly this is beyond what we can do right now, but we have left a great
framework to test this.  Perhaps add it when we add Primary:NTLM-
Strong-NTOWF?

If I can get a second reviewer, I would really like to push this
tomorrow, before the Easter break.  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 862 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170412/2d6188e8/signature.sig>


More information about the samba-technical mailing list