[PATCH] store extra password hashes in supplemental credentials

Stefan Metzmacher metze at samba.org
Tue Apr 11 23:33:13 UTC 2017

Hi Gary and Andrew,

> Completed patch set to:
> - Calculate SHA256 and SHA512 password hashes and store in
>   supplementalCredentials Primary:userPassword
> - add configuration options to control the generation of these
>   hashes and the number of rounds used to calculate them.
>   * 'password hash additional scheme'
>   * 'password hash sha256 rounds'
>   * 'password hash sha512 rounds'
> - add new virtual attributes virtualWDigest01 to virtualWDigest29 to
>   make the WDigest values available
> - change virtualCryptSHA256 and virtualCryptSHA512 to:
>   * return the stored values in Primary:userPassword if available
>   * honor 'password hash sha256 rounds' and
>     'password hash sha512 rounds' when calculating the hashes.
> Review appreciated

I still think we should use {CRYPT} if we're using the crypt_r() function
to generate the value.

Looking at the openldap code I see
{SHA256} and {SHA512} only in contrib/slapd-modules/passwd/sha2/,
but not in the main code libraries/liblutil/passwd.c

Looking at the code I can't see how the value you calculate
using crypt_r() can be verified with the {SHA256} and {SHA512} code.
If we don't want to use {CRYPT} we should implement {SSHA256} and
{SSHA512} (with salt)
instead of {SHA256} and {SHA512} (without salt) and match the actual

I still think it's confusing to have "password hash sha256 rounds" and
"password hash sha512 rounds" as separate options.

What about using the names virtualSSHA, virtualCryptSHA256,
as names in:

	/* one named value, e.g. "virtualSSHA" -> "{SSHA}..." */
	typedef struct {
		[value(2*strlen_m(name))] uint16 name_len;
		[charset(UTF16)] uint8 name[name_len];
		[value((value?value->length:0))] uint32 value_len;
		[flag(NDR_REMAINING)] DATA_BLOB *value;
	} package_PrimaryVirtualPasswordValue;

	/* the blob stored in supplementalCredentials */
	typedef [public] struct {
		samr_Password current_nt_hash;
		uint16 num_values;
		package_PrimaryVirtualPasswordValue values[num_values];
	} package_PrimaryVirtualPasswordsBlob;

If you want you can also implement virtualSSHA256 and virtualSSHA512
(in password_hash.c as well as in samba-tool user getpassword),
but using SHA{256,512}_{Init,Update,Final}() directly.
Very similar to virtualSSHA.

Sorry, but we really have to get this sane before it can be pushed.

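The scheme-tag question above (unsalted {SHA256}/{SHA512} versus salted {SSHA256}/{SSHA512}, and why a crypt_r() string cannot be checked by a plain digest verifier) is easiest to see with a small generator and verifier side by side. The following is an added example, not code from Samba, OpenLDAP or this patch set; it assumes the OpenLDAP-style encodings base64(H(pw)) for {SHA*} and base64(H(pw || salt) || salt) for {SSHA*}, a 4-byte salt for newly generated values (the format itself fixes no salt length), and a constructed, crypt(3)-shaped placeholder string whose digest part is not a real hash.

```python
import base64
import hashlib
import hmac
import os
import re

# Assumed salt length for newly generated {SSHA*} values. The encoding does
# not fix it: a verifier treats everything after the digest as the salt.
SALT_LEN = 4

# scheme name -> (hash constructor, digest length in bytes)
SCHEMES = {
    "SHA256": (hashlib.sha256, 32),   # unsalted: base64(H(pw))
    "SHA512": (hashlib.sha512, 64),
    "SSHA": (hashlib.sha1, 20),       # salted:   base64(H(pw || salt) || salt)
    "SSHA256": (hashlib.sha256, 32),
    "SSHA512": (hashlib.sha512, 64),
}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)


def make_unsalted(scheme, password):
    """{SHA256}/{SHA512} style value: base64 of the raw digest, no salt."""
    h, _ = SCHEMES[scheme]
    digest = h(password.encode("utf-8")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def make_salted(scheme, password, salt=None):
    """{SSHA*} style value: base64(digest || salt); the salt rides along in clear."""
    h, _ = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = h(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_scheme(stored):
    """Return (SCHEME, payload) for a '{SCHEME}payload' string."""
    m = _SCHEME_RE.match(stored)
    if m is None:
        raise ValueError("no {SCHEME} prefix: %r" % stored)
    return m.group(1).upper(), m.group(2)


def verify(stored, password):
    """Check a password against a {SCHEME}payload value.

    Returns True/False for the SHA/SSHA schemes above. {CRYPT} is refused
    explicitly: its payload is a crypt(3) string ("$5$rounds=5000$salt$...")
    that only crypt_r(3) can check, so a plain digest comparison can never
    accept it.
    """
    scheme, payload = split_scheme(stored)
    if scheme == "CRYPT":
        raise NotImplementedError("{CRYPT} payloads need crypt_r(3)")
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme {%s}" % scheme)
    h, dlen = SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False              # e.g. a crypt string mislabelled as {SHA256}
    if scheme.startswith("SSHA"):
        if len(raw) <= dlen:      # need at least one salt byte
            return False
        digest, salt = raw[:dlen], raw[dlen:]
    else:
        if len(raw) != dlen:
            return False
        digest, salt = raw, b""
    candidate = h(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def mislabelled_crypt_is_rejected():
    # Constructed crypt(3)-shaped payload; the hash part is a placeholder.
    # A {SHA256} verifier rejects it on format before any comparison.
    return verify("{SHA256}$5$rounds=5000$saltsalt$placeholder", "Passw0rd")


if __name__ == "__main__":
    for s in ("SHA256", "SSHA", "SSHA256", "SSHA512"):
        v = make_salted(s, "Passw0rd") if s.startswith("SSHA") else make_unsalted(s, "Passw0rd")
        print(v, verify(v, "Passw0rd"))
    print("mislabelled crypt verifies:", mislabelled_crypt_is_rejected())
```

The verifier only ever sees a scheme tag and a base64 payload; a value produced by crypt_r() carries its own "$5$rounds=N$salt$" prefix, which is not base64 and not a bare digest, so labelling it {SHA256} yields a value that nothing can verify, while labelling it {CRYPT} tells the consumer to hand it to crypt_r(3).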
