simple password sync method
abartlet at samba.org
Tue May 4 15:44:18 UTC 2021
On Tue, 2021-05-04 at 15:39 +0800, d tbsky via samba-technical wrote:
> I wonder if the old simple method can co-exist with the current
> one. maybe just a config like "password sync script = xxxx" and let
> samba trigger it when password change? although with clear password
> you can sync it to new service at any time, but old simple method
> doesn't need any infrastructure change and doesn't need to store the
> private encryption key.
If you know the target password type (eg crypt()) then we can store
some such passwords without the need for the GPG key, and run the sync
eg set "password hash userPassword schemes = CryptSHA512"
We won't be adding the 'samba3' style password sync to the AD DC, due
to locking requirements. At the point where we can process a password
sync, we have to lock the DB against all other changes, and it would
risk service to all other users to start making calls at this point.
Of course Samba remains Free Software and you may make whatever changes
you desire for your private use, but this is our feeling regarding what
we will allow upstream.
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
More information about the samba-technical