[Samba] Changing password in PDC using a pre-hashed value
Emond Papegaaij
emond.papegaaij at topicus.nl
Tue Nov 25 05:43:48 MST 2014
Hello,
In short, we would like to add users to a Samba PDC, using a pre-hashed value
for their password. Is this possible, and if so, how?
Long version:
We are developing an authentication broker that dynamically adds and removes
user accounts from LDAP systems, allowing these users to authenticate on
servers. For the provisioning of OpenLDAP systems, we can directly set the
userPassword attribute using a pre-hashed value, in the form
{SSHA}<hash-with-salt>. Using a pre-hashed password allows us to store the password in the
database of the authentication broker. This way, the user only needs to enter
his password once, and we can create his account over and over again.
The only documentation I could find on changing a password in a Samba PDC is
by issuing a PasswordModifyRequest or by setting the unicodePwd attribute.
Both require an unhashed password. Using an unhashed password would force us
to either prompt the user for his password on every provisioning operation
(not very user friendly) or to store the password in the database with a
symmetrical encryption scheme (risk of compromising all passwords when the
database and encryption key are stolen). Is there a way to set the password
using a hashed value?
Best regards,
Emond Papegaaij