[Samba] Changing password in PDC using a pre-hashed value

Emond Papegaaij emond.papegaaij at topicus.nl
Tue Nov 25 05:43:48 MST 2014


In short, we would like to add users to a Samba PDC, using a pre-hashed value 
for their password. Is this possible, if so, how?

Long version:

We are developing an authentication broker that dynamically adds and removes 
user accounts from LDAP systems, allowing these users to authenticate on 
servers. For the provisioning of OpenLDAP systems, we can directly set the 
userPassword attribute using a pre-hashed value, in the form {SSHA}<hash-with-
salt>. Using a pre-hashed password allows us to store the password in the 
database of the authentication broker. This way, the user only needs to enter 
his password once, and we can create his account over and over again.

The only documentation I could find on changing a password in a Samba PDC, is 
by issuing a PasswordModifyRequest or by setting the unicodePwd attribute. 
Both require an unhashed password. Using an unhashed password would force us 
to either prompt the user for his password on every provisioning operation 
(not very user friendly) or to store the password in the database with a 
symmetrical encryption scheme (risk of compromising all passwords when the 
database and encryption key are stolen). Is there a way to set the password 
using a hashed value?

Best regards,
Emond Papegaaij

More information about the samba mailing list