[Samba] Changing password in PDC using a pre-hashed value

Rowland Penny rowlandpenny at googlemail.com
Tue Nov 25 06:28:21 MST 2014

On 25/11/14 12:43, Emond Papegaaij wrote:
> Hello,
> In short, we would like to add users to a Samba PDC, using a pre-hashed value
> for their password. Is this possible, if so, how?
> Long version:
> We are developing an authentication broker that dynamically adds and removes
> user accounts from LDAP systems, allowing these users to authenticate on
> servers. For the provisioning of OpenLDAP systems, we can directly set the
> userPassword attribute using a pre-hashed value, in the form {SSHA}<hash-with-
> salt>. Using a pre-hashed password allows us to store the password in the
> database of the authentication broker. This way, the user only needs to enter
> his password once, and we can create his account over and over again.
> The only documentation I could find on changing a password in a Samba PDC, is
> by issuing a PasswordModifyRequest or by setting the unicodePwd attribute.
> Both require an unhashed password. Using an unhashed password would force us
> to either prompt the user for his password on every provisioning operation
> (not very user friendly) or to store the password in the database with a
> symmetrical encryption scheme (risk of compromising all passwords when the
> database and encryption key are stolen). Is there a way to set the password
> using a hashed value?
> Best regards,
> Emond Papegaaij
Firstly, it's DC not PDC, a PDC is something else, similar but not the 

Now to your main question, do you realise that your users can and will 
change their passwords at will? In fact, unless you change the default 
settings, their passwords will expire every 41 days.

To create a password for an AD user on Linux, you need to do something 
like this:

  echo -n "\"$_USER_PW\"" | $_ICONV -f UTF-8 -t UTF-16LE | $_BASE64 -w 0

Where $_USER_PW is the user's PLAIN password, so if you feed into this a 
hashed password, it will either not work or the user's password will be 
set to the hashed value, not the plain password.

So, to answer your question, no, I do not think you can do what you 
want. I also cannot understand why you want to keep creating the user; 
the whole idea of AD is SSO.
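As an added example (not code from this thread or from Samba), the encoding the shell pipeline above performs, written in Python, together with the LDIF fragment that would replace unicodePwd; the DN and passwords are constructed placeholders. It also shows why a pre-hashed value cannot be substituted: whatever string is encoded becomes the literal password.

```python
import base64


def unicode_pwd_value(password: str) -> bytes:
    """Return the raw unicodePwd value an AD DC expects.

    The clear-text password is wrapped in literal double quotes and
    encoded as UTF-16LE. Nothing is hashed client-side: the DC computes
    the NT hash itself, which is why this must travel over LDAPS/StartTLS.
    """
    return f'"{password}"'.encode("utf-16-le")


def unicode_pwd_base64(password: str) -> str:
    """The same value base64-encoded, as an LDIF '::' attribute needs it."""
    return base64.b64encode(unicode_pwd_value(password)).decode("ascii")


def replace_unicode_pwd_ldif(dn: str, password: str) -> str:
    """Build a changetype:modify LDIF fragment that replaces unicodePwd."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {unicode_pwd_base64(password)}\n"
        "-\n"
    )


def would_set_literal_hash(stored_hash: str) -> bool:
    """Show the failure mode from the thread: feeding an {SSHA} string into
    this encoding just makes that string the user's password."""
    encoded = unicode_pwd_value(stored_hash)
    return encoded.decode("utf-16-le").strip('"') == stored_hash


if __name__ == "__main__":
    # Constructed sample DN and password, not from any real directory.
    print(replace_unicode_pwd_ldif("CN=jdoe,CN=Users,DC=example,DC=com", "Pa$$w0rd"))
```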
