[Samba] Changing password in PDC using a pre-hashed value

Emond Papegaaij emond.papegaaij at topicus.nl
Tue Nov 25 07:57:32 MST 2014


On Tuesday, November 25, 2014 02:02:32 PM Rowland Penny wrote:
> On 25/11/14 13:47, Emond Papegaaij wrote:
> > On Tuesday, November 25, 2014 01:28:21 PM Rowland Penny wrote:
> >> On 25/11/14 12:43, Emond Papegaaij wrote:
> >>> In short, we would like to add users to a Samba PDC, using a pre-hashed
> >>> value for their password. Is this possible, if so, how?
> > 
> > <cut long version>
> > 
> >> Firstly, it's DC not PDC, a PDC is something else, similar but not the
> >> same.
> > 
> > Ow, I'm not that into AD-terminology.
> 
> Well, it sounds like you need to learn it.

I'm learning :)

> >> So, to answer your question, no, I do not think you can do what you
> >> want, I also cannot understand why you want to keep creating the user,
> >> the whole idea of AD is SSO.
> > 
> > That would be very unfortunate. The key thing is that the AD only serves
> > as an authentication mechanism in this setup. The SSO is handled by our
> > authentication broker.
> 
> So you want to use SSO on top of another SSO.

The AD is only one of the systems being provisioned. Other systems are 
OpenLDAP for authentication on Linux servers. We plan to add things like 
Oracle and PostgreSQL databases and probably others.

> > For a user, the flow should be like this:
> > - User wants access to 'very-important-server'
> 
> In AD you cannot have a 'very-important-server', you can only have a server.

The key part in this is that the 'very-important-server' does not have any
accounts enabled by default. It's completely closed. To get access to this 
server, you will need to do a full two-factor authentication on our broker, 
and even then you will only have temporary access.

> > - Sign-on into our authentication broker
> > - Enable temporary account in AD for 'very-important-server', with
> >   password supplied earlier
> > - Login on 'very-important-server' using the temporary account
> > - Do your thing on 'very-important-server'
> > - At end of day, temporary account expires and is removed from AD
> 
> Why not: create AD user with a known password, set account to expire at
> given time, give user the password, restrict access to server via ACLs.

This would result in a rather bad user experience. A user wanting to do some 
work on a server would have to remember his temporary password for the entire
day. We can't use the same password over and over, because that would require 
us to store it somehow, so it will be a different password every day and it 
will be a secure password (aka very hard to remember). The other parts are 
pretty much what we are doing.

> > The authentication broker records an audit trail, provides two-factor
> > authentication and has sophisticated account management. This allows us to
> > see who does what where and when and revoke access with a few clicks.
> 
> I think that you need to rethink your 'authentication broker' to get it
> to work with AD.

Perhaps a solution might be to use a public/private key pair. We are already 
doing this for OpenLDAP, where the public key is stored under sshPublicKey, 
allowing the user to connect to the server without having to enter his 
password. However, I'm not sure this is even possible for Windows servers.

Also, we've found this:
https://lists.samba.org/archive/samba-technical/2010-August/072954.html
Is this still possible?

Best regards,
Emond Papegaaij

