[Samba] Changing password in PDC using a pre-hashed value

Rowland Penny rowlandpenny at googlemail.com
Tue Nov 25 08:12:31 MST 2014

On 25/11/14 14:57, Emond Papegaaij wrote:
> On Tuesday, November 25, 2014 02:02:32 PM Rowland Penny wrote:
>> On 25/11/14 13:47, Emond Papegaaij wrote:
>>> On Tuesday, November 25, 2014 01:28:21 PM Rowland Penny wrote:
>>>> On 25/11/14 12:43, Emond Papegaaij wrote:
>>>>> In short, we would like to add users to a Samba PDC, using a pre-hashed
>>>>> value for their password. Is this possible, if so, how?
>>> <cut long version>
>>>> Firstly, it's DC not PDC, a PDC is something else, similar but not the
>>>> same.
>>> Ow, I'm not that into AD-terminology.
>> Well, it sounds like you need to learn it.
> I'm learning :)
>>>> So, to answer your question, no, I do not think you can do what you
>>>> want, I also cannot understand why you want to keep creating the user,
>>>> the whole idea of AD is SSO.
>>> That would be very unfortunate. The key thing is that the AD only serves
>>> as an authentication mechanism in this setup. The SSO is handled by our
>>> authentication broker.
>> So you want to use SSO on top of another SSO.
> The AD is only one of the systems being provisioned. Other systems are
> OpenLDAP for authentication on Linux servers. We plan to add things like
> Oracle and Postgresql databases and probably others.

You don't need OpenLDAP to authenticate Linux; you can do this with 
Samba4 AD, and it will also work for the others you mention.

>>> For a user, the flow should be like this:
>>> - User wants access to 'very-important-server'
>> In AD you cannot have a 'very-important-server', you can only have a server.
> The key part in this is that the 'very-important-server' does not have any
> accounts enabled by default. It's completely closed. To get access to this
> server, you will need to do a full two-factor authentication on our broker,
> and even then you will only have temporary access.

As I said, AD user, disable user after a set period and use Kerberos.

>>> - Sign on to our authentication broker
>>> - Enable temporary account in AD for 'very-important-server', with the
>>> password supplied earlier
>>> - Log in on 'very-important-server' using the temporary account
>>> - Do your thing on 'very-important-server'
>>> - At end of day, temporary account expires and is removed from AD
>> Why not: create AD user with a known password, set account to expire at a
>> given time, give user the password, restrict access to server via ACLs.
> This would result in a rather bad user experience. A user wanting to do some
> work on a server would have to remember his temporary password for the entire
> day. We can't use the same password over and over, because that would require
> us to store it somehow, so it will be a different password every day and it
> will be a secure password (aka very hard to remember). The other parts are
> pretty much what we are doing.

Kerberos -- Kerberos -- Kerberos

>>> The authentication broker records an audit trail, provides two-factor
>>> authentication and has sophisticated account management. This allows us to
>>> see who does what where and when and revoke access with a few clicks.
>> I think that you need to rethink your 'authentication broker' to get it
>> to work with AD.
> Perhaps a solution might be to use a public/private key pair. We are already
> doing this for OpenLDAP, where the public key is stored under sshPublicKey,
> allowing the user to connect to the server without having to enter his
> password. However, I'm not sure this is even possible for Windows servers.

Kerberos -- Kerberos -- Kerberos

> Also, we've found this:
> https://lists.samba.org/archive/samba-technical/2010-August/072954.html
> Is this still possible?

I do not know, but even if it is, I would not use it; even the guy that 
came up with it doesn't want it used.

> Best regards,
> Emond Papegaaij

And just in case you haven't got it yet -- *KERBEROS*
