[Samba] Default password recovery feature

Rowland Penny rowlandpenny at googlemail.com
Thu Jun 18 04:33:00 MDT 2015


On 18/06/15 11:10, Paul wrote:
> Thanks for that, it's pretty much our server-side web form to re-init 
> passwords.
>
> The problem is that I need to store somewhere as plaintext the default 
> password for each user, which they are prompted to change at the first connection.
>
> I turned on "--store-plaintext on" via samba-tool and read 
> "supplementalCredentials", looked for "Store passwords using 
> reversible encryption"...
>
> I don't think it's the right way since I don't want to be able to 
> decode new passwords...
>
> Paul
>
> On 17/06/2015 09:37, L.P.H. van Belle wrote:
>> Nice environment Paul..
>>
>> have a look here.
>> http://ltb-project.org/wiki/documentation/self-service-password
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: paul.de_vlieger at moniut.univ-bpclermont.fr
>>> [mailto:samba-bounces at lists.samba.org] On behalf of Paul
>>> Sent: Wednesday 17 June 2015 9:25
>>> To: samba at lists.samba.org
>>> Subject: [Samba] Default password recovery feature
>>>
>>> Hi,
>>> we are using Samba4 since the first stable release, and we are
>>> fully satisfied.
>>>
>>> Our configuration is 2 DCs on opensuse13, samba 4.1.16 + bind,
>>> full sync
>>> (ad/gpo/netlogon), ~1k users, ~700 computers.
>>> We migrated to samba4 from the classic samba3/ldap backend
>>> without any big issue.
>>>
>>> We have the possibility to reset the password to the default
>>> one using a web
>>> form. On samba3/ldap we used the attribute
>>> "sambaPasswordHistory" to store this
>>> default password and restore it on request. This default
>>> password is stored as
>>> plaintext.
>>>
>>> How can I do this in Samba4 and AD schema? I dug a little
>>> bit in password
>>> history in AD but the comparison is done with hashes. I don't
>>> want to store this
>>> in a third party database...
>>>
>>> Thanks for your support,
>>> Paul
>>>
>>

Hi, storing a user's password in plain text is, in my opinion, a very 
bad idea. Could you not change the user's password to a random password, 
email the new password to the user and then set the user's password to be 
changed at next login? This way, you never know the user's password, 
never have to store it anywhere and cannot be accused of reading a user's 
personal data.

Rowland
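The flow Rowland describes (fresh random password, set it, deliver it once, force a change at next logon) as an added shell example; it is not code from this thread or from the Samba project. It assumes `samba-tool user setpassword` with the `--newpassword` and `--must-change-at-next-login` options, a local `mail` command for delivery, and that it runs on a DC; `SAMBA_TOOL` and `NOTIFY` can be overridden for a dry run.

```shell
#!/bin/sh
# Added example: reset an AD user's password to a random one-time value
# without ever storing a plaintext password. The value exists only in
# this shell for the duration of the call and is never written to disk.
set -eu

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"   # override with "echo" for a dry run
PW_LEN="${PW_LEN:-16}"

# Generate PW_LEN random characters from an alphabet that copies cleanly
# from an e-mail (no ambiguous punctuation).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$PW_LEN"
    echo
}

# Set the temporary password and require a change at next login.
# Caveat: an argument is visible in the process list while the command
# runs; on a shared host prefer samba-tool's interactive prompt
# (omit --newpassword) or an otherwise non-argument path.
set_temp_password() {
    user="$1"; pw="$2"
    "$SAMBA_TOOL" user setpassword "$user" \
        --newpassword="$pw" --must-change-at-next-login
}

# Default delivery step: mail the one-time value to the user's address.
notify() {
    address="$1"; pw="$2"
    printf 'Your temporary password is: %s\nYou must change it at your next login.\n' "$pw" \
        | mail -s "Password reset" "$address"
}

# Whole procedure for one user. The helpdesk operator never sees the
# password, and nothing is retained once the function returns.
reset_user() {
    user="$1"; address="$2"
    pw=$(gen_password)
    set_temp_password "$user" "$pw" >/dev/null
    "${NOTIFY:-notify}" "$address" "$pw"
    unset pw
}

# Usage (constructed values): reset_user alice alice@example.org
```

Because the password is forced to change at first logon, the mailed value is unusable after that, which is what removes the need for the plaintext store that the original samba3/LDAP setup relied on.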
