[Samba] Default password recovery feature

Paul paul.de_vlieger at moniut.univ-bpclermont.fr
Fri Jun 19 05:37:41 MDT 2015


Hi,
I can understand the risks and the fact that it's a stupid idea. But I receive from a 
third-party web form a "reset default password" request. I have to handle 
this request in our directory.
And of course the request does not contain any password. That's why I have to 
store only the default password somewhere.

I can't email the password since the password is synchronized with our mail 
server :)

Paul


On 18/06/2015 12:33, Rowland Penny wrote:
> On 18/06/15 11:10, Paul wrote:
>> Thanks for that, it's pretty much our server-side web form to re-init passwords.
>>
>> The problem is that I need to store somewhere, as plaintext, the default
>> password for each user, which they are prompted to change at the first connection.
>>
>> I turned on "--store-plaintext on" via samba-tool and read
>> "supplementalCredentials", looked for "Store passwords using reversible
>> encryption"...
>>
>> I don't think it's the right way since I don't want to be able to decode new
>> passwords...
>>
>> Paul
>>
>> On 17/06/2015 09:37, L.P.H. van Belle wrote:
>>> Nice environment Paul..
>>>
>>> have a look here.
>>> http://ltb-project.org/wiki/documentation/self-service-password
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: paul.de_vlieger at moniut.univ-bpclermont.fr
>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Paul
>>>> Sent: Wednesday 17 June 2015 9:25
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Default password recovery feature
>>>>
>>>> Hi,
>>>> we have been using Samba4 since the first stable release, and we are
>>>> fully satisfied.
>>>>
>>>> Our configuration is 2 DCs on openSUSE 13, samba 4.1.16 + bind,
>>>> full sync (ad/gpo/netlogon), ~1k users, ~700 computers.
>>>> We migrated to samba4 from the classic samba3/ldap backend
>>>> without any big issue.
>>>>
>>>> We have the possibility to reset the password to the default
>>>> one using a web form. On samba3/ldap we used the attribute
>>>> "sambaPasswordHistory" to store this default password and
>>>> restore it on request. This default password is stored as
>>>> plaintext.
>>>>
>>>> How can I do this in Samba4 and the AD schema? I dug a little
>>>> bit into password history in AD, but the comparison is done
>>>> with hashes. I don't want to store this in a third-party
>>>> database...
>>>>
>>>> Thanks for your support,
>>>> Paul
>>>>
>>>>
>>>>
>>>>
>>>
>
> Hi, storing a user's password in plain text is, in my opinion, a very bad idea.
> Could you not change the user's password to a random password, email the new
> password to the user and then set the user's password to be changed at next
> login? This way, you never know the user's password, never have to store it
> anywhere and cannot be accused of reading a user's personal data.
>
> Rowland
>
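
The reset flow Rowland describes (set a random password, force a change at next login, never store the value) is what a server-side handler for the web form's "reset" request would do instead of keeping a plaintext default. The following is an added example written for this page; it is not code from the thread or from the Samba project. It assumes `samba-tool user setpassword` with the `--newpassword` and `--must-change-at-next-login` options (both exist in Samba 4.x), an AD-style complexity policy (three of four character classes, minimum length 7, username not contained in the password), and that the caller delivers the returned one-time password through whatever channel is usable when the mail password itself is being reset (a help-desk phone call, a printed slip, an SMS), since e-mail is not an option in Paul's setup. The `run` parameter exists so the command can be exercised without a DC.

```python
import secrets
import string
import subprocess

# Character classes for AD-style complexity: at least three of the four.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!#$%&*+=?@_"  # assumption: a conservative special-character set
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL


def meets_complexity(password, username, min_length=7):
    """Approximate the default AD password policy: minimum length, at
    least three of four character classes, and no username substring
    (AD only checks name tokens of three characters or more)."""
    if len(password) < min_length:
        return False
    if len(username) >= 3 and username.lower() in password.lower():
        return False
    classes = sum(
        any(c in cls for c in password) for cls in (UPPER, LOWER, DIGITS, SPECIAL)
    )
    return classes >= 3


def generate_password(username="", length=16):
    """Generate a one-time password from the OS CSPRNG that satisfies
    meets_complexity(); one character of each class is forced so the
    three-of-four rule always holds, then the result is shuffled."""
    if length < 8:
        raise ValueError("length must be at least 8")
    rng = secrets.SystemRandom()
    while True:
        chars = [
            secrets.choice(UPPER),
            secrets.choice(LOWER),
            secrets.choice(DIGITS),
            secrets.choice(SPECIAL),
        ]
        chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if meets_complexity(candidate, username):  # rejects a username collision
            return candidate


def build_reset_command(username, password):
    """argv for samba-tool: set the password and flag it for change at
    next logon. The --newpassword=VALUE form is used so a password that
    happens to start with '-' is not parsed as an option."""
    return [
        "samba-tool", "user", "setpassword", username,
        "--newpassword=" + password,
        "--must-change-at-next-login",
    ]


def reset_to_random_password(username, run=subprocess.run):
    """Handle a 'reset' request: set a fresh random password, force the
    user to change it at next logon, and hand the one-time value back to
    the caller for out-of-band delivery. Nothing is written to disk, and
    the error path deliberately omits argv so the password never lands
    in a log line."""
    password = generate_password(username)
    result = run(build_reset_command(username, password),
                 capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError(
            "samba-tool setpassword failed for %s: %s" % (username, result.stderr.strip())
        )
    return password


if __name__ == "__main__":
    # Dry run against a fake runner so the script can be read without a DC.
    class _Ok:
        returncode, stderr = 0, ""
    print(reset_to_random_password("jdoe", run=lambda cmd, **kw: _Ok()))
```

Two caveats for a real deployment: the password is visible in the `samba-tool` process argument list for the duration of the call, which is acceptable only where nobody but administrators has a shell on the DC; and the handler must still authenticate the reset request itself (who may reset whose account), because the directory side no longer has a secret to compare against.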

