[Samba] samba-tool user syncpasswords / getpassword usage and clarifications
Denis Cardon
dcardon at tranquil.it
Tue Oct 18 20:32:20 UTC 2016
Hi everyone, hi Metze,

looking through the mailing list, it seems that there hasn't been much
talk about the interesting features offered by syncpassword /
getpassword that came out with 4.5.0. I was hoping to use this feature
to pipe ssha1 and HA1 hashes into an external ldap.

Looking at the command line doc and then at the source code, it gets a
bit clearer to me and I wanted to have some confirmation on that process.

It seems that the only added value in the supplementalCredential
attribute is the GPG encrypted password value (Primary:SambaGPG).

And then the PDC running the syncpasswords daemon, which would have the
gpg private key, monitors the ldap change.

When a supplementalCredentials attribute change event occurs, one can
use the getPassword command and the private key to get the clear text
password or one of the proposed hashes out of the GPG encrypted
Primary:SambaGPG entry, and then pipe those hashes into an external
openldap or other authentication servers.

If this is the way it works, I was wondering if there is a reason for
not directly storing the required hashes (ssha1, ssha256, etc.) into the
supplementalCredentials attribute on the DC doing the password change?

Cheers,

Denis
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
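
Added example, not part of the message above and not Samba project code: the filter step the message describes, turning the one-object LDIF record that syncpasswords passes to a --script program on stdin into an ldapmodify record for an external OpenLDAP. It assumes the record carries sAMAccountName and virtualSSHA; EXTERNAL_BASE, the uid= mapping and the sample record are hypothetical.

```python
import base64, hashlib, re

EXTERNAL_BASE = "ou=people,dc=example,dc=org"  # assumed external OpenLDAP subtree

def parse_ldif_record(text):
    """Parse one LDIF record into {lowercased attr: [bytes]}; handles folding and base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                      # folded continuation line
        elif ":" in raw and not raw.startswith("#"):
            lines.append(raw)
    record = {}
    for line in lines:
        name, _, rest = line.partition(":")
        # "attr:: <base64>" carries an encoded value, "attr: <text>" a plain one
        value = base64.b64decode(rest[1:]) if rest.startswith(":") else rest.strip().encode()
        record.setdefault(name.lower(), []).append(value)
    return record

def is_ssha(value):
    """True for {SSHA} + base64(20-byte SHA-1 digest + non-empty salt)."""
    if not value.startswith(b"{SSHA}"):
        return False
    try:
        blob = base64.b64decode(value[6:], validate=True)
    except ValueError:
        return False
    return len(blob) > 20

def to_external_modify(record):
    """Build the ldapmodify LDIF that replaces userPassword in the external directory."""
    user = record["samaccountname"][0].decode("utf-8")
    ssha = record["virtualssha"][0]
    # The name lands in a DN and in LDIF, so refuse anything that would need escaping.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", user):
        raise ValueError("unsafe account name: %r" % user)
    if not is_ssha(ssha):
        raise ValueError("virtualSSHA value is not a salted SHA-1 hash")
    return ("dn: uid=%s,%s\nchangetype: modify\nreplace: userPassword\n"
            "userPassword: %s\n" % (user, EXTERNAL_BASE, ssha.decode("ascii")))

def constructed_sample():
    """Constructed input record (not real Samba output); password and salt are made up."""
    salt = b"NaCl"
    ssha = b"{SSHA}" + base64.b64encode(hashlib.sha1(b"Passw0rd!" + salt).digest() + salt)
    return ("dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com\n"
            "sAMAccountName: alice\nvirtualSSHA:: %s\n" % base64.b64encode(ssha).decode())

if __name__ == "__main__":
    print(to_external_modify(parse_ldif_record(constructed_sample())))
```

When wired in as the --script program, the returned LDIF would be piped to ldapmodify, and the script reports success on stdout with a line starting with "DONE-EXIT: ", as the samba-tool documentation asks of such scripts.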