[Samba] samba-tool user syncpasswords / getpassword usage and clarifications
rpenny at samba.org
Tue Oct 18 21:05:18 UTC 2016
On Tue, 18 Oct 2016 22:32:20 +0200
Denis Cardon via samba <samba at lists.samba.org> wrote:
> Hi everyone, hi Metze,
> looking through the mailing list, it seems that there hasn't been
> much talk about the interesting features offered by syncpassword /
> getpassword that came out with 4.5.0. I was hoping to use this
> feature to pipe ssha1 and HA1 hashes into an external ldap.
> Looking at the command line doc and then at the source code, it gets
> a bit more clear to me and I wanted to have some confirmation on that.
> It seems that the only added value in the supplementalCredential
> attribute is the GPG encrypted password value (Primary:SambaGPG).
> And then the PDC running the syncpasswords daemon, which would have
> the gpg private key, monitors the ldap change.
> When a supplementalCredentials attribute change event occurs, one can
> use getPassword command and the private key to get the clear text
> password or one of the proposed hashes out of the GPG encrypted
> Primary:SambaGPG entry, and then pipe those hashes in external
> openldap or other authentication servers.
> If this is the way it works, I was wondering if there is a reason for
> not directly storing the required hashes (ssha1, ssha256, etc.) into
> the supplementalCredentials attribute on the DC doing the password
I suppose a big reason is that (according to here:
) supplementalCredentials is a system only attribute and is neither
readable nor writeable.
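
Added example, not part of the original message and not Samba's own code: the last step the thread describes, turning a decrypted per-user record into a password change for an external OpenLDAP server, with the hash and account name validated first. The LDIF shape, the `virtualSSHA` attribute in that record, the target DN layout and all sample values are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, re

def make_ssha(password: bytes, salt: bytes) -> str:
    """OpenLDAP-style salted SHA-1: {SSHA} + base64(sha1(password + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

# Constructed sample record; attribute names and DNs are assumptions, not real output.
SAMPLE_LDIF = (
    "dn: CN=alice,CN=Users,DC=example,DC=com\n"
    "sAMAccountName: alice\n"
    "virtualSSHA: " + make_ssha(b"Passw0rd!", b"\x01\x02\x03\x04") + "\n"
)

def parse_ldif_record(text: str) -> dict:
    """Parse one LDIF record: folded lines, 'attr: value' and 'attr:: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    record = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # base64-encoded value
            record[name] = base64.b64decode(rest[1:].strip()).decode()
        else:
            record[name] = rest.strip()
    return record

def split_ssha(value: str):
    """Return (digest, salt), or raise ValueError if the value is not well-formed."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(value[6:], validate=True)
    if len(blob) <= 20:                   # SHA-1 digest is 20 bytes; the rest is salt
        raise ValueError("missing salt")
    return blob[:20], blob[20:]

def check_ssha(value: str, password: bytes) -> bool:
    """Constant-time check of a cleartext password against an {SSHA} value."""
    digest, salt = split_ssha(value)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def to_openldap_modify(record: dict, people_base: str) -> str:
    """Build an LDIF modify record for the external directory (hypothetical layout)."""
    uid = record["sAMAccountName"]
    if not re.fullmatch(r"[A-Za-z0-9._-]+", uid):
        raise ValueError("unsafe account name for a DN")
    split_ssha(record["virtualSSHA"])     # refuse malformed hashes
    return (f"dn: uid={uid},{people_base}\nchangetype: modify\n"
            f"replace: userPassword\nuserPassword: {record['virtualSSHA']}\n")
```

The account-name check matters because the value is interpolated into a DN and an LDIF stream; a name containing commas or newlines would otherwise change which entry is modified.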