[Samba] samba-tool user syncpasswords / getpassword usage and clarifications

Rowland Penny rpenny at samba.org
Tue Oct 18 21:05:18 UTC 2016


On Tue, 18 Oct 2016 22:32:20 +0200
Denis Cardon via samba <samba at lists.samba.org> wrote:

> Hi everyone, hi Metze,
> 
> Looking through the mailing list, it seems that there hasn't been
> much talk about the interesting features offered by syncpasswords /
> getpassword that came out with 4.5.0. I was hoping to use this
> feature to pipe ssha1 and HA1 hashes into an external LDAP.
> 
> Looking at the command line doc and then at the source code, it gets
> a bit clearer to me, and I wanted to have some confirmation on that
> process.
> 
> It seems that the only added value in the supplementalCredential 
> attribute is the GPG encrypted password value (Primary:SambaGPG).
> 
> And then the PDC running the syncpasswords daemon, which would have
> the gpg private key, monitors the ldap change.
> 
> When a supplementalCredentials attribute change event occurs, one can
> use the getpassword command and the private key to get the clear text
> password or one of the proposed hashes out of the GPG encrypted
> Primary:SambaGPG entry, and then pipe those hashes into an external
> OpenLDAP or other authentication servers.
> 
> If this is the way it works, I was wondering if there is a reason for
> not directly storing the required hashes (ssha1, ssha256, etc.) in
> the supplementalCredentials attribute on the DC doing the password
> change?
> 
> Cheers,
> 
> Denis
> 

I suppose a big reason is that (according to here:
https://msdn.microsoft.com/en-us/library/ms679920%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
) supplementalCredentials is a system-only attribute and is neither
readable nor writeable.

Rowland