[Samba] samba-tool user syncpasswords / getpassword usage and clarifications

Rowland Penny rpenny at samba.org
Tue Oct 18 21:05:18 UTC 2016

On Tue, 18 Oct 2016 22:32:20 +0200
Denis Cardon via samba <samba at lists.samba.org> wrote:

> Hi everyone, hi Metze,
> looking through the mailing list, it seems that there hasn't been
> much talk about the interesting features offered by syncpassword / 
> getpassword that came out with 4.5.0. I was hoping to use this
> feature to pipe a ssha1 and HA1 hashes into an external ldap.
> Looking at the command line doc and then at the source code, it gets
> a bit more clear to me and I wanted to have some confirmation on that
> process.
> It seems that the only added value in the supplementalCredential 
> attribute is the GPG encrypted password value (Primary:SambaGPG).
> And then the PDC running the syncpasswords daemon, which would have
> the gpg private key, monitors the ldap change.
> When a supplementalCredentials attribute change event occurs, one can 
> use getPassword command and the private key to get the clear text 
> password or one of the proposed hash out of the GPG encrypted 
> Primary:SambaGPG entry, and then pipe those hashes in external
> openldap or other authentication servers.
> If this is the way it works, I was wondering if is there a reason why 
> not directly storing the required hashes (ssha1, ssha256, etc.) into
> the supplementalCredentials attribute on the DC doing the password
> change?
> Cheers,
> Denis

I suppose a big reason is that (according to here:
) supplementalCredentials is a system only attribute and is neither
readable or writeable.


More information about the samba mailing list