[Samba] samba-tool user syncpasswords / getpassword usage and clarifications

Stefan Metzmacher metze at samba.org
Wed Oct 19 08:10:44 UTC 2016


Hi Dennis,

> looking through the mailing list, it seems that there hasn't been much
> talk about the interesting features offered by syncpassword /
> getpassword that came out with 4.5.0. I was hoping to use this feature
> to pipe ssha1 and HA1 hashes into an external ldap.
> 
> Looking at the command line doc and then at the source code, it gets a
> bit more clear to me and I wanted to have some confirmation on that
> process.
> 
> It seems that the only added value in the supplementalCredential
> attribute is the GPG encrypted password value (Primary:SambaGPG).

Yes.

> And then the PDC running the syncpasswords daemon, which would have the
> gpg private key, monitors the ldap change.
> 
> When a supplementalCredentials attribute change event occurs, one can
> use the getPassword command and the private key to get the clear text
> password or one of the proposed hashes out of the GPG encrypted
> Primary:SambaGPG entry, and then pipe those hashes into external openldap
> or other authentication servers.

Yes.

> If this is the way it works, I was wondering if there is a reason why
> not directly store the required hashes (ssha1, ssha256, etc.) into the
> supplementalCredentials attribute on the DC doing the password change?

Because it's much more flexible that way and you can construct any new
hashing scheme that will be invented in the future.

If someone wants to implement storing a set of pre-calculated hashes,
maybe in a Primary:SambaHashes field, that would also be fine in order
to make it even more flexible and avoid storing the cleartext at all.

metze
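Added example, not code from the thread or from Samba: the consumer side of the flow discussed above. It takes the getpassword-style LDIF (assumed here to be what the syncpasswords --script hook hands over on stdin when virtualClearTextPassword was requested with --attributes), derives the OpenLDAP {SSHA} and HTTP Digest HA1 forms Dennis mentions, and emits an LDIF modify for the external directory. SAMPLE_LDIF, the people base DN and the ha1Password attribute name are constructed assumptions.

```python
import base64
import hashlib
import os

# Constructed sample of getpassword output (assumes --attributes requested these); not real data.
SAMPLE_LDIF = """dn: CN=Dennis,CN=Users,DC=example,DC=com
sAMAccountName: dennis
virtualClearTextPassword:: UGFzc3cwcmQh
"""


def ssha_hash(password: str, salt: bytes = None) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt) with an 8-byte random salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a cleartext against {SSHA}; the salt is whatever follows the 20-byte digest."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ha1_hash(username: str, realm: str, password: str) -> str:
    """HTTP Digest HA1 = MD5(username:realm:password), hex encoded (RFC 2617); realm is baked in."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


def parse_ldif_record(ldif: str) -> dict:
    """Minimal one-record LDIF parser: 'attr: value' and base64 'attr:: value' lines."""
    attrs = {}
    for line in filter(None, ldif.splitlines()):
        key, _, rest = line.partition(":")
        if rest.startswith(":"):  # '::' means the value is base64 encoded
            attrs[key] = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            attrs[key] = rest.strip()
    return attrs


def build_external_modify(ldif: str, realm: str, people_base: str) -> str:
    """LDIF 'changetype: modify' for the external directory; ha1Password is a hypothetical attribute."""
    attrs = parse_ldif_record(ldif)
    uid, password = attrs["sAMAccountName"], attrs["virtualClearTextPassword"]
    lines = [f"dn: uid={uid},{people_base}", "changetype: modify",
             "replace: userPassword", f"userPassword: {ssha_hash(password)}", "-",
             "replace: ha1Password", f"ha1Password: {ha1_hash(uid, realm, password)}", "-"]
    return "\n".join(lines) + "\n"
```

The cleartext only ever exists in this process's memory; the output can be fed straight to ldapmodify, so nothing unhashed needs to touch disk on the sync host.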
