[Samba] samba-tool user syncpasswords / getpassword usage and clarifications

Denis Cardon dcardon at tranquil.it
Tue Oct 25 12:10:13 UTC 2016


Hi Andrew and Stefan,

>>> If this is the way it works, I was wondering if is there a reason
>>> why
>>> not directly storing the required hashes (ssha1, ssha256, etc.)
>>> into the
>>> supplementalCredentials attribute on the DC doing the password
>>> change?
>>
>> Because it's much more flexible that way and you can construct any
>> new
>> hashing scheme that will be invented in future.
>>
>> If someone wants to implement storing a set of pre-calculated hashes,
>> maybe in a Primary:SambaHashes field, that would also be fine in
>> order
>> to make it even more flexible and avoid storing the cleartext at all.
>
> I hope we can get this at some point.  (I think we both agree it is
> primarily a matter of finding the dev hours, not any problem with the
> idea).

Thanks for your answers. GPGME-based password sync is indeed much more
flexible, but I fear that many organisations won't be very keen on
having reversibly encrypted passwords in the AD...

We could have an smb.conf parameter like "check password scripts" that
would return a base64-encoded list of hashes that would then be stored
in supplementalCredentials. That should be sufficiently flexible for
my case.

Cheers,

Denis



>
> Thanks,
>
> Andrew Bartlett
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
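As an added illustration of the hash-list script Denis sketches above (example code, not from Samba or from the thread's authors): a small Python script that takes a new cleartext password, derives the salted SSHA and SSHA256 forms named in the thread, and returns them as one base64-encoded list the DC could store instead of a reversible value. The stdin convention, the newline-separated layout and the function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
import sys
from typing import List, Optional

# Hash schemes mentioned in the thread, mapped to their hashlib constructors.
SCHEMES = {
    "SSHA": hashlib.sha1,
    "SSHA256": hashlib.sha256,
}


def make_salted_hash(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Return an LDAP-style '{SCHEME}base64(digest || salt)' string."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per hash, never reused
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_salted_hash(stored: str, password: str) -> bool:
    """Check a password against a '{SCHEME}...' string produced above."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.lstrip("{")
    if scheme not in SCHEMES:
        return False
    raw = base64.b64decode(b64)
    digest_len = SCHEMES[scheme]().digest_size
    digest, salt = raw[:digest_len], raw[digest_len:]
    candidate = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hash_list_for_password(password: str) -> str:
    """Build the base64-encoded, newline-separated hash list the script would
    hand back to the DC (this layout is an assumption for the example)."""
    lines = [make_salted_hash(s, password) for s in SCHEMES]
    return base64.b64encode("\n".join(lines).encode("ascii")).decode("ascii")


def decode_hash_list(blob: str) -> List[str]:
    """Inverse of hash_list_for_password, for the side that stores or checks."""
    return base64.b64decode(blob).decode("ascii").split("\n")


if __name__ == "__main__":
    # Assumed convention: the DC passes the new cleartext on stdin, one line.
    print(hash_list_for_password(sys.stdin.readline().rstrip("\n")))
```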
