[Samba] samba-tool user syncpasswords / getpassword usage and clarifications

Denis Cardon dcardon at tranquil.it
Tue Oct 25 12:10:13 UTC 2016

Hi Andrew and Stefan,

>>> If this is the way it works, I was wondering if there is a reason
>>> why not directly storing the required hashes (ssha1, ssha256, etc.)
>>> into the supplementalCredentials attribute on the DC doing the
>>> password change?
>> Because it's much more flexible that way and you can construct any
>> new hashing scheme that will be invented in future.
>> If someone wants to implement storing a set of pre-calculated hashes,
>> maybe in a Primary:SambaHashes field, that would also be fine in
>> order to make it even more flexible and avoid storing the cleartext
>> at all.
> I hope we can get this at some point.  (I think we both agree it is
> primarily a matter of finding the dev hours, not any problem with the
> idea).

Thanks for your answers. GPGME-based password sync is indeed much more
flexible, but I fear that many organisations won't be very keen on
having reversibly encrypted passwords in the AD...

We could have an smb.conf parameter like "check password scripts" that
would return a base64-encoded list of hashes that would then be stored
into supplementalCredentials. That should be sufficiently flexible for
my case.



> Thanks,
> Andrew Bartlett

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)
