[Samba] insert password hash

Andrew Bartlett abartlet at samba.org
Wed Nov 30 18:20:52 UTC 2022

On Wed, 2022-11-30 at 10:47 -0300, Marcos Ariel Negrini via samba
> Hello:
> I have implemented an Ad samba4 and for process issues I need the user 
> password changes to be done from an external system. Currently the 
> password changes are made from that system by connecting to the ldaps 
> port, but our idea is that the operations are centralized in an api rest 
> and we are trying to make a method that receives the hash from the 
> external system and apply it in samba4 (for audit issues we do not want 
> to receive the flat password with any reversible method that involves 
> the administration in some instance of our part of the flat password).

The script you sent is almost correct, no need for the OID however as
it send Samba the plaintext password.

It is critical you send Samba the plaintext password, it is the trusted
core of your authentiation system so you can trust it with it, and it
means we can construct strong hashes with it.

If you only send Samba the NT hash, then we can't offer strong
authentication over Kerberos.

If security is a major concern, then you actually really want to send
us the plaintext, as we can in Samba 4.17 be configured not to store it
at all, as it is easily reversed (this will disable NTLM). 

Andrew Bartlett

Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba

More information about the samba mailing list