[Samba] Directly setting unicodePwd - better type of hash?

Andrew Bartlett abartlet at samba.org
Wed Jan 25 19:24:04 UTC 2023

On Thu, 2023-01-05 at 10:13 +0000, Edward Graham via samba wrote:
> Hi,
> we sync our password from other system by directly setting unicodePwd
> in samba database file. We would like to drop the insecure hash
> stored in other system and replace it with something newer and more
> robust.
> Documentation on page 
> https://samba.tranquil.it/doc/en/samba_fundamentals/about_password_hash.html#propagating-a-password-change-from-samba-ad-to-an-openldap
>   says "It is now possible to have new types of hashes generated when
> a user changes their password, such as crypt-ssha256 or
> crypt-ssha512", but I haven't found much info for this.
> Is it possible to set a different kind of hash in samba's database?
> What would that look like? Something like '{SSHA512}XXXXXXX/XXX'
> (similar to ldap)?
> Thanks

Currently we can't directly set only the crypt() based passwords. The
authentication maths would only work for LDAP Simple binds if we did.

I do think that would be a useful feature; Samba is not only to support
Windows Kerberos clients, some may wish to use it simply as an
easy-to-set-up LDAP target for example, given all our useful tools
around password policy and quality etc.

It certainly would be a really useful migration tool, from (say)
OpenLDAP (and on first LDAP bind we could fill in the other hashes).

What we have finally got as a feature is the ability to not store the
NT hash, which is very weak, for user accounts.  Naturally this breaks
NTLM authentication, but for some use cases this is quite fine.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst.Net Limited

Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source
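Worked illustration of the point made in the reply, added here as an example and not code from this thread or from Samba itself. The NT hash behind unicodePwd is an unsalted MD4 over the UTF-16-LE password, so the stored value is itself the NTLM key (which is why it is described as very weak); a crypt()/SSHA-style hash can only be *verified* against a plaintext, which is all an LDAP simple bind needs, but it cannot be turned back into the key NTLM requires. The {SSHA512} layout assumed below (base64 of sha512(password || salt) || salt) is the OpenLDAP convention the question alludes to, and MD4 is implemented in pure Python because hashlib's md4 is often disabled in OpenSSL 3 builds.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); returns the 16-byte digest."""
    mask = 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    # Merkle-Damgard padding: 0x80, zeros to 56 mod 64, then LE bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, order, shifts, k in rounds:
            for i, xi in enumerate(order):
                j = (-i) % 4  # register updated this step: a, d, c, b
                t = (v[j] + fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]) + x[xi] + k) & mask
                v[j] = rotl(t, shifts[i % 4])
        state = [(s + w) & mask for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash as derived from unicodePwd: unsalted MD4 of the UTF-16-LE
    password. Note there is no salt and no work factor; the value is
    password-equivalent for NTLM, which is the weakness the reply names."""
    return md4(password.encode("utf-16-le"))


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Assumed OpenLDAP-style {SSHA512}: base64(sha512(pw || salt) || salt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(stored: str, password: str) -> bool:
    """Verify a plaintext against an {SSHA512} value (constant-time compare)."""
    if not stored.startswith("{SSHA512}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def simple_bind_verify(entry: dict, password: str) -> bool:
    """What an LDAP simple bind needs: any form the server can check a
    plaintext against. Both stored forms satisfy it. (Hypothetical entry
    dict: 'unicodePwd' holds NT hash bytes, 'userPassword' an {SSHA512}.)"""
    if "unicodePwd" in entry:
        return hmac.compare_digest(entry["unicodePwd"], nt_hash(password))
    if "userPassword" in entry:
        return ssha512_verify(entry["userPassword"], password)
    return False


def ntlm_key_available(entry: dict) -> bool:
    """NTLM needs the NT hash itself as the key. A salted SHA-512 cannot be
    converted into it, so an entry holding only that form cannot serve NTLM."""
    return "unicodePwd" in entry


if __name__ == "__main__":
    # Constructed sample entries for the same (weak, demo-only) password.
    entries = {
        "NT hash only": {"unicodePwd": nt_hash("password")},
        "SSHA512 only": {"userPassword": ssha512_hash("password")},
    }
    for name, e in entries.items():
        print(f"{name}: simple bind ok={simple_bind_verify(e, 'password')}, "
              f"NTLM possible={ntlm_key_available(e)}")
```

Running it prints that both forms pass a simple-bind check while only the NT-hash entry can serve NTLM, which is exactly the trade-off behind the reply's remark that crypt()-only storage would leave the "authentication maths" working for simple binds alone. Kerberos keys are a separate matter (Samba derives them from the plaintext at password-change time) and are not modelled here.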
