PATCHES: Password sync as active directory domain controller
Andrew Bartlett
abartlet at samba.org
Fri Jul 8 20:00:19 UTC 2016
On Tue, 2016-06-28 at 21:16 +0200, Stefan Metzmacher wrote:
> > Thanks. I realise this is highly inconvenient to ask now as you
> > probably have this already deployed somewhere, but I think the
> > encrypted plaintext blob needs a checksum against the other
> > password.
>
> Yes, customers are already using it.
>
> But we may be able to make a compatible change and create a
> checksum (sha512 ?) over the Primary:Kerberos-Newer-Keys
> and use a Primary:SambaGPG_HEXSTRINGOFCHECKSUM as key to
> store the GPG value.
>
> But still fallback if only Primary:SambaGPG is available.
I just realised, this objection is silly. We are storing the plaintext
password, we can do the check, if required, on read :-). It would be
great if we double check it against unicodePwd (because that is the
easiest to check in python), but please consider my objection on this
point withdrawn.
> > That is, we need to encode the current password from one of the
> > Windows-supported schemes into the blob, so we don't output the old
> > password, because I think it is too fragile to base this on the
> > position re-order (and this may break other extensions we add).
> >
> > Also, I really like the ability to get at the plaintext password if
> > required, but I don't quite understand why the work to create
> > the virtualCryptSHA512 attribute is done at extraction time. Why not
> > move this part outside the GPG blob, remove the complexity and
> > dependency of invoking GPG, and ensure that we don't have the
> > plaintext password for those use cases?
>
> If you want you can also implement that and store a Primary:CryptSHA512
> blob and get the virtualCryptSHA512 out of that if available.
>
> My main goal was to avoid having to know in advance what format we
> will later be able to get.
Yeah, I get that. I'm keen on this extra feature because it avoids the
GPG complexity, but it is just an extra feature request.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
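The two mechanisms discussed above, as an added example that is not part of the thread or of Samba's code: Stefan's proposed checksum-bound package name (Primary:SambaGPG_ followed by the SHA-512 hex of the Primary:Kerberos-Newer-Keys blob, with a fallback to plain Primary:SambaGPG), and Andrew's suggested check on read, which refuses to hand out a decrypted plaintext unless its NT hash matches unicodePwd. Everything here is an assumption for illustration: the package values are constructed bytes rather than Samba's real NDR-encoded supplementalCredentials structures, the attribute-name scheme is the one proposed in the thread rather than something shipped, and the GPG decryption is replaced by a caller-supplied callable (in the demo it simply decodes the stored bytes). MD4 is implemented in pure Python because hashlib's md4 is unavailable on OpenSSL 3 builds without the legacy provider.

```python
import hashlib
import hmac
import struct
from typing import Callable, Dict, Optional, Tuple

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): 64-byte blocks, little-endian words, three 16-step rounds."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for func, const, order, shifts in rounds:
            for i in range(16):
                j = (-i) % 4  # the register updated this step cycles A, D, C, B
                val = s[j] + func(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]) + x[order[i]] + const
                s[j] = _rotl(val & MASK32, shifts[i % 4])
        state = [(a + b) & MASK32 for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """unicodePwd as AD stores it: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def sambagpg_package_name(kerberos_newer_keys: bytes) -> str:
    """Thread's proposal (assumed format): bind the GPG package to the current Kerberos keys via SHA-512."""
    return "Primary:SambaGPG_" + hashlib.sha512(kerberos_newer_keys).hexdigest()


def pick_sambagpg_package(packages: Dict[str, bytes],
                          kerberos_newer_keys: bytes) -> Optional[Tuple[str, bytes]]:
    """Prefer the checksum-bound package; fall back to plain Primary:SambaGPG for older records."""
    bound = sambagpg_package_name(kerberos_newer_keys)
    for name in (bound, "Primary:SambaGPG"):
        if name in packages:
            return name, packages[name]
    return None


def read_plaintext(packages: Dict[str, bytes], kerberos_newer_keys: bytes,
                   unicode_pwd: bytes, decrypt: Callable[[bytes], str]) -> Optional[str]:
    """Check on read: only return the decrypted plaintext if its NT hash matches unicodePwd."""
    found = pick_sambagpg_package(packages, kerberos_newer_keys)
    if found is None:
        return None
    _name, blob = found
    plaintext = decrypt(blob)  # stand-in for the GPG decryption step
    if not hmac.compare_digest(nt_hash(plaintext), unicode_pwd):
        return None  # stale blob from an earlier password; do not expose it
    return plaintext


def demo() -> Dict[str, Optional[str]]:
    """Constructed sample data: a fresh bound package, and a stale plain package after a password change."""
    newer_keys = b"constructed Kerberos-Newer-Keys blob"  # not a real NDR structure
    decrypt = lambda blob: blob.decode()  # demo only; real code would invoke gpg here

    fresh = {sambagpg_package_name(newer_keys): b"NewPassw0rd!"}
    stale = {"Primary:SambaGPG": b"OldPassw0rd!"}  # written before the password was changed
    current_unicode_pwd = nt_hash("NewPassw0rd!")
    return {
        "fresh": read_plaintext(fresh, newer_keys, current_unicode_pwd, decrypt),
        "stale": read_plaintext(stale, newer_keys, current_unicode_pwd, decrypt),
    }
```

The stale case shows why the read-time check matters: a leftover Primary:SambaGPG package still decrypts cleanly, so without comparing against unicodePwd a caller would get the previous password and have no way to tell.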