PATCHES: Password sync as active directory domain controller
Stefan Metzmacher
metze at samba.org
Tue Jul 19 11:26:18 UTC 2016
Am 11.07.2016 um 22:38 schrieb Stefan Metzmacher:
> Am 08.07.2016 um 22:00 schrieb Andrew Bartlett:
>> On Tue, 2016-06-28 at 21:16 +0200, Stefan Metzmacher wrote:
>>
>>>> Thanks. I realise this is highly inconvenient to ask now as you
>>>> probably have this already deployed somewhere, but I think the
>>>> encrypted plaintext blob needs a checksum against the other
>>>> password.
>>>
>>> Yes, customers are already using it.
>>>
>>> But we may be able to make a compatible change and create a
>>> checksum (sha512 ?) over the Primary:Kerberos-Newer-Keys
>>> and use a Primary:SambaGPG_HEXSTRINGOFCHECKSUM as key to
>>> store the GPG value.
>>>
>>> But still fallback if only Primary:SambaGPG is available.
>>
>> I just realised, this objection is silly. We are storing the plaintext
>> password, we can do the check, if required, on read :-). It would be
>> great if we double check it against unicodePwd (because that is the
>> easiest to check in python), but please consider my objection on this
>> point withdrawn.
>
> Ok, I'll add this verification on read.
>
Added, my master4-gpgme branch does not conflict with master4-smart-*
any more.
I think it's ready to push.
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160719/c9c02749/signature.sig>
More information about the samba-technical
mailing list