
List:       samba-technical
Subject:    Re: Exposing password hashes to an LDAP client.
From:       Matthias Dieter Wallnöfer <mdw () samba ! org>
Date:       2011-03-19 11:04:53
Message-ID: 4D848DD5.1000006 () samba ! org

Andrew,

I'm with you. Password handling is so inherently complex in s4 (the 
various AD function levels, support for "userPassword", and LM hashes) 
that I wouldn't add any feature to the existing password hash LDB 
module. Do you still remember how long it took to integrate and fix up 
my changes? A year I think.

Btw. don't forget my EXOP branch - I have also made tridge aware of that 
:) !

Thanks,
Matthias

Andrew Bartlett wrote:
> The issue here is that brenden needs a sha1 hash, and we don't currently
> store that.  We certainly could have password_hash store an additional
> hash - otherwise, you would need to store and expose the plaintext.
>
> I would support such an optional extension - the main issue would be
> that all the DCs must be Samba4 and configured in the same way or it
> won't work.
>
> Andrew Bartlett
>
>    
