This parameter determines whether or not samba(8) acting as an Active Directory Domain Controller will attempt to store additional password hash types for the user.

The values are stored as 'Primary:userPassword' in the supplementalCredentials attribute. The value of this option is a hash type.

The currently supported hash types are:

    CryptSHA256
    CryptSHA512

Multiple instances of a hash type may be computed and stored. The password hashes are calculated using the crypt(3) call. The number of rounds used to compute the hash can be specified by adding ':rounds=xxxx' to the hash type, e.g. CryptSHA512:rounds=4500 would calculate an SHA512 hash using 4500 rounds. If not specified, the Operating System defaults for crypt(3) are used.

As password changes can occur on any domain controller, you should configure this on each of them. Note that this feature is currently available only on Samba domain controllers.

Currently the NT Hash of the password is recorded when these hashes are calculated and stored. When retrieving the hashes, the current value of the NT Hash is checked against the stored NT Hash. This detects password changes that have not updated the password hashes. In this case samba-tool user will ignore the stored hash values.

Being able to obtain the hashed passwords helps when they need to be imported into other authentication systems later (see samba-tool user getpassword) or when you want to keep the passwords in sync with another system, e.g. an OpenLDAP server (see samba-tool user syncpasswords).

See also: unix password sync

Example values:

    CryptSHA256
    CryptSHA256 CryptSHA512
    CryptSHA256:rounds=5000 CryptSHA512:rounds=7000
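
The value syntax described above, as an added example (not Samba's own code): a Python check that parses the option value, rejects hash types other than the two listed, and groups domain controllers by the set of hash types they would store, so that drift between DCs is visible. The rounds limits (1000 to 999999999) are taken from the SHA-crypt specification behind glibc's crypt(3) and are an assumption about the platform; the function names, DC names and salt are constructed for illustration.

```python
import re

SUPPORTED = {"CryptSHA256": 5, "CryptSHA512": 6}  # hash type -> crypt(3) id
ROUNDS_MIN, ROUNDS_MAX = 1000, 999_999_999        # assumption: SHA-crypt limits
TOKEN = re.compile(r"^(?P<scheme>[A-Za-z0-9]+)(?::rounds=(?P<rounds>\d+))?$")


def parse_schemes(value):
    """Parse the option value into [(hash_type, rounds_or_None), ...]."""
    parsed = []
    for token in value.split():
        m = TOKEN.match(token)
        if not m or m["scheme"] not in SUPPORTED:
            raise ValueError(f"unsupported or malformed hash type: {token!r}")
        rounds = int(m["rounds"]) if m["rounds"] else None
        if rounds is not None and not ROUNDS_MIN <= rounds <= ROUNDS_MAX:
            raise ValueError(f"rounds out of range in {token!r}")
        parsed.append((m["scheme"], rounds))
    return parsed


def crypt_setting(scheme, rounds, salt):
    """Build the crypt(3) modular-format setting string for one hash type."""
    head = f"${SUPPORTED[scheme]}$"
    return head + (f"rounds={rounds}$" if rounds else "") + salt


def group_dcs(values_by_dc):
    """Group DC names by the set of hash types their value would store."""
    groups = {}
    for dc, value in values_by_dc.items():
        key = tuple(sorted(parse_schemes(value), key=lambda p: (p[0], p[1] or 0)))
        groups.setdefault(key, []).append(dc)
    return groups  # more than one key means the DCs are configured differently


if __name__ == "__main__":
    # Constructed sample: option values collected from three DCs.
    sample = {
        "dc1": "CryptSHA256 CryptSHA512",
        "dc2": "CryptSHA512 CryptSHA256",
        "dc3": "CryptSHA512:rounds=7000",
    }
    for key, dcs in group_dcs(sample).items():
        print(dcs, "->", key)
```

More than one group in the output means a password changed on one DC would be stored with different hash types than the same change made on another.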