This parameter determines whether or not samba(8), acting as an Active
Directory Domain Controller, will attempt to store additional password
hash types for the user, and which ones. The hashes are computed when a
user's password is set or changed, from the cleartext the DC sees at that
moment.
The values are stored as 'Primary:userPassword' in the
supplementalCredentials attribute of the user object. The value of this
option is one or more hash types, separated by spaces.
The currently supported hash types are:
  CryptSHA256
  CryptSHA512
Multiple instances of a hash type may be computed and stored.
The password hashes are calculated using the crypt(3) call.
The number of rounds used to compute the hash can be specified by appending
':rounds=xxxx' to the hash type, e.g. CryptSHA512:rounds=4500 would calculate
an SHA-512 crypt hash using 4500 rounds. If not specified, the operating
system defaults for crypt(3) are used (on glibc that is 5000 rounds; values
below 1000 or above 999999999 are clamped to those limits). A higher round
count makes offline guessing against a copied hash proportionally slower, at
the cost of the same extra work on the domain controller at every password
change.
As password changes can occur on any domain controller, you should
configure this identically on each of them; a domain controller without
the setting writes no crypt(3) hashes when it processes a password change.
Note that this feature is currently available only on Samba domain
controllers.
Currently the NT hash of the password is recorded alongside these hashes
when they are calculated and stored. When the hashes are retrieved, the
current value of the account's NT hash is checked against the stored NT
hash. This detects password changes that did not update the stored password
hashes (for example a change processed by a domain controller without this
option set). In that case samba-tool user will ignore the stored hash
values rather than return hashes of a previous password.
Being able to obtain the hashed password helps when the hashes need to be
imported into another authentication system later (see samba-tool user
getpassword), or when you want to keep passwords in sync with another
system, e.g. an OpenLDAP server (see samba-tool user syncpasswords).
Bear in mind that these crypt(3) hashes, like the NT hash already held in
unicodePwd, are readable by anyone who can read supplementalCredentials
(for instance via directory replication or direct access to sam.ldb), so
choose the round count with offline cracking of a copied hash in mind.
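The following is an added example, not code from Samba or from this manual page. It models two things described above: how a scheme token such as CryptSHA512:rounds=4500 maps onto the crypt(3) call (a pure-Python port of the sha256-crypt/sha512-crypt algorithm, Drepper's specification as glibc implements it, so that it runs without a crypt(3) binding), and the NT-hash staleness check applied when the stored hashes are read back. The function names, the dictionary used as a stand-in for supplementalCredentials, and the scheme-token parser are illustrative assumptions; the NT hash used in the test is the well-known MD4-of-UTF-16LE value for the password "password", given as a constant because computing MD4 is outside the scope of the example.

```python
"""Added example, not Samba's code: what the CryptSHA256/CryptSHA512 tokens make
a DC compute and store, via a pure-Python port of crypt(3) SHA-crypt (Drepper's
spec as glibc implements it), plus the NT-hash staleness check applied on read."""
import hashlib
import hmac
import os
import re

CRYPT_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# smb.conf token -> (crypt(3) method id, hashlib digest name, digest length)
SCHEMES = {"CryptSHA256": ("5", "sha256", 32), "CryptSHA512": ("6", "sha512", 64)}
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999  # glibc values

def parse_scheme(token):
    """'CryptSHA512:rounds=4500' -> ('CryptSHA512', 4500); rounds None if absent.
    Assumption: re-implements the documented syntax, not Samba's own parser."""
    m = re.fullmatch(r"(CryptSHA256|CryptSHA512)(?::rounds=(\d+))?", token)
    if not m:
        raise ValueError(f"unsupported scheme token: {token!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)

def _b64(b2, b1, b0, n):
    """crypt(3) base64: n characters of the 24-bit word, low 6 bits first."""
    w, s = (b2 << 16) | (b1 << 8) | b0, ""
    for _ in range(n):
        s, w = s + CRYPT_B64[w & 0x3F], w >> 6
    return s

def sha_crypt(scheme, password, salt, rounds=None):
    """The '$5$...'/'$6$...' string crypt(3) returns for setting '$N$[rounds=R$]salt'."""
    method_id, name, dlen = SCHEMES[scheme]
    custom = rounds is not None
    rounds = min(max(rounds if custom else ROUNDS_DEFAULT, ROUNDS_MIN), ROUNDS_MAX)
    salt, plen = salt[:16], len(password)        # crypt(3) keeps at most 16 salt bytes
    H = lambda data=b"": hashlib.new(name, data)
    B = H(password + salt + password).digest()
    A = H(password + salt)
    A.update(B * (plen // dlen) + B[: plen % dlen])
    cnt = plen
    while cnt:                                    # bits of len(password), LSB first
        A.update(B if cnt & 1 else password)
        cnt >>= 1
    A = A.digest()
    DP = H(password * plen).digest()
    P = DP * (plen // dlen) + DP[: plen % dlen]
    DS = H(salt * (16 + A[0])).digest()
    S = DS * (len(salt) // dlen) + DS[: len(salt) % dlen]
    C = A
    for i in range(rounds):                       # 'rounds' is the cost knob
        h = H(P if i & 1 else C)
        if i % 3: h.update(S)
        if i % 7: h.update(P)
        h.update(C if i & 1 else P)
        C = h.digest()
    # glibc's byte permutation ahead of the base64 encoding, per digest length
    groups, step, off, tail = ((21, 22, 21, _b64(0, 0, C[63], 2)) if dlen == 64
                               else (10, 21, 10, _b64(0, C[31], C[30], 3)))
    mod = 3 * off
    enc = "".join(_b64(C[(step * i) % mod], C[(step * i + off) % mod],
                       C[(step * i + 2 * off) % mod], 4) for i in range(groups))
    prefix = f"${method_id}$" + (f"rounds={rounds}$" if custom else "")
    return prefix + salt.decode("ascii") + "$" + enc + tail

def new_salt():
    return "".join(CRYPT_B64[b & 0x3F] for b in os.urandom(16)).encode("ascii")

def store_supplemental(password, nt_hash, config):
    """Password-change side: one crypt(3) hash per token in the smb.conf value
    (e.g. 'CryptSHA256 CryptSHA512'), recorded together with the NT hash."""
    hashes = []
    for token in config.split():
        scheme, rounds = parse_scheme(token)
        hashes.append(sha_crypt(scheme, password, new_salt(), rounds))
    return {"Primary:userPassword": hashes, "nt_hash": nt_hash}

def retrieve_supplemental(stored, current_nt_hash):
    """Read side: return the hashes only while the recorded NT hash still equals
    the account's current one; otherwise they are stale and ignored ([])."""
    if not hmac.compare_digest(stored["nt_hash"], current_nt_hash):
        return []
    return list(stored["Primary:userPassword"])

def verify(hash_string, password):
    """Recompute with the method, rounds and salt carried in the stored string."""
    m = re.fullmatch(r"\$([56])\$(?:rounds=(\d+)\$)?([^$]{1,16})\$[./0-9A-Za-z]+", hash_string)
    if not m:
        return False
    scheme = "CryptSHA256" if m.group(1) == "5" else "CryptSHA512"
    rounds = int(m.group(2)) if m.group(2) else None
    again = sha_crypt(scheme, password, m.group(3).encode("ascii"), rounds)
    return hmac.compare_digest(again, hash_string)
```

sha_crypt() reproduces the glibc output format exactly, so a value such as sha_crypt("CryptSHA512", b"Hello world!", b"saltstring") matches the reference vector from the sha-crypt specification, and a stored '$6$rounds=4500$...' string can be re-verified by any crypt(3) implementation. store_supplemental() and retrieve_supplemental() show why the NT hash is recorded with the crypt hashes: after a password change that bypassed this option, the account's NT hash no longer matches the recorded one and the read side returns nothing rather than hashes of the old password.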
See also: unix password sync

Default: password hash userPassword schemes =
Example: password hash userPassword schemes = CryptSHA256
Example: password hash userPassword schemes = CryptSHA256 CryptSHA512
Example: password hash userPassword schemes = CryptSHA256:rounds=5000 CryptSHA512:rounds=7000