blob: 18a43f9dd5740a78ef3443f974d06f9f47389dee (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
<samba:parameter name="password hash userPassword schemes"
context="G"
type="cmdlist"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This parameter determines whether or not
<citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> acting as an Active
Directory Domain Controller will attempt to store additional
passwords hash types for the user</para>
<para>The values are stored as 'Primary:userPassword' in the
<command moreinfo="none">supplementalCredentials</command>
attribute. The value of this option is a hash type.</para>
<para>The currently supported hash types are:</para>
<itemizedlist>
<listitem>
<para><constant>CryptSHA256</constant></para>
</listitem>
<listitem>
<para><constant>CryptSHA512</constant></para>
</listitem>
</itemizedlist>
<para>Multiple instances of a hash type may be computed and stored.
The password hashes are calculated using the
<citerefentry><refentrytitle>crypt</refentrytitle>
<manvolnum>3</manvolnum></citerefentry> call.
The number of rounds used to compute the hash can be specified by adding
':rounds=xxxx' to the hash type, i.e. CryptSHA512:rounds=4500 would calculate
an SHA512 hash using 4500 rounds. If not specified the Operating System
defaults for
<citerefentry><refentrytitle>crypt</refentrytitle>
<manvolnum>3</manvolnum></citerefentry> are used.
</para>
<para>As password changes can occur on any domain controller,
you should configure this on each of them. Note that this feature is
currently available only on Samba domain controllers.</para>
<para>Currently the NT Hash of the password is recorded when these hashes
are calculated and stored. When retrieving the hashes the current value of the
NT Hash is checked against the stored NT Hash. This detects password changes
that have not updated the password hashes. In this case
<command moreinfo="none">samba-tool user</command> will ignore the stored
hash values.
</para>
<para>Being able to obtain the hashed password helps, when
they need to be imported into other authentication systems
later (see <command moreinfo="none">samba-tool user
getpassword</command>) or you want to keep the passwords in
sync with another system, e.g. an OpenLDAP server (see
<command moreinfo="none">samba-tool user
syncpasswords</command>).</para>
<related>unix password sync</related>
</description>
<value type="default"></value>
<value type="example">CryptSHA256</value>
<value type="example">CryptSHA256 CryptSHA512</value>
<value type="example">CryptSHA256:rounds=5000 CryptSHA512:rounds=7000</value>
</samba:parameter>
|