Tâche #24000
Mis à jour par Benjamin Bohard il y a plus de 5 ans
A partir de la version samba 4.7, il est possible de générer des Hash supplémentaires qui sont stockés Voir description plus détaillée dans l'attribut SupplementalCredentials
La configuration est simple, il suffit d'ajouter un ligne dans smb.conf avec les formats attendus :
* password hash userPassword schemes = CryptSHA256 CryptSHA512*
Dans cette exemple, au prochain changement de mot de passe du user via CTRL ALT SUPP ou bien via samba-tool, cela génèrera dans l'attribut supplementalCredentials deux hash :
<pre>
root@pdc-ad1:~# samba-tool user getpassword toto --attributes=virtualCryptSHA512,virtualCryptSHA256
dn: CN=toto,CN=Users,DC=ac-test,DC=eole
Got password OK
root@pdc-ad1:~# samba-tool user getpassword toto --attributes=virtualCryptSHA512,virtualCryptSHA256
dn: CN=toto,CN=Users,DC=ac-test,DC=eole
virtualCryptSHA256: {CRYPT}$5$Bg0Vq1Nm22S4ITbE$YUIa8/bDvD58iBT6KzAmVT4sRIb3brY
ri5B2do4ap77
virtualCryptSHA512: {CRYPT}$6$V8BOezBunSOZ7fcK$uzngXi8P4GhC06JM9PQ/125KHKuiIr5
Yxz7WYkdjwdxmj0VPbbZ3PvKR35qbEUhFKAcG66mrm750KapIIU3pu.
Got password OK
</pre>
Les formats proposés sont décrits dans MAN smb.conf :
<pre>
password hash userPassword schemes (G)
This parameter determines whether or not samba(8) acting as an Active Directory Domain Controller will attempt to store additional passwords hash types for the user
The values are stored as 'Primary:userPassword' in the supplementalCredentials attribute. The value of this option is a hash type.
The currently supported hash types are:
· CryptSHA256
· CryptSHA512
Multiple instances of a hash type may be computed and stored. The password hashes are calculated using the crypt(3) call. The number of rounds used to compute the hash can be specified by
adding ':rounds=xxxx' to the hash type, i.e. CryptSHA512:rounds=4500 would calculate an SHA512 hash using 4500 rounds. If not specified the Operating System defaults for crypt(3) are used.
As password changes can occur on any domain controller, you should configure this on each of them. Note that this feature is currently available only on Samba domain controllers.
Currently the NT Hash of the password is recorded when these hashes are calculated and stored. When retrieving the hashes the current value of the NT Hash is checked against the stored NT
Hash. This detects password changes that have not updated the password hashes. In this case samba-tool user will ignore the stored hash values.
Being able to obtain the hashed password helps, when they need to be imported into other authentication systems later (see samba-tool user getpassword) or you want to keep the passwords in
sync with another system, e.g. an OpenLDAP server (see samba-tool user syncpasswords).
Related command: unix password sync
Default: password hash userPassword schemes =
Example: password hash userPassword schemes = CryptSHA256
Example: password hash userPassword schemes = CryptSHA256 CryptSHA512
Example: password hash userPassword schemes = CryptSHA256:rounds=5000 CryptSHA512:rounds=7000
</pre>
h2. Evolution à faire coté EOLE : ajouter un attribut permettant de désigner les hash à générer le scénario parent
Ajouter une variable qui permette de saisir une ou deux valeurs de ce type : CryptSHA256 CryptSHA512:rounds=4500
Modifier le template smb.conf en ajoutant cette ligne si génération de hash demandée dans gen_config :
*password hash userPassword schemes = CryptSHA256 CryptSHA512:rounds=4500*
Pour chaque Hash, il faudra définir ces deux infos :
-Type de Hash : SHA256 ou SHA512
- Nb de rounds : vide par défaut, autres valeurs possibles à vérifier avec la doc samba