Thanks for that, it's pretty much our server-side web form to re-init passwords.

The problem is that I need to store somewhere as plaintext the default password for each user, which is prompted to change at the 1st connexion.

I turned on "--store-plaintext on" via samba-tool and read "supplementalCredentials", looked for "Store passwords using reversible encryption"...

I don't think it's the right way since I don't want to be able to decode new passwords...

Paul

On 17/06/2015 09:37, L.P.H. van Belle wrote:
> Nice environment Paul..
>
> have a look here.
> http://ltb-project.org/wiki/documentation/self-service-password
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: paul.de_vlieger at moniut.univ-bpclermont.fr
>> [mailto:samba-bounces at lists.samba.org] On behalf of Paul
>> Sent: Wednesday 17 June 2015 9:25
>> To: samba at lists.samba.org
>> Subject: [Samba] Default password recovery feature
>>
>> Hi,
>> we are using Samba4 since the first stable release, and we are
>> fully satisfied.
>>
>> Our configuration is 2 DCs on opensuse13, samba 4.1.16 + bind, full sync
>> (ad/gpo/netlogon), ~1k users, ~700 computers.
>> We migrated to samba4 from the classic samba3/ldap backend
>> without any big issue.
>>
>> We have the possibility to reset the password to the default one using a web
>> form. On samba3/ldap we used the attribute "sambaPasswordHistory" to store this
>> default password and restore it on request. This default password is stored as
>> plaintext.
>>
>> How can I do this in Samba4 and AD schema? I dug a little bit in password
>> history in AD but the comparison is done with hashes. I don't want to store this
>> in a third party database...
>>
>> Thanks for your support,
>> Paul

On 18/06/15 11:10, Paul wrote:
> Thanks for that, it's pretty much our server-side web form to re-init
> passwords.
>
> The problem is that I need to store somewhere as plaintext the default
> password for each user, which is prompted to change at the 1st connexion.
>
> I turned on "--store-plaintext on" via samba-tool and read
> "supplementalCredentials", looked for "Store passwords using
> reversible encryption"...
>
> I don't think it's the right way since I don't want to be able to
> decode new passwords...
>
> Paul

Hi, storing a user's password in plain text is, in my opinion, a very bad idea. Could you not change the user's password to a random password, email the new password to the user and then set the user's password to be changed at next login? This way, you never know the user's password, never have to store it anywhere and cannot be accused of reading a user's personal data.

Rowland
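
Added example (not part of the original thread and not Samba project code): a sketch of the reset flow suggested in the message above, for a handler that receives only an account name from a web form. The function names and the username pattern are assumptions; `samba-tool user setpassword` with `--newpassword` and `--must-change-at-next-login` is the real CLI, and how the temporary password reaches the user is left to the caller.

```python
import re
import secrets
import string
import subprocess

# Assumption: resettable accounts have simple sAMAccountName-style names.
# Rejecting anything else keeps a form value such as "--help" or "-H ..."
# from being parsed by samba-tool as an option.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,19}")

# One entry per character class counted by the AD complexity check.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#%+-_=?@")


def generate_temp_password(length=16):
    """Return a random one-time password with a character from every class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    chars = [secrets.choice(c) for c in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def build_reset_command(username, password):
    """Build the samba-tool argv that sets the password and expires it."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("refusing account name: %r" % username)
    # The password is visible in the DC's process list while the command
    # runs; it is one-time only because of --must-change-at-next-login.
    return [
        "samba-tool", "user", "setpassword", username,
        "--newpassword=" + password,
        "--must-change-at-next-login",
    ]


def reset_user(username, run=False):
    """Generate a temporary password; apply it on the DC only when run=True."""
    password = generate_temp_password()
    argv = build_reset_command(username, password)
    if run:
        subprocess.run(argv, check=True)  # argv list, no shell involved
    return password
```

Nothing is stored: the temporary password exists only in the return value of `reset_user`, and the directory keeps just its hash.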

Hi,

I can understand the risks and the fact it's a stupid idea. But I receive from a third party web form a "reset default password" request. I have to handle this request in our directory. And of course the request does not contain any password. That's why I have to store only the default password somewhere.

I can't email the password since the password is synchronized with our mail server :)

Paul

On 18/06/2015 12:33, Rowland Penny wrote:
> Hi, storing a user's password in plain text is, in my opinion, a very bad idea.
> Could you not change the user's password to a random password, email the new
> password to the user and then set the user's password to be changed at next
> login? This way, you never know the user's password, never have to store it
> anywhere and cannot be accused of reading a user's personal data.
>
> Rowland