author: Andrew Bartlett <abartlet@samba.org> 2022-01-31 14:08:13 +1300
committer: Andrew Bartlett <abartlet@samba.org> 2022-06-26 22:10:29 +0000
commit: d2a473a7b7471937d1098a11258b875134ad702a
tree: d73130772308bd5e017792658b7e8e292adfa249 /lib/param/loadparm.h
parent: 6029e2250c4dc837ed4f6b4613f988ae6dff49e3
dsdb: Allow password history and password changes without an NT hash

We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead which allows us to decouple Samba from the unsalted NT hash for organisations that are willing to take this step (for user accounts).

(History checking is limited to the last three passwords only, as ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4 package only stores three sets of keys.)

Since we don't store a salt per-key, but only a single salt, the check will fail for a previous password if the account was renamed prior to a newer password being set.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Diffstat (limited to 'lib/param/loadparm.h')
-rw-r--r-- lib/param/loadparm.h 7
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index a3331436229..b1641ba88d2 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -262,6 +262,13 @@ enum samba_weak_crypto {
SAMBA_WEAK_CRYPTO_DISALLOWED,
};
+/* Controlling the storage of the NT password has on the AD DC */
+enum store_nt_hash {
+ NT_HASH_STORE_AUTO,
+ NT_HASH_STORE_NEVER,
+ NT_HASH_STORE_ALWAYS
+};
+
/*
* Default passwd chat script.
*/
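
Review bot: the comment on the new `enum store_nt_hash` reads "Controlling the storage of the NT password has on the AD DC", which looks like a typo for "NT password hash"; it is the only documentation this header gives for the enum, so it is worth fixing. The three values are also undocumented: from this hunk a reader cannot tell what NT_HASH_STORE_AUTO resolves to or on what basis, so a short comment per value would help anyone auditing whether NT hashes are still being stored. Style: `NT_HASH_STORE_ALWAYS` has no trailing comma, while the preceding `enum samba_weak_crypto` ends with `SAMBA_WEAK_CRYPTO_DISALLOWED,`; adding one keeps the two enums consistent and keeps later additions to a one-line diff.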