This parameter determines whether or not Samba acting as an Active
Directory Domain Controller will attempt to store additional
password hash types for the user.
The values are stored as 'Primary:userPassword' in the
attribute. The value of this option is a hash type.
The currently supported hash types are:
Multiple instances of a hash type may be computed and stored.
The password hashes are calculated using the
The number of rounds used to compute the hash can be specified by adding
':rounds=xxxx' to the hash type, e.g. CryptSHA512:rounds=4500 would calculate
an SHA512 hash using 4500 rounds. If not specified the Operating System
3 are used.
As password changes can occur on any domain controller,
you should configure this on each of them. Note that this feature is
currently available only on Samba domain controllers.
Currently the NT Hash of the password is recorded when these hashes
are calculated and stored. When retrieving the hashes the current value of the
NT Hash is checked against the stored NT Hash. This detects password changes
that have not updated the password hashes. In this case
samba-tool user will ignore the stored
Being able to obtain the hashed passwords helps when
they need to be imported into other authentication systems
later (see samba-tool user
getpassword) or you want to keep the passwords in
sync with another system, e.g. an OpenLDAP server (see
unix password sync
Example: CryptSHA256 CryptSHA512
Example: CryptSHA256:rounds=5000 CryptSHA512:rounds=7000
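Because the option has to be set on every domain controller, a small check of the configured values helps catch typos and drift between DCs. The following is an added example, not part of the Samba documentation or code: the accepted scheme names are taken from the examples above, the rounds bounds are those of the SHA-crypt specification, and the DC names and sample values are constructed.

```python
import re

# Scheme names taken from this page's examples; the page's own list of
# supported types did not survive, so this set is an assumption.
KNOWN_SCHEMES = {"CryptSHA256", "CryptSHA512"}
# Rounds limits of the SHA-crypt specification (assumption: the platform
# crypt() follows it and clamps values outside this range).
ROUNDS_MIN, ROUNDS_MAX = 1000, 999_999_999

ENTRY_RE = re.compile(r"^([A-Za-z0-9]+)(?::rounds=(\d+))?$")


def parse_schemes(value):
    """Parse the option value into [(scheme, rounds_or_None)], plus findings."""
    entries, findings = [], []
    for token in value.split():
        m = ENTRY_RE.match(token)
        if not m:
            findings.append(f"malformed entry: {token!r}")
            continue
        scheme, rounds = m.group(1), m.group(2)
        if scheme not in KNOWN_SCHEMES:
            findings.append(f"unknown hash type: {scheme}")
            continue
        rounds = int(rounds) if rounds is not None else None
        if rounds is not None and not ROUNDS_MIN <= rounds <= ROUNDS_MAX:
            findings.append(f"{token}: rounds outside {ROUNDS_MIN}..{ROUNDS_MAX}")
        entries.append((scheme, rounds))  # duplicates are allowed by the option
    return entries, findings


def compare_dcs(settings):
    """Return DC names whose parsed schemes differ from the first DC's."""
    parsed = {dc: parse_schemes(v)[0] for dc, v in settings.items()}
    baseline = next(iter(parsed.values()))
    return sorted(dc for dc, p in parsed.items() if p != baseline)


# Constructed sample: option values as read from three hypothetical DCs.
SAMPLE = {
    "dc1": "CryptSHA256:rounds=5000 CryptSHA512:rounds=7000",
    "dc2": "CryptSHA256:rounds=5000 CryptSHA512:rounds=7000",
    "dc3": "CryptSHA512",
}

if __name__ == "__main__":
    for dc, value in SAMPLE.items():
        print(dc, *parse_schemes(value))
    print("differs from first DC:", compare_dcs(SAMPLE))
```

A DC reported by `compare_dcs` would store a different set of hashes for passwords changed on it than the other DCs do.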
| Registry Path | Software\Policies\Samba\smb_conf\password hash userPassword schemes |
| Value Name | password hash userPassword schemes |