password hash userPassword schemes

This parameter determines whether or not
samba
8 acting as an Active
Directory Domain Controller will attempt to store additional
passwords hash types for the user

The values are stored as 'Primary:userPassword' in the
supplementalCredentials
attribute. The value of this option is a hash type.

The currently supported hash types are:


CryptSHA256


CryptSHA512

Multiple instances of a hash type may be computed and stored.
The password hashes are calculated using the
crypt
3 call.
The number of rounds used to compute the hash can be specified by adding
':rounds=xxxx' to the hash type, i.e. CryptSHA512:rounds=4500 would calculate
an SHA512 hash using 4500 rounds. If not specified the Operating System
defaults for
crypt
3 are used.


As password changes can occur on any domain controller,
you should configure this on each of them. Note that this feature is
currently available only on Samba domain controllers.

Currently the NT Hash of the password is recorded when these hashes
are calculated and stored. When retrieving the hashes the current value of the
NT Hash is checked against the stored NT Hash. This detects password changes
that have not updated the password hashes. In this case
samba-tool user will ignore the stored
hash values.


Being able to obtain the hashed password helps, when
they need to be imported into other authentication systems
later (see samba-tool user
getpassword) or you want to keep the passwords in
sync with another system, e.g. an OpenLDAP server (see
samba-tool user
syncpasswords).

unix password sync

Example: CryptSHA256

Example: CryptSHA256 CryptSHA512

Example: CryptSHA256:rounds=5000 CryptSHA512:rounds=7000

Supported on: At least Microsoft Windows 7 or Windows Server 2008 family

password hash userPassword schemes

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Samba\smb_conf\password hash userPassword schemes
Value Namepassword hash userPassword schemes
Value TypeREG_SZ
Default Value

samba.admx

Administrative Templates (Computers)