diff --git a/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml b/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml new file mode 100644 index 00000000000..18a43f9dd57 --- /dev/null +++ b/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml 
@@ -0,0 +1,67 @@ + + + +This parameter determines whether or not +samba +8 acting as an Active +Directory Domain Controller will attempt to store additional +passwords hash types for the user + +The values are stored as 'Primary:userPassword' in the +supplementalCredentials +attribute. The value of this option is a hash type. + +The currently supported hash types are: + + + CryptSHA256 + + + CryptSHA512 + + + +Multiple instances of a hash type may be computed and stored. +The password hashes are calculated using the +crypt +3 call. +The number of rounds used to compute the hash can be specified by adding +':rounds=xxxx' to the hash type, i.e. CryptSHA512:rounds=4500 would calculate +an SHA512 hash using 4500 rounds. If not specified the Operating System +defaults for +crypt +3 are used. + + +As password changes can occur on any domain controller, +you should configure this on each of them. Note that this feature is +currently available only on Samba domain controllers. + +Currently the NT Hash of the password is recorded when these hashes +are calculated and stored. When retrieving the hashes the current value of the +NT Hash is checked against the stored NT Hash. This detects password changes +that have not updated the password hashes. In this case +samba-tool user will ignore the stored +hash values. + + +Being able to obtain the hashed password helps, when +they need to be imported into other authentication systems +later (see samba-tool user +getpassword) or you want to keep the passwords in +sync with another system, e.g. an OpenLDAP server (see +samba-tool user +syncpasswords). + +unix password sync + + + + +CryptSHA256 +CryptSHA256 CryptSHA512 +CryptSHA256:rounds=5000 CryptSHA512:rounds=7000 +
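Review bot: the description says "The value of this option is a hash type", but the examples at the end of the hunk ("CryptSHA256 CryptSHA512", "CryptSHA256:rounds=5000 CryptSHA512:rounds=7000") show a space-separated list of several hash types, and the paragraph "Multiple instances of a hash type may be computed and stored" also presupposes a list; please state the list form explicitly, e.g. "The value of this option is a space-separated list of hash types", and say whether the same type may be listed more than once with different ":rounds=" values, since that is the only way to get "multiple instances" of one type from this parameter. In the rounds paragraph, "i.e. CryptSHA512:rounds=4500" should be "e.g.", because it is one example rather than a restatement. The paragraph on the stored NT hash check ends with "samba-tool user will ignore the stored hash values" without naming the subcommand; the later paragraph mentions "samba-tool user getpassword" and "samba-tool user syncpasswords", so name the subcommands that perform the check so an operator knows where a stale hash is silently dropped. Minor: the first sentence ("...additional passwords hash types for the user") is missing its terminating period and should read "additional password hash types".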