Univention Bugzilla – Bug 49964
S4-Connector: Allow missing NT-Hash (sambaNTpassword)
Last modified: 2020-12-04 12:30:18 CET
Created attachment 10150
s4c_allow_missing_nthash.patch

Imagine a UCS domain without NT Hashes. Citing John Lennon:

"It's easy if you try. No hell below us. Above us only sky"

Ok, let's assume you have a UCS domain without Samba/AD and you only want strong password hashes (according to our current state of the art). So you would adjust the krb5.conf to only allow AES keys and no RC4 or DES. Fine, we can also adjust the udm users/user code to not generate the sambaNTpassword either.

Now you may ask, ok fine, what's the S4-Connector got to do with it then? Well, at some point the customer may go to the Appcenter and choose to install Samba/AD, and then it would be great to gracefully handle this. The S4-Connector could just allow the NT-Hash (sambaNTpassword) to be missing from an account.

The attached patch would allow bidirectional replication of the krb5Keys with supplementalCredentials without the sambaNTpassword attribute.