Bug 15985 - Add Azure AD “aadhash” to password hash userPassword schemes
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2026-01-26 08:45 UTC by Simon Fonteneau
Modified: 2026-01-27 16:49 UTC

Description Simon Fonteneau 2026-01-26 08:45:03 UTC
Hello,

I often see discussions about removing the NT hash from Samba. In anticipation of that change, I’d like to propose an idea.

Today, the NT hash is used to send passwords to Azure via Azure AD Connect. It is then transformed into an “AAD hash” (aadhash).

I think it would be useful to add the aadhash to the “password hash userPassword schemes”, so that if/when we decide to remove the NT hash, the aadhash would still be available.

References:

https://github.com/tranquilit/AADInternals_python/blob/3c1ee0c42d9e5ffa8d72d4718e5b53447e8447a2/AADInternals.py#L727

https://github.com/Gerenios/AADInternals/blob/b135545d50a5a473c942139182265850f9d256c2/AzureADConnectAPI_utils.ps1#L279

I’m the author of AADInternals_python:
https://github.com/tranquilit/AzureADConnect_Samba4
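
Added example, not part of the original report and not code from Samba or AADInternals: a sketch of the NT hash to aadhash derivation the description refers to. It assumes the scheme Microsoft documents for password hash synchronization (hex of the NT hash encoded as UTF-16LE, 10-byte per-user salt, PBKDF2-HMAC-SHA256, 1000 iterations, 32-byte output) and the `v1;PPH1_MD4,<salt>,<iterations>,<hash>;` layout from the AADInternals code linked above; the function names, the hex case and the sample NT hash are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 1000  # PBKDF2 rounds (assumed from Microsoft's description)
SALT_LEN = 10      # per-user salt length in bytes
DK_LEN = 32        # derived key length in bytes


def _expand(nt_hash: bytes) -> bytes:
    """16-byte NT hash -> 32 hex chars -> 64 bytes of UTF-16LE."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return nt_hash.hex().upper().encode("utf-16-le")  # uppercase is an assumption


def aadhash_from_nt(nt_hash: bytes, salt: Optional[bytes] = None) -> str:
    """Derive the aadhash string; a fresh random salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 10 bytes")
    dk = hashlib.pbkdf2_hmac("sha256", _expand(nt_hash), salt, ITERATIONS, DK_LEN)
    return f"v1;PPH1_MD4,{salt.hex()},{ITERATIONS},{dk.hex()};"


def verify_aadhash(nt_hash: bytes, aadhash: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = aadhash.split(";")
    if len(parts) != 3 or parts[0] != "v1" or parts[2] != "":
        return False
    fields = parts[1].split(",")
    if len(fields) != 4 or fields[0] != "PPH1_MD4":
        return False
    try:
        salt = bytes.fromhex(fields[1])
        iterations = int(fields[2])
        expected = bytes.fromhex(fields[3])
    except ValueError:
        return False
    # Reject malformed or unexpectedly expensive parameters before hashing.
    if len(salt) != SALT_LEN or len(expected) != DK_LEN or not 1 <= iterations <= 100000:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _expand(nt_hash), salt, iterations, DK_LEN)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    sample_nt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
    print(aadhash_from_nt(sample_nt))
```

The input is the NT hash, not the cleartext, so anyone holding the NT hash can derive a matching aadhash for any salt; the PBKDF2 step protects the NT hash from being recovered from the aadhash, not the other way round.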