[Samba] Proof of samba 4 ad storing passwords in a secure manner

Rowland Penny rowlandpenny241155 at gmail.com
Wed Aug 26 10:29:13 UTC 2015


On 26/08/15 11:15, Krutskikh Ivan wrote:
> Thanks, that helped me a lot =) But it doesn't seem that sam.ldb holds 
> any password data. I found something similar in file (my domain is 
> NOVO.MTT)
>
> /usr/local/samba/private/sam.ldb.d/DC=NOVO,DC=MTT.ldb
>
> 2015-08-26 5:30 GMT+03:00 Andrew Bartlett <abartlet at samba.org>:
>
>     On Tue, 2015-08-25 at 20:08 +0100, Rowland Penny wrote:
>     > On 25/08/15 19:42, Krutskikh Ivan wrote:
>     > > Hi everyone,
>     > >
>     > > We are installing a big system which uses samba 4 ad dc. Our
>     > > customer asked
>     > > if we can prove that passwords are stored securely in dc. How can
>     > > we do in
>     > > in a most interactive way?
>     > >
>     > > Thanks in advance!
>     >
>     > Well you could ask them if they accept that windows AD stores
>     > passwords
>     > securely, if they do, you can then point out that Samba 4 AD stores
>     > them
>     > in exactly the same way.
>     >
>     > The passwords are stored in a write only attribute i.e. you cannot
>     > read
>     > it over the wire, it is a 64bit unicode password, so I cannot really
>     > tell you how to test it because, well you cannot :-)
>     >
>     > You can read the password, but only by logging into the samba 4
>     > AD DC
>     >
>     > and connecting directly to the sam.ldb file, you would then need to
>     > crack the stored password and I am not entirely sure this is
>     > possible.
>
>     This is a pretty good summary of the situation.  The passwords are as
>     secure as:
>      - The administrator passwords (because administrators can join
>     new DCs
>     over the network, and so get the passwords)
>      - The permissions and access control to the sam.ldb file
>
>     The only point I would make is that the attributes are
>     password-equivalent, and some values are unhashed, so they are as good as
>     plaintext passwords to an attacker.
>
>     We do generally avoid printing them in logs, but be careful where you
>     send your logs to.
>
>     We also do not show these attributes, even when directly attached to
>     sam.ldb, by default in searches, for the same reason, to make mistakes
>     harder.
>
>     I am interested in adding an extension to Samba to store a
>     key-encrypting-key in secrets.tdb (so that accidental disclosure of
>     sam.ldb would be less damaging), or to optionally use a hardware
>     encryption device, but these only impact offline attacks, online
>     access
>     is required for the DC to operate.
>
>     I hope this clarifies things.
>
>     Andrew Bartlett
>
>
>     --
>     Andrew Bartlett
>     https://samba.org/~abartlet/
>     Authentication Developer, Samba Team https://samba.org
>     Samba Development and Support, Catalyst IT
>     https://catalyst.net.nz/services/samba
>

You have to explicitly ask for the 'unicodePwd' attribute, it isn't 
normally shown.

Rowland
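The thread makes the point that the secrets in sam.ldb (and the partition files under sam.ldb.d, such as the DC=NOVO,DC=MTT.ldb file Ivan found) are only as safe as the permissions on those files. The script below is an added example, not code from the Samba project or from anyone in this thread: it audits a private directory for files that are group- or world-readable or not owned by the expected user. The function names (`audit_private_dir`, `count_lax_files`, `make_sample`) and the sample layout it builds in a temporary directory are constructed for this example; a real DC would be checked by pointing it at the private directory from the thread, `/usr/local/samba/private`, with `root` as the expected owner.

```shell
#!/bin/sh
# Added example (not from the Samba list thread): check that the Samba
# private directory does not leak sam.ldb or its partition files through
# lax file permissions or unexpected ownership.

# audit_private_dir DIR [OWNER]
#   Prints every regular file under DIR that is readable by group or others,
#   or that is not owned by OWNER (default: root). Returns 0 when nothing is
#   found, 1 otherwise.
audit_private_dir() {
    dir=$1
    owner=${2:-root}
    # -perm -040: group-read bit set; -perm -004: other-read bit set;
    # ! -user: owner differs from the expected account
    offenders=$(find "$dir" -type f \
        \( -perm -040 -o -perm -004 -o ! -user "$owner" \) 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf 'files readable by group/others or not owned by %s:\n%s\n' \
            "$owner" "$offenders"
        return 1
    fi
    printf 'ok: no lax files under %s\n' "$dir"
    return 0
}

# count_lax_files DIR [OWNER]
#   Same check, but writes the number of offending files to stdout.
count_lax_files() {
    find "$1" -type f \
        \( -perm -040 -o -perm -004 -o ! -user "${2:-root}" \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# make_sample MODE
#   Builds a constructed, empty replica of the layout from the thread in a
#   temporary directory (sam.ldb plus sam.ldb.d/DC=NOVO,DC=MTT.ldb), applies
#   MODE to both files and prints the directory path. Not a real DC.
make_sample() {
    mode=$1
    d=$(mktemp -d)
    mkdir -p "$d/sam.ldb.d"
    : > "$d/sam.ldb"
    : > "$d/sam.ldb.d/DC=NOVO,DC=MTT.ldb"
    chmod "$mode" "$d/sam.ldb" "$d/sam.ldb.d/DC=NOVO,DC=MTT.ldb"
    printf '%s\n' "$d"
}

# Demonstration on constructed data: a 0644 sam.ldb is flagged, a 0600 one
# is not. The current user stands in for root so the demo runs unprivileged.
demo_dir=$(make_sample 644)
audit_private_dir "$demo_dir" "$(id -un)"
chmod 600 "$demo_dir/sam.ldb" "$demo_dir/sam.ldb.d/DC=NOVO,DC=MTT.ldb"
audit_private_dir "$demo_dir" "$(id -un)"
rm -rf "$demo_dir"
```

On a production DC the call would be `audit_private_dir /usr/local/samba/private root`. This checks only the file-level exposure that Andrew lists as one of the two limits on password security; the other, administrator credentials that can join a new DC and replicate the secrets over the network, is not something a file audit can cover.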
