excessive SHA1 calls

Andrew Bartlett abartlet at samba.org
Sat Nov 26 06:25:34 GMT 2005


On Fri, 2005-11-25 at 12:32 +1100, tridge at samba.org wrote:
> Andrew,
> 
>  > I think I just need to store it in the secrets.ldb along with the
>  > password, or make a real keytab, and reference that in the secrets.ldb.
> 
> oh, I'd assumed this was the user's password, which we normally store
> in sam.ldb. Is this a machine password which is being number crunched
> so heavily?

At this point it is, as smbd tries to create a keytab for a possible
incoming Kerberos connection.

Later, in the KDC the krbtgt's, user's and server's passwords will be
similarly crunched, unless the KDC stores the pre-hashed passwords in
addition to the plaintext in unicodePwd.

This is much like Samba3, except that in Samba3 we typically didn't have
a Kerberos library that supported the AES encryption type.  It will
become more of a problem in Samba3 as Kerberos is upgraded (both KDC and
client lib side).

(But because communication is to localhost, Kerberos is skipped, these
later steps don't happen, and the selftest runs with NTLMSSP only).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
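
An added illustration (not from the thread or from Samba's code): the AES enctypes of RFC 3962 derive the key from the password with PBKDF2-HMAC-SHA1 at a default of 4096 iterations, which is where the SHA1 volume comes from, and keeping the derived key beside the secret pays that cost once per password change. `SecretRecord`, the salt and the passwords are constructed for the example, and only the PBKDF2 stage is shown (the RFC's final AES-based DK step is omitted).

```python
import hashlib

ITERATIONS = 4096                        # RFC 3962 default iteration count
KEY_BYTES = {"aes128": 16, "aes256": 32}
SHA1_LEN = 20                            # bytes per HMAC-SHA1 output block


def hmac_calls(enctype, iterations=ITERATIONS):
    """HMAC-SHA1 invocations PBKDF2 makes to derive one key of this enctype."""
    blocks = -(-KEY_BYTES[enctype] // SHA1_LEN)   # ceiling division
    return blocks * iterations


def pbkdf2_stage(password, salt, enctype, iterations=ITERATIONS):
    """PBKDF2 stage of the RFC 3962 string-to-key (final DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations,
                               KEY_BYTES[enctype])


class SecretRecord:
    """Hypothetical record: a plaintext secret plus the keys derived from it."""

    def __init__(self, password, salt):
        self.password, self.salt = password, salt
        self.derived = {}        # enctype -> key bytes; as sensitive as the password
        self.derivations = 0     # how many times the expensive path ran

    def key(self, enctype):
        if enctype not in self.derived:
            self.derived[enctype] = pbkdf2_stage(self.password, self.salt, enctype)
            self.derivations += 1
        return self.derived[enctype]

    def set_password(self, password):
        # Stored keys are only valid for the password they were derived from.
        self.password = password
        self.derived.clear()


def demo():
    # Constructed machine-account secret and salt, for illustration only.
    rec = SecretRecord("constructed-machine-secret", "EXAMPLE.COMhostsrv.example.com")
    first = [rec.key("aes256") for _ in range(100)]   # 100 keytab builds, 1 derivation
    rec.set_password("rotated-secret")
    return rec.derivations, first[0] != rec.key("aes256"), rec.derivations


if __name__ == "__main__":
    print(hmac_calls("aes128"), hmac_calls("aes256"), demo())
```

The stored keys are password equivalents for Kerberos, so they need the same access controls as the plaintext they sit beside.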