[SAMBA4] How should we store password hashes?

Stefan (metze) Metzmacher metze at samba.org
Tue Feb 13 09:50:38 GMT 2007


Stefan (metze) Metzmacher schrieb:
> Hi,
> 
> As we now know how the password fields are replicated,
> I was thinking about how we should store them in our ldb.
> 
> I'd like to store them exactly as they're replicated
> (just without the session specific encryption), so that
> the following attributes are stored rid crypted:
> unicodePwd, ntPwdHistory, dBCSPwd and lmPwdHistory.
> 
> And the functions to access the hashes, like samdb_result_hash(), will
> rid (de)crypt them on the fly.
> 
> I have a patch which passes the rid to these functions, to fix all the
> callers (but it still uses the samba specific attributes and doesn't
> rid crypt).

Here are some dumps of the RPC-DSSYNC test (here the hashes are without
rid encryption, to prove we get to the plain hashes):

http://samba.org/~metze/ads/w2k3.blobs.txt
http://samba.org/~metze/ads/sub1.w2k3.blobs.txt

It would be cool to use supplementalCredentials instead of
msDs-KeyVersionNumber and krb5keys... But I don't have time to look at
the format currently... So the next step for me would be to use
"unicodePwd", "dBCSPwd", "ntPwdHistory" and "lmPwdHistory" (all rid
crypted) instead of our own "ntPwdHash", "lmPwdHash",
"sambaNTPwdHistory" and "sambaLMPwdHistory", but still use
msDs-KeyVersionNumber and krb5keys,

and later move to supplementalCredentials when someone figures out the
format and implements a parser for it.

The format of the secrets and trust info fields also needs work...

metze