[SAMBA4] How should we store password hashes?
Stefan (metze) Metzmacher
metze at samba.org
Tue Feb 13 21:11:06 GMT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Stefan (metze) Metzmacher schrieb:
> Stefan (metze) Metzmacher schrieb:
>> Hi,
>
>> As we now know how the password fields are replicated,
>> I was thinking about how we should store them in our ldb.
>
>> I'd like to store them exactly are they're replicated,
>> (just without the session specific encryption). So that
>> the following attributes are stored rid crypted:
>> unicodePwd, ntPwdHistory, dBCSPwd and lmPwdHistory.
>
>> And the functions to access the hashes, like samdb_result_hash(), will
>> rid (de)crypt them on the fly.
>
>> I have a patch which passes the rid to this functions, to fix all the
>> callers (but it still uses the samba specific attributes and didn't to
>> rid crypt)
>
> Here are some dumps of the RPC-DSSYNC test, (here the hashes are without
> rid encryption to prove we get to the plain hashes)
>
> http://samba.org/~metze/ads/w2k3.blobs.txt
> http://samba.org/~metze/ads/sub1.w2k3.blobs.txt
I finally managed to get passwords from w2k, you need to use krb5 for
it, with ntlmssp you don't get the password fields, with w2k3 ntlmssp
also works.
http://samba.org/~metze/ads/w2k-mixed.blobs.txt
maybe it makes sense to compare the supplementalCredentials blobs,
as w2k3 store data in a different order and don't store Primary:WDigeset
stuff
metze
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
iD8DBQFF0ilqm70gjA5TCD8RAoeDAJ9bV6JYvikrCuzaN88T9fmjMZvuBgCfRUQy
nvnrVGygr6lQXek8FhA8qQM=
=hiaw
-----END PGP SIGNATURE-----
More information about the samba-technical
mailing list