[SAMBA4] How should we store password hashes?
Stefan (metze) Metzmacher
metze at samba.org
Tue Feb 13 21:11:06 GMT 2007
Stefan (metze) Metzmacher wrote:
> Stefan (metze) Metzmacher wrote:
>> As we now know how the password fields are replicated,
>> I was thinking about how we should store them in our ldb.
>> I'd like to store them exactly as they're replicated,
>> (just without the session specific encryption). So that
>> the following attributes are stored rid crypted:
>> unicodePwd, ntPwdHistory, dBCSPwd and lmPwdHistory.
>> And the functions to access the hashes, like samdb_result_hash(), will
>> rid (de)crypt them on the fly.
>> I have a patch which passes the rid to these functions, to fix all the
>> callers (but it still uses the samba specific attributes and doesn't do
>> rid crypt)
> Here are some dumps of the RPC-DSSYNC test, (here the hashes are without
> rid encryption to prove we get to the plain hashes)
I finally managed to get passwords from w2k, you need to use krb5 for
it, with ntlmssp you don't get the password fields, with w2k3 ntlmssp
maybe it makes sense to compare the supplementalCredentials blobs,
as w2k3 stores data in a different order and doesn't store Primary:WDigest