About SECRETS_MACHINE_ACCT_PASS and passwords in secrets

Andrew Bartlett abartlet at samba.org
Thu May 20 02:09:29 MDT 2010


On Thu, 2010-05-20 at 09:12 +0400, Matthieu Patou wrote:
> Hello,
> 
> While digging into samba 3.x code I found this variable with the 
> following comment
> /* the first one is for the hashed password (NT4 style) the latter
>     for plaintext (ADS)
> */
> The second variable is SECRETS_MACHINE_PASSWORD.
> 
> My first question is: it seems that the variable
> SECRETS_MACHINE_ACCT_PASS is not used anymore; why not remove it, or at
> least add a clear comment?

Yes, only very old legacy databases would have the hashed version these
days. 

> Second question is: are we storing the password in clear in secrets.ldb?
> If so, why? Can't we store the hashed version?

We can't just store the hashed version unless we know the correct
hashing and all the kerberos encryption types we expect to use at join
time.  

In the end, it's no less secure and easier to just store the plaintext -
it allows us to figure the rest out later. 

There are other reasons too - I worked on this code with tridge in its
very early days, and we just didn't know as much about Kerberos at the
time. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

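The point made above, that the hashed form only works if you already know the hashing and every Kerberos encryption type you will need, can be seen in the key derivations themselves. The following is an added example written for this page, not Samba code: it derives the NT hash (which is also the arcfour-hmac key) from the plaintext with no extra input, and the PBKDF2 stage of the RFC 3962 AES string-to-key, which needs a salt built from the realm and the principal name. The MD4 is a minimal standard-library reference implementation; the final DK("kerberos") AES step of RFC 3962 is left out because the standard library has no AES, which does not change the dependency being shown. The computer-account salt rule is this example's reading of MS-KILE 3.1.1.2 (REALM + "host" + lowercase hostname + "." + lowercase realm), and the realm EXAMPLE.COM, the account WS01$, and the password "password" are constructed sample values.

```python
"""Added example: why a stored NT hash cannot replace the plaintext machine password.

The NT hash is MD4 over the UTF-16LE password and uses no salt, so it follows
from the password alone and doubles as the arcfour-hmac key.  AES keys
(RFC 3962) start from PBKDF2-HMAC-SHA1 over the password and a salt built from
realm and principal name, so they cannot be produced from the NT hash, and
cannot be produced at all unless realm, principal and the enctype list are
known at derivation time.  Standard library only; MD4 is a reference version.
"""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (reference implementation, little-endian digest)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = [
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl(a + func(b, c, d) + x[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); no salt, and it is the arcfour-hmac key."""
    return md4(password.encode("utf-16-le"))


def computer_salt(realm: str, sam_account_name: str) -> bytes:
    """Default AD salt for a computer account, as this example reads MS-KILE 3.1.1.2:
    REALM + "host" + lowercase hostname (sAMAccountName without '$') + "." + lowercase realm."""
    host = sam_account_name.rstrip("$").lower()
    return (realm + "host" + host + "." + realm.lower()).encode("utf-8")


def aes_string_to_key_pbkdf2(password: str, salt: bytes, key_bytes: int, iterations: int = 4096) -> bytes:
    """PBKDF2 stage of RFC 3962 string-to-key for aes128/aes256-cts-hmac-sha1-96.
    The final key is DK(tkey, "kerberos"), one more AES step over this value,
    omitted here (no AES in the standard library).  The salt dependency is the point."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, key_bytes)


def derive_keys_at_join(password: str, realm: str, sam_account_name: str, enctypes):
    """Key material for every requested enctype, derivable because the plaintext is kept."""
    salt = computer_salt(realm, sam_account_name)
    keys = {}
    for et in enctypes:
        if et == "arcfour-hmac":
            keys[et] = nt_hash(password)
        elif et == "aes128-cts-hmac-sha1-96":
            keys[et] = aes_string_to_key_pbkdf2(password, salt, 16)
        elif et == "aes256-cts-hmac-sha1-96":
            keys[et] = aes_string_to_key_pbkdf2(password, salt, 32)
        else:
            raise ValueError("unsupported enctype: " + et)
    return keys


def derive_keys_from_nt_hash(nthash: bytes, enctypes):
    """What survives when only the NT hash (SECRETS_MACHINE_ACCT_PASS style) is stored:
    arcfour-hmac is the hash itself; every AES enctype is unrecoverable (None)."""
    return {et: (nthash if et == "arcfour-hmac" else None) for et in enctypes}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real domain.
    wanted = ["arcfour-hmac", "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"]
    from_plaintext = derive_keys_at_join("password", "EXAMPLE.COM", "WS01$", wanted)
    from_hash = derive_keys_from_nt_hash(nt_hash("password"), wanted)
    for et in wanted:
        print(f"{et:26s} plaintext -> {from_plaintext[et].hex()}")
        print(f"{'':26s} NT hash   -> {from_hash[et].hex() if from_hash[et] else 'not derivable'}")
```

The run shows the asymmetry the reply describes: the NT hash reaches arcfour-hmac and nothing else, while the plaintext reaches every enctype, but only once the salt inputs (realm, account name) and the enctype list are known, which at join time they may not be. It also illustrates the "no less secure" remark: the NT hash is a password-equivalent for arcfour-hmac, so storing it instead of the plaintext protects nothing that matters for that enctype.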