About SECRETS_MACHINE_ACCT_PASS and passwords in secrets

Michael Adam obnox at samba.org
Thu May 20 02:20:58 MDT 2010


Hi Matthieu,

Andrew was quicker to answer, :-) , but here are some additional comments
with pointers into the code:

Andrew Bartlett wrote:
> On Thu, 2010-05-20 at 09:12 +0400, Matthieu Patou wrote:
> > Hello,
> > 
> > While digging into the samba 3.x code I found this variable with the
> > following comment:
> > /* the first one is for the hashed password (NT4 style) the latter
> >     for plaintext (ADS)
> > */
> > The second variable is SECRETS_MACHINE_PASSWORD.
> > 
> > My first question is: it seems that the variable
> > SECRETS_MACHINE_ACCT_PASS is not used anymore; why not remove it, or at
> > least add a clear comment?

Well, it is actually used in passdb/machine_account_secrets.c in
the function machine_password_keystr(), so we could not remove it
just like that.

> Yes, only very old legacy databases would have the hashed version these
> days. 
> 
> > Second question is: are we storing the password in clear in secrets.ldb?
> > If so, why? Can't we store the hashed version?
> 
> We can't just store the hashed version unless we know the correct
> hashing and all the kerberos encryption types we expect to use at join
> time.  
> 
> In the end, it's no less secure and easier to just store the plaintext -
> it allows us to figure the rest out later. 

Right, the plaintext password is used to initialize the Kerberos
keys in, for instance, libads/kerberos.c:ads_kinit_password() etc.

Cheers - Michael

> There are other reasons too - I worked on this code with tridge in its
> very early days, and we just didn't know as much about Kerberos at the
> time.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
