About SECRETS_MACHINE_ACCT_PASS and passwords in secrets
obnox at samba.org
Thu May 20 02:20:58 MDT 2010
Andrew was quicker to answer :-), but here are some additional comments
with pointers into the code:
Andrew Bartlett wrote:
> On Thu, 2010-05-20 at 09:12 +0400, Matthieu Patou wrote:
> > Hello,
> > While digging into samba 3.x code I found this variable with the
> > following comment
> > /* the first one is for the hashed password (NT4 style) the latter
> > for plaintext (ADS)
> > */
> > The second variable is SECRETS_MACHINE_PASSWORD.
> > My first question is: it seems that the variable
> > SECRETS_MACHINE_ACCT_PASS is not used anymore, so why not remove it or at
> > least add a clear comment?
Well, it is actually used in passdb/machine_account_secrets.c in
the function machine_password_keystr(), so we could not remove it
just like that.
> Yes, only very old legacy databases would have the hashed version these
> > Second question is: are we storing password in clear in secrets.ldb ?
> > If so why ? can't we store the hashed version ?
> We can't just store the hashed version unless we know the correct
> hashing and all the kerberos encryption types we expect to use at join
> In the end, it's no less secure and easier to just store the plaintext -
> it allows us to figure the rest out later.
Right, the plain text password is used to initialize the kerberos
keys in, for instance, libads/kerberos.c:ads_kinit_password() etc.
Cheers - Michael
> There are other reasons too - I worked on this code with tridge in its
> very early days, and we just didn't know as much about Kerberos at the
> Andrew Bartlett
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Cisco Inc.
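An added illustration of the point Andrew and Michael make above (example code, not Samba's own): the arcfour-hmac Kerberos key is exactly the NT hash, i.e. MD4 over the UTF-16LE password, while the AES keys of RFC 3962 start from PBKDF2 over the plaintext and a realm/hostname salt, so a stored NT hash alone cannot yield them. MD4 is implemented inline because OpenSSL 3 often disables it in hashlib; only the PBKDF2 stage of the AES string-to-key is shown (the final DK step needs an AES primitive the standard library lacks), and the realm and hostname used in the salt are made up.

```python
import hashlib
import struct


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; written out here because hashlib's md4 is often unavailable."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for f, K, shifts, idx in rounds:
            for i, k in enumerate(idx):
                t = (-i) % 4  # register updated in this step: a, d, c, b, a, ...
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _lrot((v[t] + f(x, y, z) + X[k] + K) & 0xFFFFFFFF, shifts[i % 4])
        state = [(s + w) & 0xFFFFFFFF for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is also the arcfour-hmac Kerberos key."""
    return md4(password.encode("utf-16-le"))


def aes256_pbkdf2_stage(password: str, salt: str) -> bytes:
    """PBKDF2 stage of the RFC 3962 aes256-cts-hmac-sha1-96 string-to-key.

    Needs the plaintext and the salt (for an AD computer account, by convention,
    REALM + "host" + lowercase FQDN); the NT hash is useless as input here.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    secret = "password"  # constructed sample machine password
    salt = "EXAMPLE.COMhostws01.example.com"  # constructed realm and hostname
    print("arcfour-hmac key / NT hash:", nt_hash(secret).hex())
    print("aes256 PBKDF2 stage:       ", aes256_pbkdf2_stage(secret, salt).hex())
```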