About SECRETS_MACHINE_ACCT_PASS and passwords in secrets
mat at samba.org
Thu May 20 08:49:57 MDT 2010
"Michael Adam" <obnox at samba.org> wrote:
>Andrew was quicker to answer, :-) , but here are some additional comments
>with pointers into the code:
>Andrew Bartlett wrote:
>> On Thu, 2010-05-20 at 09:12 +0400, Matthieu Patou wrote:
>> > Hello,
>> > While digging into samba 3.x code I found this variable with the
>> > following comment
>> > /* the first one is for the hashed password (NT4 style) the latter
>> > for plaintext (ADS)
>> > */
>> > The second variable is SECRETS_MACHINE_PASSWORD.
>> > My first question is: it seems that the variable
>> > SECRETS_MACHINE_ACCT_PASS is not used anymore why not removing it or at trust_keystr. Which indeed is used for legacy stuff.
>> > least as clear comment.
>Well, it is actually used in passdb/machine_account_secrets.c in
>the function machine_password_keystr(), so we could not remove it
>just like that.
Are you sure for it looks like it is in
>> Yes, only very old legacy databases would have the hashed version these
>> > Second question is: are we storing password in clear in secrets.ldb ?
>> > If so why ? can't we store the hashed version ?
>> We can't just store the hashed version unless we know the correct
>> hashing and all the kerberos encryption types we expect to use at join
>> In the end, it's no less secure and easier to just store the plaintext -
>> it allows us to figure the rest out later.
>Right, the plain text password is used to initialize the kerberos
>keys in, for instance, libads/kerberos.c:ads_kinit_password() etc.
>Cheers - Michael
>> There are other reasons too - I worked on this code with tridge in it's
>> very early days, and we just didn't know as much about Kerberos at the
>> Andrew Bartlett
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>> Samba Developer, Cisco Inc.
Samba team. http://samba.org
More information about the samba-technical