About SECRETS_MACHINE_ACCT_PASS and passwords in secrets

Matthieu Patou mat at samba.org
Thu May 20 08:49:57 MDT 2010



"Michael Adam" <obnox at samba.org> wrote:

>Hi Matthieu,
>
>Andrew was quicker to answer, :-) , but here are some additional comments
>with pointers into the code:
>
>Andrew Bartlett wrote:
>> On Thu, 2010-05-20 at 09:12 +0400, Matthieu Patou wrote:
>> > Hello,
>> > 
>> > While digging into samba 3.x code I found this variable with the 
>> > following comment
>> > /* the first one is for the hashed password (NT4 style) the latter
>> >     for plaintext (ADS)
>> > */
>> > The second variable is SECRETS_MACHINE_PASSWORD.
>> > 
>> > My first question is: it seems that the variable
>> > SECRETS_MACHINE_ACCT_PASS is not used anymore, why not remove it or at
>> > least a clear comment.
>
>Well, it is actually used in passdb/machine_account_secrets.c in
>the function machine_password_keystr(), so we could not remove it
>just like that.
>
Are you sure? For it looks like it is in trust_keystr, which indeed is used for legacy stuff.
>> Yes, only very old legacy databases would have the hashed version these
>> days. 
>> 
>> > Second question is: are we storing the password in clear in secrets.ldb?
>> > If so, why? Can't we store the hashed version?
>> 
>> We can't just store the hashed version unless we know the correct
>> hashing and all the kerberos encryption types we expect to use at join
>> time.  
>> 
>> In the end, it's no less secure and easier to just store the plaintext -
>> it allows us to figure the rest out later. 
>
>Right, the plain text password is used to initialize the kerberos
>keys in, for instance, libads/kerberos.c:ads_kinit_password() etc.
>
>Cheers - Michael
>
>> There are other reasons too - I worked on this code with tridge in its
>> very early days, and we just didn't know as much about Kerberos at the
>> time. 
>> 
>> Andrew Bartlett
>> 
>> -- 
>> Andrew Bartlett                                http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org
>> Samba Developer, Cisco Inc.
>

Samba team.   http://samba.org

