[Patches] Fixes for machine password problems [bug #12262]
abartlet at samba.org
Sun Feb 26 03:04:35 UTC 2017
On Mon, 2017-02-20 at 20:08 +0100, Stefan Metzmacher wrote:
> here's some patches to fix problem with the random passwords
> winbindd sets every week (by default).
> In Samba 4.2 we only used ascii passwords, but with 4.3
> we're using random unicode passwords. This causes
> a lot of trouble if someone uses "unix charset != utf8".
> But also with unix charset = utf8 it can sometimes happen
> that kerberos authentication start to fail if
> the password uses code points > 0xffff.
> Please review and push:-)
This is a really good patch set, and I'm sorry I didn't notice until I
wondered 'what are all these patches being backported?'. I really like
the care taken to research NT4 and the improvement to our security by
bumping up the password length.
Now we have this all sorted out, we should have winbindd rotate the DC
password weekly as well, as currently this is forced off.
> PS: As future improvement we could calculate the
> ENCTYPE_ARCFOUR_HMAC in smb_krb5_create_key_from_string()
> ourself using E_md4hash(). In the long run we may also
> store the precalculated hashes when we change the password
> and then use them for the servers in memory keytab
> and as a client use this in memory keytab for kinit,
> then we could use true random utf16 buffers like microsoft.
Even if we don't change how we generate them, we should be using pre-
calculated hashes for the in-memory keytab, as the time spent running
millions of SHA1 before very connection for the AES keys is a real
waste. (We can checksum them by ensuring the MD4 enctype matches the
string, as MD4 is cheap).
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical