[Samba] getting rid of lmhashes?
Mark Proehl
M.Proehl at science-computing.de
Thu Mar 2 20:21:40 GMT 2006
Hi Jerry,
Thanks for your reply.
On Thu, Mar 02, 2006 at 11:17:58AM -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark Proehl wrote:
> > Hi,
> >
> > Is there a way of disabling the creation of the (insecure) LM hash in
> > the passdb backend of a Samba 3 PDC?
>
> IIRC setting 'lanman auth = no' might do this. Or
> alternatively just enforce password length > 14 characters.
>
I've already tried 'lanman auth = no'. But the LM hashes still exist
in my backend, and are modified by user password changes. Here is an example:
myhost:~ # testparm -sv | grep lanman
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[homes]"
Loaded services file OK.
WARNING: passdb expand explicit = yes is deprecated
Server role: ROLE_DOMAIN_PDC
lanman auth = No
client lanman auth = No
myhost:~ # smbpasswd -U mark
New SMB password: [qwert]
Retype new SMB password: [qwert]
myhost:~ #
mark at myhost:~> ldapsearch -LLL uid=mark sambaLMPassword sambaNTPassword
SASL/GSSAPI authentication started
SASL username: mark at EXAMPLE.COM
SASL SSF: 56
SASL installing layers
dn: uid=mark,ou=people,dc=example,dc=com
sambaLMPassword: 5422A4CDB0F1C794AAD3B435B51404EE
sambaNTPassword: BB8DEE57B13255F1AA58846079D98447
mark at myhost:~>
mark at myhost:~> smbpasswd
Old SMB password: [qwert]
New SMB password: [qwert123]
Retype new SMB password: [qwert123]
Password changed for user mark
mark at myhost:~>
mark at myhost:~> ldapsearch -LLL uid=mark sambaLMPassword sambaNTPassword
SASL/GSSAPI authentication started
SASL username: mark at EXAMPLE.COM
SASL SSF: 56
SASL installing layers
dn: uid=mark,ou=people,dc=example,dc=com
sambaLMPassword: 3E21EA326BDFFA1C1AA818381E4E281B
sambaNTPassword: 02DD45A60E87ED15BA143B2A95A3D5DF
mark at myhost:~>
As you can see, both the NTLM and the LM hash are modified after the user
password change.
I am aware that both hashes are equivalent to clear-text passwords
and must therefore be protected. But cracking passwords with tools
like john is much faster if the LM hashes are available, so I think
there should be an option to disable them.
Mark