[Samba] samba password hashes exposed to ldapsearch

Amin Al-Regan reganaminal at gmail.com
Mon Jul 28 20:32:49 GMT 2008


After setting up Samba to work with an FDS LDAP server:
http://directory.fedoraproject.org/wiki/Howto:Samba

... I see that the samba password hashes are shown with a simple ldapsearch
command.

If you scroll to the bottom of the page linked above and see the search
results for:

ldapsearch -x -Z '(uid=testuser)'

You will see the hashes:

sambaLMPassword: CFA95C51F11AB11DC2265B23734E0DAC
sambaNTPassword: B2D88A4A9B0DAEE170E75F67D54918F6

This seems to be confidential information that you would not want
showing in an anonymous LDAP search.

... For the same reason you would not want open permissions on your shadow
password file.

I see that the userPassword hash is not shown in the example above.  In my
tests, I only see this Unix password hash if I run ldapsearch as
"cn=Directory Manager".

Is there a way to also hide the Samba password hashes without breaking
Samba functionality?  Say, by using some LDAP rights-management tool to
limit access to these attributes to certain accounts.  Or does Samba require
these hashes to be generally readable?

-- 
Amin Al-Regan
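The "rights-management tool" on Fedora Directory Server is the access control instruction (ACI) attribute on the suffix entry. The default install grants anonymous read on every attribute except userPassword, which is why the Unix hash is hidden and the Samba hashes are not. The LDIF below, added here as an illustration and not taken from the original post or from the FDS howto it links to, narrows that anonymous grant so sambaLMPassword and sambaNTPassword are treated like userPassword, and gives only a dedicated Samba service DN access to them. The suffix `dc=example,dc=com`, the service DN `uid=samba,ou=services,dc=example,dc=com` and the exact text of the existing "Enable anonymous access" ACI are assumptions; the delete step only succeeds if the value matches the server's current ACI byte for byte, so copy it from a search run as cn=Directory Manager first.

```ldif
# Constructed example: restrict anonymous access to the Samba hash attributes
# on an FDS/389 suffix. Apply with:
#   ldapmodify -x -ZZ -D "cn=Directory Manager" -W -f hide-samba-hashes.ldif
# The suffix, the service DN and the existing ACI text below are assumptions.
dn: dc=example,dc=com
changetype: modify
# 1. Remove the stock anonymous-read ACI (value must match exactly what the
#    server holds; obtain it with: ldapsearch -x -ZZ -D "cn=Directory Manager"
#    -W -b dc=example,dc=com -s base aci).
delete: aci
aci: (targetattr != "userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-
# 2. Re-add it with the Samba hash attributes excluded alongside userPassword.
#    Everything not listed here stays readable, so uid, displayName, sambaSID
#    and the other attributes Samba looks up are unaffected.
add: aci
aci: (targetattr != "userPassword || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-
# 3. Grant the Samba service account (the DN Samba binds with) read and write
#    on the hash attributes only: read for authentication, write so password
#    changes through Samba can still update the hashes.
add: aci
aci: (targetattr = "sambaLMPassword || sambaNTPassword")(version 3.0; acl "Samba service access to hashes"; allow (read, search, compare, write) userdn = "ldap:///uid=samba,ou=services,dc=example,dc=com";)
-
```

After applying it, re-run the anonymous search from the howto (`ldapsearch -x -Z '(uid=testuser)'`); the entry should come back without either samba*Password line, while the same search bound as the service DN (`-D "uid=samba,ou=services,dc=example,dc=com" -W`) still returns them. Samba itself does not need the hashes to be anonymously readable: with the ldapsam backend it binds using the `ldap admin dn` configured in smb.conf (credential stored with `smbpasswd -w`), so pointing that setting at a DN covered by the third ACI, rather than at cn=Directory Manager, keeps Samba working with the least access it needs.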

