[Samba] samba password hashes exposed to ldapsearch

Amin Al-Regan reganaminal at gmail.com
Mon Jul 28 20:32:49 GMT 2008

After setting up Samba to work with an FDS LDAP server:

... I see that the samba password hashes are shown with a simple ldapsearch

If you scroll to the bottom of the page linked above and see the search
results for:

ldapsearch -x -Z '(uid=testuser)'

You will see the hashes:

sambaLMPassword: CFA95C51F11AB11DC2265B23734E0DAC
sambaNTPassword: B2D88A4A9B0DAEE170E75F67D54918F6

This seems to be confidential information that you would not want
showing in a anonymous LDAP search.

... For the same reason you would not want open permissions on your shadow
password file.

I see that the userPassword hash is not shown in the example above.  In my
tests, I only see this Unix password hash if I run ldapsearch as
"cn=Directory Manager".

Is there are way to also hide the Samba password hashes without breaking
Samba functionality?  Say, by using some LDAP rights-management tool to
limit access to these attributes to certain accounts.  Or does Samba require
these hashes to be generally readable?

Amin Al-Regan

More information about the samba mailing list