[Samba] samba password hashes exposed to ldapsearch
reganaminal at gmail.com
Mon Jul 28 20:32:49 GMT 2008
After setting up Samba to work with an FDS LDAP server:
... I see that the samba password hashes are shown with a simple ldapsearch
If you scroll to the bottom of the page linked above and see the search
ldapsearch -x -Z '(uid=testuser)'
You will see the hashes:
This seems to be confidential information that you would not want
showing in an anonymous LDAP search.
... For the same reason you would not want open permissions on your shadow
I see that the userPassword hash is not shown in the example above. In my
tests, I only see this Unix password hash if I run ldapsearch as
Is there a way to also hide the Samba password hashes without breaking
Samba functionality? Say, by using some LDAP rights-management tool to
limit access to these attributes to certain accounts. Or does Samba require
these hashes to be generally readable?
More information about the samba
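An added example, not part of the original post: the attribute-level restriction the question asks about, expressed as an ldapmodify LDIF that rewrites the stock FDS/389 anonymous-read ACI so it withholds sambaLMPassword and sambaNTPassword alongside userPassword, plus a small checker that scans anonymous ldapsearch output for any of those attributes still leaking. The suffix, the stock ACI text in OLD_ACI and the sample search output are assumptions/constructed, not taken from the post or the linked page.

```python
import re

# Attributes that Samba's LDAP schema uses for the NT/LM hashes, plus the
# Unix hash (names from the Samba schema and LDAP standards, not the post).
SECRET_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword"}

# Assumed stock FDS/389 anonymous-read ACI on the suffix entry.
OLD_ACI = ('(targetattr != "userPassword")(version 3.0; acl "Enable anonymous '
           'access"; allow (read, search, compare) userdn = "ldap:///anyone";)')

def anonymous_read_aci_fix(suffix="dc=example,dc=com"):
    """Build an LDIF modify (feed to ldapmodify as Directory Manager) that
    replaces OLD_ACI with one that also excludes the Samba hash attributes
    from anonymous read/search/compare. Delete+add keeps other ACIs intact."""
    new_aci = OLD_ACI.replace(
        '"userPassword"', '"userPassword || sambaLMPassword || sambaNTPassword"')
    return (f"dn: {suffix}\nchangetype: modify\n"
            f"delete: aci\naci: {OLD_ACI}\n-\n"
            f"add: aci\naci: {new_aci}\n")

# Constructed sample of anonymous ldapsearch output (not real server data);
# the LM value is folded across two lines as LDIF permits.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=example,dc=com
uid: testuser
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: FEDCBA9876543210FED
 CBA9876543210
dn: uid=other,ou=People,dc=example,dc=com
uid: other
"""

def exposed_secret_attrs(ldif_text):
    """Return {dn: [attr, ...]} for entries in ldapsearch LDIF output that
    still expose a secret attribute. Run it over an anonymous (-x) search
    after the ACI change to confirm the hashes no longer appear."""
    unfolded = re.sub(r"\n ", "", ldif_text)  # join LDIF continuation lines
    exposed, dn = {}, None
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")  # also matches "attr:: base64"
        attr = attr.strip().lower()
        if attr == "dn":
            dn = value.lstrip(": ").strip()
        elif attr in SECRET_ATTRS and dn:
            exposed.setdefault(dn, []).append(attr)
    return {d: sorted(a) for d, a in exposed.items()}
```

Samba itself reads these attributes through the bind DN configured as `ldap admin dn` in smb.conf, so restricting anonymous access does not break it as long as that DN keeps read rights.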