[Samba] Being able to read password hashes
jdavis at standard.k12.ca.us
Mon Jul 21 18:35:34 MDT 2014
So, bottom line, ldapsearch (from openldap) won't work even if accessed from the DC?
oy. I get it's a microsofty security "feature" but in my mind admin is ADMIN. aka root. aka do what I say and don't ask questions.
So we would HAVE to use ldbsearch on the local server ONLY for such things?
FWIW I am not looking to retrieve and decrypt passwords, just save the hashes into an LDIF to re-apply to the user's account.
Thanks for the info, hope I can figure this out. When I told my techs the password save/restore scripts would not work anymore there was much pouting and gnashing of teeth.
----- Original Message -----
From: "Andrew Bartlett" <abartlet at samba.org>
To: "gaiseric vandal" <gaiseric.vandal at gmail.com>
Cc: samba at lists.samba.org
Sent: Monday, July 21, 2014 4:32:10 PM
Subject: Re: [Samba] Being able to read password hashes
On Mon, 2014-07-21 at 13:38 -0400, Gaiseric Vandal wrote:
> Is the concern here that unauthorized users can get the password hashes
> and therefore decrypt them? Or is the concern that they might be
> sniffed over the network somehow?
> I would guess that no matter what system you use , a sysadmin will have
> the ability to get the password hashes from the server.
We don't allow access to this over the network, but these keys are
stored in the local ldb files, for use in authentication. That is why
your sam.ldb.d directory should be mode 0700.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Jefferson K Davis
Technology and Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA 93308
661.392.2110 ext 120 (office)
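A quick check of the point Andrew makes above (the local ldb files hold the password hashes, so sam.ldb.d should be mode 0700). This is an added example, not code from the thread or from Samba itself; the default path /var/lib/samba/private/sam.ldb.d is an assumption, so pass your DC's private directory as the first argument if it differs.

```shell
# Added example (not from the thread or Samba): verify that the Samba AD DC
# sam.ldb.d directory, which holds the local ldb files containing password
# hashes, is owner-only (0700) and that nothing inside it is group- or
# world-accessible. The default path below is an assumption.

# Print the permission bits of a path as three octal digits (GNU and BSD stat).
perm_bits() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null)
    printf '%s\n' "${m#${m%???}}"   # keep only the last three digits
}

# Returns 0 if the directory and every entry in it are owner-only,
# 1 if any entry grants group/other bits, 2 if the directory is missing.
check_sam_ldb_perms() {
    dir="${1:-/var/lib/samba/private/sam.ldb.d}"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    rc=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue          # empty directory: glob stays literal
        bits=$(perm_bits "$p")
        case "$bits" in
            ?00) ;;                      # group and other have no bits at all
            *) echo "WARNING: $p is mode $bits, expected owner-only" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```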