[Samba] Being able to read password hashes

Jefferson Davis jdavis at standard.k12.ca.us
Mon Jul 21 18:35:34 MDT 2014

So, bottom line, ldapsearch (from openldap) won't work even if accessed from the DC? 

oy. I get it's a microsofty security "feature" but in my mind admin is ADMIN. aka root. aka do what I say and don't ask questions. 

So we would HAVE to use ldbsearch on the local server ONLY for such things? 

FWIW I am not looking to retrieve and decrypt passwords, just save the hashes into an LDIF to re-apply to the user's account. 

Thanks for the info, hope I can figure this out. When I told my techs the password save/restore scripts would not work anymore there was much pouting and gnashing of teeth. 

----- Original Message -----

From: "Andrew Bartlett" <abartlet at samba.org> 
To: "gaiseric vandal" <gaiseric.vandal at gmail.com> 
Cc: samba at lists.samba.org 
Sent: Monday, July 21, 2014 4:32:10 PM 
Subject: Re: [Samba] Being able to read password hashes 

On Mon, 2014-07-21 at 13:38 -0400, Gaiseric Vandal wrote: 
> Is the concern here that unauthorized users can get the password hashes 
> and therefore decrypt them? Or is the concern that they might be 
> sniffed over the network somehow? 
> I would guess that no matter what system you use , a sysadmin will have 
> the ability to get the password hashes from the server. 

We don't allow access to this over the network, but these keys are 
stored in the local ldb files, for use in authentication. That is why 
your sam.ldb.d directory should be mode 0700. 

Andrew Bartlett 

Andrew Bartlett 
Authentication Developer, Samba Team http://samba.org 
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba 

To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba 


Jefferson K Davis 
Technology and Information Systems Manager 
Standard School District 
1200 North Chester Ave 
Bakersfield, CA 93308 
661.392.2110 ext 120 (office) 

District Users: Click here to report technology issues 

More information about the samba mailing list