[Samba] Proof of samba 4 ad storing passwords in a secure manner

Rowland Penny rowlandpenny241155 at gmail.com
Tue Aug 25 19:08:17 UTC 2015

On 25/08/15 19:42, Krutskikh Ivan wrote:
> Hi everyone,
> We are installing a big system which uses samba 4 ad dc. Our customer asked
> if we can prove that passwords are stored securely in dc. How can we do in
> in a most interactive way?
> Thanks in advance!

Well you could ask them if they accept that windows AD stores passwords 
securely, if they do, you can then point out that Samba 4 AD stores them 
in exactly the same way.

The passwords are stored in a write only attribute i.e. you cannot read 
it over the wire, it is a 64bit unicode password, so I cannot really 
tell you how to test it because, well you cannot :-)

You can read the password, but only by logging into the samba 4 AD DC 
and connecting directly to the sam.ldb file, you would then need to 
crack the stored password and I am not entirely sure this is possible.


More information about the samba mailing list