[Samba] Proof of samba 4 ad storing passwords in a secure manner
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Aug 25 19:08:17 UTC 2015
On 25/08/15 19:42, Krutskikh Ivan wrote:
> Hi everyone,
>
> We are installing a big system which uses samba 4 ad dc. Our customer asked
> if we can prove that passwords are stored securely in dc. How can we do in
> in a most interactive way?
>
> Thanks in advance!
Well you could ask them if they accept that windows AD stores passwords
securely, if they do, you can then point out that Samba 4 AD stores them
in exactly the same way.
The passwords are stored in a write only attribute i.e. you cannot read
it over the wire, it is a 64bit unicode password, so I cannot really
tell you how to test it because, well you cannot :-)
You can read the password, but only by logging into the samba 4 AD DC
and connecting directly to the sam.ldb file, you would then need to
crack the stored password and I am not entirely sure this is possible.
Rowland
More information about the samba
mailing list