[Samba] Proof of samba 4 ad storing passwords in a secure manner

Andrew Bartlett abartlet at samba.org
Wed Aug 26 02:30:55 UTC 2015


On Tue, 2015-08-25 at 20:08 +0100, Rowland Penny wrote:
> On 25/08/15 19:42, Krutskikh Ivan wrote:
> > Hi everyone,
> > 
> > We are installing a big system which uses samba 4 ad dc. Our 
> > customer asked
> > if we can prove that passwords are stored securely in dc. How can 
> > we do in
> > in a most interactive way?
> > 
> > Thanks in advance!
> 
> Well you could ask them if they accept that windows AD stores 
> passwords 
> securely, if they do, you can then point out that Samba 4 AD stores 
> them 
> in exactly the same way.
> 
> The passwords are stored in a write only attribute i.e. you cannot 
> read 
> it over the wire, it is a 64bit unicode password, so I cannot really 
> tell you how to test it because, well you cannot :-)
> 
> You can read the password, but only by logging into the samba 4 AD DC 
> and connecting directly to the sam.ldb file, you would then need to 
> crack the stored password and I am not entirely sure this is 
> possible.

This is a pretty good summary of the situation.  The passwords are as
secure as: 
 - The administrator passwords (because administrators can join new DCs
over the network, and so get the passwords)
 - The permissions and access control to the sam.ldb file

The only point I would make is that the attributes are
password-equivalent, and some values are unhashed, so they are as good
as plaintext passwords to an attacker.  

We do generally avoid printing them in logs, but be careful where you
send your logs to.

We also do not show these attributes, even when directly attached to
sam.ldb, by default in searches, for the same reason, to make mistakes
harder. 

I am interested in adding an extension to Samba to store a
key-encrypting-key in secrets.tdb (so that accidental disclosure of
sam.ldb would be less damaging), or to optionally use a hardware
encryption device, but these only impact offline attacks, online access
is required for the DC to operate.

I hope this clarifies things.

Andrew Bartlett


-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
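The two things this reply says the password secrets depend on, the permissions on sam.ldb and the fact that the password-equivalent attributes are not readable over the wire, can both be checked rather than just asserted to the customer. The script below is an added illustration of those two checks; it is not part of the thread and not Samba's own tooling. It assumes Python 3 running on the DC, the Debian/Ubuntu private directory /var/lib/samba/private (adjust to your "private dir" setting), the third-party ldap3 library for the optional over-the-wire check, and a hand-picked set of AD password attribute names; all of these are my assumptions.

```python
import os
import stat

# AD schema attributes Samba treats as password-equivalent secrets. This is
# my own selection for illustration, not Samba's complete list.
PASSWORD_EQUIVALENT_ATTRS = frozenset({
    "unicodePwd", "dBCSPwd", "ntPwdHistory", "lmPwdHistory",
    "supplementalCredentials",
})


def insecure_private_files(private_dir, expected_uid=0):
    """Walk Samba's private directory (sam.ldb and its partition files live
    here) and report every file or directory that group/other can access, or
    that is not owned by expected_uid (root by default; pass None to skip).
    Returns a list of (path, reason) tuples; an empty list means clean."""
    findings = []
    for root, _dirs, files in os.walk(private_dir):
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)
            if st.st_mode & 0o077:
                findings.append((path, "mode %o grants group/other access"
                                 % stat.S_IMODE(st.st_mode)))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((path, "owned by uid %d, expected %d"
                                 % (st.st_uid, expected_uid)))
    return findings


def attributes_exposed(returned_attrs):
    """Given the attribute names an LDAP search actually returned, report
    which password-equivalent attributes came back. LDAP attribute names are
    case-insensitive, so the comparison ignores case. A DC that hides these
    attributes over the wire yields an empty set."""
    wanted = {a.lower(): a for a in PASSWORD_EQUIVALENT_ATTRS}
    return {wanted[a.lower()] for a in returned_attrs if a.lower() in wanted}


def check_over_the_wire(host, user, password, base_dn, account):
    """Ask the DC over LDAPS, as an ordinary domain user, for the secret
    attributes of one account and return whichever ones it handed back.
    Needs the ldap3 package (assumed, imported lazily so the rest of the
    script works without it). Expected result on a healthy DC: empty set."""
    from ldap3 import Server, Connection, NTLM
    from ldap3.utils.conv import escape_filter_chars
    conn = Connection(Server(host, use_ssl=True), user=user,
                      password=password, authentication=NTLM, auto_bind=True)
    conn.search(base_dn, "(sAMAccountName=%s)" % escape_filter_chars(account),
                attributes=sorted(PASSWORD_EQUIVALENT_ATTRS))
    returned = set()
    for entry in conn.entries:
        returned.update(entry.entry_attributes)
    return attributes_exposed(returned)


if __name__ == "__main__":
    # Assumed Debian/Ubuntu location; use `samba-tool testparm` to confirm
    # the real "private dir" on your installation.
    for path, reason in insecure_private_files("/var/lib/samba/private"):
        print("WARNING: %s: %s" % (path, reason))
```

Run the file-permission audit as root on the DC; any line printed means someone other than root can read a file that holds password-equivalent data. For the customer demonstration, call check_over_the_wire() with an unprivileged domain account (user in DOMAIN\\name form) and show that the search succeeds while the secret attributes are absent from the result.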