[Samba] Proof of samba 4 ad storing passwords in a secure manner
stein.hak at gmail.com
Wed Aug 26 10:15:37 UTC 2015
Thanks, that helped me a lot =) But it doesn't seem that sam.ldb holds any
password data. I found something similar in file (my domain is NOVO.MTT)
2015-08-26 5:30 GMT+03:00 Andrew Bartlett <abartlet at samba.org>:
> On Tue, 2015-08-25 at 20:08 +0100, Rowland Penny wrote:
> > On 25/08/15 19:42, Krutskikh Ivan wrote:
> > > Hi everyone,
> > >
> > > We are installing a big system which uses samba 4 ad dc. Our customer asked
> > > if we can prove that passwords are stored securely in dc. How can we do it
> > > in a most interactive way?
> > >
> > > Thanks in advance!
> > Well you could ask them if they accept that windows AD stores passwords
> > securely, if they do, you can then point out that Samba 4 AD stores them
> > in exactly the same way.
> > The passwords are stored in a write only attribute i.e. you cannot read
> > it over the wire, it is a 64bit unicode password, so I cannot really
> > tell you how to test it because, well you cannot :-)
> > You can read the password, but only by logging into the samba 4 AD DC
> > and connecting directly to the sam.ldb file, you would then need to
> > crack the stored password and I am not entirely sure this is
> > possible.
> This is a pretty good summary of the situation. The passwords are as
> secure as:
> - The administrator passwords (because administrators can join new DCs
> over the network, and so get the passwords)
> - The permissions and access control to the sam.ldb file
> The only point I would make is that the attributes are
> password-equivalent, and some values are unhashed, so they are as good as
> plaintext passwords to an attacker.
> We do generally avoid printing them in logs, but be careful where you
> send your logs to.
> We also do not show these attributes, even when directly attached to
> sam.ldb, by default in searches, for the same reason, to make mistakes
> I am interested in adding an extension to Samba to store a
> key-encrypting-key in secrets.tdb (so that accidental disclosure of
> sam.ldb would be less damaging), or to optionally use a hardware
> encryption device, but these only impact offline attacks, online access
> is required for the DC to operate.
> I hope this clarifies things.
> Andrew Bartlett
> Andrew Bartlett
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
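As an added example (not from the thread or from Samba itself) of Andrew's caution about where sam.ldb exports and logs end up: a small LDIF scanner that flags entries carrying password-equivalent attributes, so an export or log can be checked before it is shipped anywhere. The attribute names are assumed Samba/AD names and the sample LDIF is constructed; the parser handles LDIF line folding and base64 (`::`) values.

```python
import base64
import re
# Samba/AD attributes that are password-equivalent (assumed list; the thread names
# none explicitly). Some of these values are not even hashed.
PASSWORD_EQUIVALENT_ATTRS = {"unicodepwd", "dbcspwd", "ntpwdhistory", "lmpwdhistory", "supplementalcredentials"}

def unfold_ldif(text):
    """Return logical LDIF lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_entries(text):
    """Parse LDIF into [{attr(lowercase): [raw bytes]}]; '::' marks a base64 value."""
    entries, cur = [], {}
    for line in unfold_ldif(text) + [""]:     # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):         # LDIF comments are ignored
            m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
            if m:
                name, sep, val = m.group(1).lower(), m.group(2), m.group(3)
                cur.setdefault(name, []).append(base64.b64decode(val) if sep == "::" else val.encode())
    return entries

def find_leaked_secrets(text):
    """Return [(dn, [attrs])] for every entry carrying password-equivalent attributes."""
    hits = []
    for e in parse_entries(text):
        found = sorted(a for a in e if a in PASSWORD_EQUIVALENT_ATTRS)
        if found:
            hits.append((e.get("dn", [b"<no dn>"])[0].decode(errors="replace"), found))
    return hits

# Constructed sample export: alice's entry carries unicodePwd and must never reach a log.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
unicodePwd:: AAECAwQFBgcICQoLDA0ODw==

dn: CN=bob,CN=Users,
 DC=example,DC=com
sAMAccountName: bob
"""
```

Run `find_leaked_secrets` over an `ldbsearch` or `ldbedit` export before attaching it to a ticket or forwarding it; a non-empty result means the file is as sensitive as the passwords themselves.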