[Samba] Proof of samba 4 ad storing passwords in a secure manner

Krutskikh Ivan stein.hak at gmail.com
Wed Aug 26 10:15:37 UTC 2015


Thanks, that helped me a lot =) But it doesn't seem that sam.ldb holds any
password data. I found something similar in file (my domain is NOVO.MTT)

/usr/local/samba/private/sam.ldb.d/DC=NOVO,DC=MTT.ldb

2015-08-26 5:30 GMT+03:00 Andrew Bartlett <abartlet at samba.org>:

> On Tue, 2015-08-25 at 20:08 +0100, Rowland Penny wrote:
> > On 25/08/15 19:42, Krutskikh Ivan wrote:
> > > Hi everyone,
> > >
> > > We are installing a big system which uses samba 4 ad dc. Our
> > > customer asked
> > > if we can prove that passwords are stored securely in dc. How can
> > > we do it
> > > in a most interactive way?
> > >
> > > Thanks in advance!
> >
> > Well you could ask them if they accept that windows AD stores
> > passwords
> > securely, if they do, you can then point out that Samba 4 AD stores
> > them
> > in exactly the same way.
> >
> > The passwords are stored in a write only attribute i.e. you cannot
> > read
> > it over the wire, it is a 64bit unicode password, so I cannot really
> > tell you how to test it because, well you cannot :-)
> >
> > You can read the password, but only by logging into the samba 4 AD DC
> >
> > and connecting directly to the sam.ldb file, you would then need to
> > crack the stored password and I am not entirely sure this is
> > possible.
>
> This is a pretty good summary of the situation.  The passwords are as
> secure as:
>  - The administrator passwords (because administrators can join new DCs
> over the network, and so get the passwords)
>  - The permissions and access control to the sam.ldb file
>
> The only point I would make is that the attributes are password
> -equivalent, and some values are unhashed, so they are as good as
> plaintext passwords to an attacker.
>
> We do generally avoid printing them in logs, but be careful where you
> send your logs to.
>
> We also do not show these attributes, even when directly attached to
> sam.ldb, by default in searches, for the same reason, to make mistakes
> harder.
>
> I am interested in adding an extension to Samba to store a key
> -encrypting-key in secrets.tdb (so that accidental disclosure of
> sam.ldb would be less damaging), or to optionally use a hardware
> encryption device, but these only impact offline attacks, online access
> is required for the DC to operate.
>
> I hope this clarifies things.
>
> Andrew Bartlett
>
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
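Andrew's second point above is that the secrets in sam.ldb are only as safe as the permissions on the file and its backend partitions. The following audit script is an added example for this thread, not code from Samba or from any of the posters; it assumes the source-build layout the thread mentions (/usr/local/samba/private with sam.ldb and sam.ldb.d/ beneath it) and that these files should be owned by root with no group or other access. Running it against a constructed directory tree (built in a temp dir so it works without a DC) shows how a loosely-permissioned partition file such as sam.ldb.d/DC=NOVO,DC=MTT.ldb is reported.

```python
import os
import stat
import tempfile

# Default private directory of a source-built Samba AD DC, as used in the thread.
SAMBA_PRIVATE_DIR = "/usr/local/samba/private"

# Bits that must never be set on sam.ldb, its partitions or secrets.tdb:
# any read, write or execute permission for group or other.
FORBIDDEN_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_private_dir(path=SAMBA_PRIVATE_DIR, expect_uid=0):
    """Walk `path` and return a list of (relative_path, problem) tuples.

    Problems reported: the directory is missing, an entry is a symlink
    (could point the DC at a file outside the private dir), an entry is
    not owned by `expect_uid` (None disables the owner check), or an
    entry grants group/other access.  An empty list means all clear.
    """
    findings = []
    if not os.path.isdir(path):
        return [(path, "missing or not a directory")]

    # Include the top-level directory itself in the check.
    entries = [path]
    for root, dirs, files in os.walk(path):
        entries.extend(os.path.join(root, n) for n in dirs + files)

    for full in entries:
        st = os.lstat(full)
        rel = os.path.relpath(full, path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink inside private dir"))
            continue
        if expect_uid is not None and st.st_uid != expect_uid:
            findings.append((rel, f"owned by uid {st.st_uid}, expected {expect_uid}"))
        mode = stat.S_IMODE(st.st_mode)
        if mode & FORBIDDEN_BITS:
            findings.append((rel, f"mode {mode:04o} grants group/other access"))
    return findings


def build_constructed_tree():
    """Create a throwaway directory mimicking the thread's layout.

    Constructed sample data: sam.ldb and secrets.tdb are correctly 0600,
    but the NOVO.MTT partition file has been left world-readable (0644).
    """
    base = tempfile.mkdtemp(prefix="samba-private-")
    os.chmod(base, 0o700)
    for name in ("sam.ldb", "secrets.tdb"):
        p = os.path.join(base, name)
        open(p, "wb").close()
        os.chmod(p, 0o600)
    part_dir = os.path.join(base, "sam.ldb.d")
    os.mkdir(part_dir)
    os.chmod(part_dir, 0o700)
    part = os.path.join(part_dir, "DC=NOVO,DC=MTT.ldb")
    open(part, "wb").close()
    os.chmod(part, 0o644)  # the deliberate mistake
    return base


def demo():
    """Audit the constructed tree; owner check uses the current uid."""
    base = build_constructed_tree()
    return audit_private_dir(base, expect_uid=os.getuid())


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
    # On a real DC (as root): audit_private_dir() with the defaults.
```

On a live DC the audit would be run as root with the default arguments; a non-empty result means the "permissions and access control to the sam.ldb file" leg of Andrew's argument no longer holds for that host.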
