[Samba] encryption algorithm used by samba ad
Andrew Bartlett
abartlet at samba.org
Tue Jun 21 19:48:53 UTC 2022
On Tue, 2022-06-21 at 16:33 -0300, Anderson Sampaio Mello via samba
wrote:
> Hello samba team.
>
> Do you know what is the encryption algorithm used by the samba ad to store
> the passwords for user accounts and computers in the samba4 active
> directory?
>
> Is it possible to replace the algorithm with another one?

The least secure algorithm is currently unsalted MD4 - the NT hash. I
have an outstanding merge request currently awaiting final approval to
allow this to be disabled for user accounts.

https://gitlab.com/samba-team/samba/-/merge_requests/2437

We can also optionally store (for comparability and password sync) a
crypt() style hash.

We always store the AES Kerberos hashes, based on PBKDF2 iterated sha1
of the password (AES128_HMAC_SHA1, AES256_HMAC_SHA1).

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions