[Samba] encryption algorithm used by samba ad

Andrew Bartlett abartlet at samba.org
Tue Jun 21 19:48:53 UTC 2022

On Tue, 2022-06-21 at 16:33 -0300, Anderson Sampaio Mello via samba
> Hello samba team.
> Do you know what is the encryption algorithm used by the samba ad to
> store
> the passwords for user accounts and computers in the samba4 active
> directory?
> Is it possible to replace the algorithm with another one?

The least secure algorithm is currently unsalted MD4 - the NT hash.  I
have an outstanding merge request currently awaiting final approval to
allow this to be disabled for user accounts. 


We can also optionally store (for comparability and password sync) a
crypt() style hash.

We always store the AES kerberos hashes, based on PKDF2 iterated sha1
of the password (AES128_HMAC_SHA1, AES256_HMAC_SHA1).

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba mailing list