[Samba] encryption algorithm used by samba ad

Andrew Bartlett abartlet at samba.org
Tue Jun 21 21:48:50 UTC 2022


The AES passwords are stored in another attribute,
supplementalCredentials.  This has a complex internal structure to
store all the details for various password hashes.

Andrew Bartlett

On Tue, 2022-06-21 at 18:43 -0300, Anderson Sampaio Mello wrote:
> First of all thanks for the time and information that Rowland and
> Andrew have given.
> 
> Sorry Rowland Penny,
> 
> But if I understand correctly, does active directory generate a hash
> for the user's password encoded in base64 and store it in the
> unicodepwd attribute?
> 
> Generating something like: RBzocx0swDcQmFFgSrbbVg==
> 
> I ask this because Andrew Bartlett replied that passwords can be
> stored in AES Kerberos hash (AES128_HMAC_SHA1, AES256_HMAC_SHA1)
> based on SHA1.
> 
> That's why I got confused.
> 
> On Tue, 21 Jun 2022 at 17:26, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> > On Tue, 2022-06-21 at 17:10 -0300, Anderson Sampaio Mello wrote:
> > > Hi Rowland Penny.
> > >
> > > To find out if they are strong and if not, if you could make them
> > > stronger.
> >
> > You could probably use the strongest algorithm on the planet, but it
> > wouldn't be any good if your clients couldn't set it or use it.
> > Samba AD uses exactly the same setup as Windows AD, to be compatible.
> >
> > > Can you tell me what encryption algorithm is used to hash the
> > > password for active directory user and computer accounts?
> >
> > It basically starts with a double quoted plain password base64 encoded,
> > stored in a user's unicode attribute.
> >
> > Rowland

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
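
The thread mixes two base64 forms of unicodePwd: the double-quoted UTF-16LE password a client sends when setting it, and the 16-byte NT hash that AD stores and that shows up base64-encoded in LDIF output. This added example (not part of the original messages and not Samba code; the function names are hypothetical and the password is constructed) tells the two apart, using the value quoted above as the sample.

```python
import base64
import binascii


def encode_unicodepwd_write(password: str) -> str:
    """Base64 of the value sent when *setting* unicodePwd:
    the password wrapped in double quotes, encoded as UTF-16LE."""
    quoted = f'"{password}"'.encode("utf-16-le")
    return base64.b64encode(quoted).decode("ascii")


def classify_unicodepwd(b64_value: str) -> str:
    """Classify a base64 unicodePwd value seen in LDIF or ldbsearch output."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"

    # Test the quoted form first: a quoted 6-character password is also
    # exactly 16 bytes, so length alone cannot distinguish the two.
    if len(raw) >= 4 and len(raw) % 2 == 0:
        try:
            text = raw.decode("utf-16-le")
        except UnicodeDecodeError:
            text = ""
        if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
            return "quoted-utf16le-write-value"

    if len(raw) == 16:
        return "16-byte-hash-sized"  # same length as an NT hash
    return "unknown"


if __name__ == "__main__":
    # Value quoted in the thread.
    print(classify_unicodepwd("RBzocx0swDcQmFFgSrbbVg=="))
    # Constructed password, as it would appear in an LDIF password change.
    print(classify_unicodepwd(encode_unicodepwd_write("Example-Passw0rd!")))
```
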






