Krutskikh Ivan
2015-Aug-25 18:42 UTC
[Samba] Proof of samba 4 ad storing passwords in a secure manner
Hi everyone,

We are installing a big system which uses samba 4 ad dc. Our customer asked if we can prove that passwords are stored securely in dc. How can we do it in a most interactive way?

Thanks in advance!
Rowland Penny
2015-Aug-25 19:08 UTC
[Samba] Proof of samba 4 ad storing passwords in a secure manner
On 25/08/15 19:42, Krutskikh Ivan wrote:
> Hi everyone,
>
> We are installing a big system which uses samba 4 ad dc. Our customer asked
> if we can prove that passwords are stored securely in dc. How can we do in
> in a most interactive way?
>
> Thanks in advance!

Well, you could ask them if they accept that Windows AD stores passwords securely; if they do, you can then point out that Samba 4 AD stores them in exactly the same way.

The passwords are stored in a write-only attribute, i.e. you cannot read it over the wire. It is a 64-bit unicode password, so I cannot really tell you how to test it because, well, you cannot :-)

You can read the password, but only by logging into the Samba 4 AD DC and connecting directly to the sam.ldb file; you would then need to crack the stored password, and I am not entirely sure this is possible.

Rowland
Andrew Bartlett
2015-Aug-26 02:30 UTC
[Samba] Proof of samba 4 ad storing passwords in a secure manner
On Tue, 2015-08-25 at 20:08 +0100, Rowland Penny wrote:
> On 25/08/15 19:42, Krutskikh Ivan wrote:
> > Hi everyone,
> >
> > We are installing a big system which uses samba 4 ad dc. Our customer asked
> > if we can prove that passwords are stored securely in dc. How can we do in
> > in a most interactive way?
> >
> > Thanks in advance!
>
> Well you could ask them if they accept that windows AD stores passwords
> securely, if they do, you can then point out that Samba 4 AD stores them
> in exactly the same way.
>
> The passwords are stored in a write only attribute i.e. you cannot read
> it over the wire, it is a 64bit unicode password, so I cannot really
> tell you how to test it because, well you cannot :-)
>
> You can read the password, but only by logging into the samba 4 AD DC
> and connecting directly to the sam.ldb file, you would then need to
> crack the stored password and I am not entirely sure this is possible.

This is a pretty good summary of the situation. The passwords are as secure as:

- The administrator passwords (because administrators can join new DCs over the network, and so get the passwords)
- The permissions and access control to the sam.ldb file

The only point I would make is that the attributes are password-equivalent, and some values are unhashed, so they are as good as plaintext passwords to an attacker. We do generally avoid printing them in logs, but be careful where you send your logs to. We also do not show these attributes by default in searches, even when directly attached to sam.ldb, for the same reason: to make mistakes harder.

I am interested in adding an extension to Samba to store a key-encrypting-key in secrets.tdb (so that accidental disclosure of sam.ldb would be less damaging), or to optionally use a hardware encryption device, but these only impact offline attacks; online access is required for the DC to operate.

I hope this clarifies things.
Andrew Bartlett

--
Andrew Bartlett                              https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba
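The second point in Andrew's list, that the stored credentials are only as safe as the permissions on sam.ldb, is something a site can check for itself at the filesystem level. The script below is an added example written for this thread; it is not code from the thread or from Samba. It assumes the private directory lives at the common Debian/Ubuntu default (/var/lib/samba/private, overridable via SAMBA_PRIVATE_DIR), that the files of interest are sam.ldb, its sam.ldb.d partition files, secrets.ldb and secrets.tdb, that they should be owned by root with mode 600, and that GNU stat is available.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: a filesystem-level check
# that the files holding password-equivalent data on a Samba 4 AD DC are not
# readable by anyone but root.
#
# Assumptions: the private directory path is the usual Debian/Ubuntu default,
# the file list is the usual Samba 4 layout, and GNU stat is present.
PRIVATE_DIR="${SAMBA_PRIVATE_DIR:-/var/lib/samba/private}"

# check_secret_file FILE [OWNER]
# Returns 0 only when FILE exists, is owned by OWNER (default root) and has
# no group or other permission bits set (mode ends in 00, e.g. 600 or 400).
# Prints one line describing each problem otherwise.
check_secret_file() {
    file="$1"
    owner="${2:-root}"
    if [ ! -e "$file" ]; then
        echo "MISSING   $file"
        return 1
    fi
    mode=$(stat -c '%a' "$file") || return 1
    fowner=$(stat -c '%U' "$file") || return 1
    status=0
    if [ "$fowner" != "$owner" ]; then
        echo "BAD-OWNER $file is owned by $fowner, expected $owner"
        status=1
    fi
    case "$mode" in
        *00) ;;   # group and other bits are clear
        *)   echo "BAD-MODE  $file is mode $mode, expected 600"
             status=1 ;;
    esac
    return $status
}

# audit_private_dir DIR [OWNER]
# Runs check_secret_file over the main database, its partition files and the
# secrets store. Returns 0 only when every file present passes.
audit_private_dir() {
    dir="$1"
    owner="${2:-root}"
    failures=0
    for f in "$dir/sam.ldb" "$dir/secrets.ldb" "$dir/secrets.tdb" "$dir"/sam.ldb.d/*.ldb; do
        # An unmatched glob is left as a literal pattern; skip it.
        case "$f" in *'*'*) continue ;; esac
        if check_secret_file "$f" "$owner"; then
            echo "OK        $f"
        else
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Run the audit when this host actually has a Samba private directory.
if [ -d "$PRIVATE_DIR" ]; then
    if audit_private_dir "$PRIVATE_DIR"; then
        echo "all private files pass"
    else
        echo "review the failures above"
    fi
fi
```

Run it as root on the DC; a BAD-MODE or BAD-OWNER line means the database is readable by a local account that was never meant to hold domain credentials. The check only covers what Andrew calls offline access; it says nothing about who holds administrator passwords or replication rights.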