samba - Aug 2015 - Proof of samba 4 ad storing passwords in a secure manner

Hi everyone,

We are installing a big system which uses samba 4 ad dc. Our customer asked
if we can prove that passwords are stored securely in dc. How can we do in
in a most interactive way?

Thanks in advance!

On 25/08/15 19:42, Krutskikh Ivan wrote:
> Hi everyone,
>
> We are installing a big system which uses samba 4 ad dc. Our customer asked
> if we can prove that passwords are stored securely in dc. How can we do in
> in a most interactive way?
>
> Thanks in advance!
Well you could ask them if they accept that windows AD stores passwords 
securely, if they do, you can then point out that Samba 4 AD stores them 
in exactly the same way.

The passwords are stored in a write only attribute i.e. you cannot read 
it over the wire, it is a 64bit unicode password, so I cannot really 
tell you how to test it because, well you cannot :-)

You can read the password, but only by logging into the samba 4 AD DC 
and connecting directly to the sam.ldb file, you would then need to 
crack the stored password and I am not entirely sure this is possible.

Rowland

On Tue, 2015-08-25 at 20:08 +0100, Rowland Penny wrote:
> On 25/08/15 19:42, Krutskikh Ivan wrote:
> > Hi everyone,
> > 
> > We are installing a big system which uses samba 4 ad dc. Our 
> > customer asked
> > if we can prove that passwords are stored securely in dc. How can 
> > we do in
> > in a most interactive way?
> > 
> > Thanks in advance!
> 
> Well you could ask them if they accept that windows AD stores 
> passwords 
> securely, if they do, you can then point out that Samba 4 AD stores 
> them 
> in exactly the same way.
> 
> The passwords are stored in a write only attribute i.e. you cannot 
> read 
> it over the wire, it is a 64bit unicode password, so I cannot really 
> tell you how to test it because, well you cannot :-)
> 
> You can read the password, but only by logging into the samba 4 AD DC 
> 
> and connecting directly to the sam.ldb file, you would then need to 
> crack the stored password and I am not entirely sure this is 
> possible.
This is a pretty good summary of the situation.  The passwords are as
secure as: 
 - The administrator passwords (because administrators can join new DCs
over the network, and so get the passwords)
 - The permissions and access control to the sam.ldb file

The only point I would make is that the attributes are password
-equvilent, and some values are unhashed, so they are as good as
plaintext passwords to an attacker.  

We do generally avoid printing them in logs, but be careful where you
send your logs to.

We also do not show these attributes, even when directly attached to
sam.ldb, by default in searches, for the same reason, to make mistakes
harder. 

I am interested in adding an extension to Samba to store a key
-encrypting-key in secrets.tdb (so that accidental disclosure of
sam.ldb would be less damaging), or to optionally use a hardware
encryption device, but these only impact offline attacks, online access
is required for the DC to operate.

I hope this clarifies things.

Andrew Bartlett


-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba