After setting up Samba to work with an FDS LDAP server: http://directory.fedoraproject.org/wiki/Howto:Samba ... I see that the samba password hashes are shown with a simple ldapsearch command.

If you scroll to the bottom of the page linked above and see the search results for:

    ldapsearch -x -Z '(uid=testuser)'

You will see the hashes:

    sambaLMPassword: CFA95C51F11AB11DC2265B23734E0DAC
    sambaNTPassword: B2D88A4A9B0DAEE170E75F67D54918F6

This seems to be confidential information that you would not want showing in an anonymous LDAP search. ... For the same reason you would not want open permissions on your shadow password file.

I see that the userPassword hash is not shown in the example above. In my tests, I only see this Unix password hash if I run ldapsearch as "cn=Directory Manager".

Is there a way to also hide the Samba password hashes without breaking Samba functionality? Say, by using some LDAP rights-management tool to limit access to these attributes to certain accounts. Or does Samba require these hashes to be generally readable?

-- Amin Al-Regan
On Mon, Jul 28, 2008 at 01:32:49PM -0700, Amin Al-Regan wrote:
> Is there a way to also hide the Samba password hashes without breaking
> Samba functionality? Say, by using some LDAP rights-management tool to
> limit access to these attributes to certain accounts. Or does Samba require
> these hashes to be generally readable?

Samba itself needs to be able to read and write its password attributes, but nss_ldap does not need to see them at all. You should fix that wiki page and add the appropriate FDS ACL settings there.

Thanks,

Volker
> Is there a way to also hide the Samba password hashes without breaking
> Samba functionality? Say, by using some LDAP rights-management tool to
> limit access to these attributes to certain accounts. Or does Samba require
> these hashes to be generally readable?

A properly configured LDAP server will not allow anything but the samba daemons to read windows hashes; they are plaintext password equivalent since they can be cracked quite trivially with freely downloadable tools.

Do not send your password hashes over an unencrypted network connection, for the same reason.

--Charlie
> ... I see that the samba password hashes are shown with a simple
> ldapsearch command. ...

I do not have this problem. My /etc/openldap/slapd.conf includes the lines at the end of this message. The passwords are not visible via ldapsearch, yet the Samba on the same machine can still access them (probably because it runs as "root"). (The lines also include a provision for syncrepl replication, which probably isn't relevant to Samba usage.)

-Chuck Kollars

    ### set up some restrictions to not make passwords visible
    access to attrs=sambaLMPassword,sambaNTPassword,MMSNumber,userPassword
            by dn.exact="cn=ReplicateUser,dc=ipswichschools,dc=org" read
            by * auth

    # Default read access to everything else
    # (should be last to act as "default")
    # (not optional - without this it doesn't work right)
    access to *
            by * read
Thanks for all your help. Several people replied with good advice. I have found out how to hide the Samba hashes from anonymous access and have modified the FDS wiki to show the procedure.

On Mon, Jul 28, 2008 at 4:59 PM, Charlie <> wrote:
> A properly configured LDAP server will not allow anything but the
> samba daemons to read windows hashes; they are plaintext password
> equivalent since they can be cracked quite trivially with freely
> downloadable tools.

-- Amin Al-Regani
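The thread's advice amounts to two things: restrict the hash attributes in the directory's ACLs so that only the Samba bind identity can read them, and verify afterwards that an anonymous ldapsearch no longer returns them. The following is an added example (not code from the thread, from the Samba project or from the FDS wiki) that does the verification half: it parses ldapsearch LDIF output and reports any password-equivalent attributes an anonymous bind can see. The sample LDIF is constructed from the values shown on the howto page; the 389-DS/FDS ACI text in HIDE_HASHES_ACI, the example suffix dc=example,dc=com and the Samba bind DN are assumptions to be replaced with your own.

```python
"""Audit an anonymous ldapsearch result for password-equivalent attributes.

Added example, not part of the mailing-list thread. Parses LDIF as printed
by ``ldapsearch`` and reports which secret-bearing attributes were returned.
"""
import base64

# NT/LM hashes are crackable offline and usable as password equivalents;
# userPassword is the Unix hash, so all three belong behind an ACL.
SENSITIVE_ATTRS = {"sambalmpassword", "sambantpassword", "userpassword"}

# Assumed 389-DS / FDS ACIs. In 389-DS allow rules are unioned, so the
# stock "Enable anonymous access" ACI must be *edited* to exclude the hash
# attributes (first ACI); the second grants them to the Samba bind DN only.
# Suffix and Samba DN are placeholders.
HIDE_HASHES_ACI = """\
aci: (targetattr != "userPassword || sambaLMPassword || sambaNTPassword")
 (version 3.0; acl "anonymous read, no hashes"; allow (read, search, compare)
 userdn = "ldap:///anyone";)
aci: (targetattr = "userPassword || sambaLMPassword || sambaNTPassword")
 (version 3.0; acl "samba may use hashes"; allow (read, search, compare, write)
 userdn = "ldap:///uid=samba,ou=services,dc=example,dc=com";)
"""

# Constructed sample: anonymous search result before the ACL fix.
SAMPLE_BEFORE = """\
# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: testuser
sambaLMPassword: CFA95C51F11AB11DC2265B23734E0DAC
sambaNTPassword: B2D88A4A9B0DAEE170E75F67D54918F6
"""

# Constructed sample: the same search after the hashes are hidden.
SAMPLE_AFTER = """\
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: testuser
"""


def ldif_pairs(text):
    """Yield (attribute, value) pairs, joining folded lines and decoding base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 continuation line
        else:
            lines.append(raw)
    for line in lines:
        if not line or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        yield attr.strip(), value.strip()


def exposed_hash_attrs(ldif_text):
    """Return the set of password-equivalent attribute names present in the output."""
    return {attr for attr, _ in ldif_pairs(ldif_text) if attr.lower() in SENSITIVE_ATTRS}


def hashes_hidden(ldif_text):
    """True when an anonymous search result carries no hash attributes."""
    return not exposed_hash_attrs(ldif_text)


if __name__ == "__main__":
    # In practice feed it: ldapsearch -x -Z -LLL '(uid=testuser)' | python audit.py
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, "exposed:", sorted(exposed_hash_attrs(sample)) or "none")
```

Run the check with an anonymous bind (no -D), and once more bound as the Samba DN, which should still return the attributes; if the anonymous run reports none and the Samba run reports them, the ACL does what Volker and Charlie describe.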