Andrew Bartlett
2015-Aug-26 02:30 UTC
[Samba] Proof of samba 4 ad storing passwords in a secure manner
On Tue, 2015-08-25 at 20:08 +0100, Rowland Penny wrote:
> On 25/08/15 19:42, Krutskikh Ivan wrote:
> > Hi everyone,
> >
> > We are installing a big system which uses samba 4 ad dc. Our customer asked
> > if we can prove that passwords are stored securely in dc. How can we do
> > it in a most interactive way?
> >
> > Thanks in advance!
>
> Well you could ask them if they accept that windows AD stores passwords
> securely, if they do, you can then point out that Samba 4 AD stores them
> in exactly the same way.
>
> The passwords are stored in a write only attribute i.e. you cannot read
> it over the wire, it is a 64bit unicode password, so I cannot really
> tell you how to test it because, well you cannot :-)
>
> You can read the password, but only by logging into the samba 4 AD DC
> and connecting directly to the sam.ldb file, you would then need to
> crack the stored password and I am not entirely sure this is possible.

This is a pretty good summary of the situation. The passwords are as secure as:
- The administrator passwords (because administrators can join new DCs over the network, and so get the passwords)
- The permissions and access control to the sam.ldb file

The only point I would make is that the attributes are password-equivalent, and some values are unhashed, so they are as good as plaintext passwords to an attacker.

We do generally avoid printing them in logs, but be careful where you send your logs to.

We also do not show these attributes, even when directly attached to sam.ldb, by default in searches, for the same reason, to make mistakes harder.

I am interested in adding an extension to Samba to store a key-encrypting-key in secrets.tdb (so that accidental disclosure of sam.ldb would be less damaging), or to optionally use a hardware encryption device, but these only impact offline attacks; online access is required for the DC to operate.

I hope this clarifies things.
Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Krutskikh Ivan
2015-Aug-26 10:15 UTC
[Samba] Proof of samba 4 ad storing passwords in a secure manner
Thanks, that helped me a lot =) But it doesn't seem that sam.ldb holds any password data. I found something similar in file (my domain is NOVO.MTT)

/usr/local/samba/private/sam.ldb.d/DC=NOVO,DC=MTT.ldb

2015-08-26 5:30 GMT+03:00 Andrew Bartlett <abartlet at samba.org>:
> This is a pretty good summary of the situation. The passwords are as
> secure as:
> - The administrator passwords (because administrators can join new DCs
> over the network, and so get the passwords)
> - The permissions and access control to the sam.ldb file
>
> The only point I would make is that the attributes are password-equivalent,
> and some values are unhashed, so they are as good as plaintext passwords
> to an attacker.
>
> [...]
>
> We also do not show these attributes, even when directly attached to
> sam.ldb, by default in searches, for the same reason, to make mistakes
> harder.
>
> [...]
Rowland Penny
2015-Aug-26 10:29 UTC
[Samba] Proof of samba 4 ad storing passwords in a secure manner
On 26/08/15 11:15, Krutskikh Ivan wrote:
> Thanks, that helped me a lot =) But it doesn't seem that sam.ldb holds
> any password data. I found something similar in file (my domain is
> NOVO.MTT)
>
> /usr/local/samba/private/sam.ldb.d/DC=NOVO,DC=MTT.ldb
>
> [...]

You have to explicitly ask for the 'unicodePwd' attribute, it isn't normally shown.

Rowland
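An added illustration of two points made above, Andrew's that the stored attributes are password-equivalent and Rowland's that unicodePwd is the attribute to ask for. This is example code written for this page, not Samba code. In Active Directory (and therefore in a Samba AD DC) unicodePwd holds the NT hash, which is MD4 over the UTF-16LE password with no salt, and NTLMv2 authentication is computed from that hash alone. The user name, domain, server challenge and client blob below are constructed toy values, and MD4 is implemented in pure Python because hashlib's md4 is missing on many current OpenSSL builds.

```python
"""Why a stored unicodePwd is password-equivalent (added example, not Samba code)."""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_round(func, state, X, order, shifts, k):
    # One 16-step MD4 round; rotating (a, b, c, d) after each step reproduces
    # the ABCD/DABC/CDAB/BCDA variable order from RFC 1320.
    a, b, c, d = state
    for i, idx in enumerate(order):
        a = _lrot((a + func(b, c, d) + X[idx] + k) & _MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return a, b, c, d


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of `data`."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        s = _md4_round(f, state, X, range(16), (3, 7, 11, 19), 0)
        s = _md4_round(g, s, X, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                       (3, 5, 9, 13), 0x5A827999)
        s = _md4_round(h, s, X, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                       (3, 9, 11, 15), 0x6ED9EBA1)
        state = tuple((x + y) & _MASK for x, y in zip(state, s))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The value stored in unicodePwd: unsalted MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str,
                 server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 NTProofStr (MS-NLMP 3.3.2) computed from the NT hash only.

    NTOWFv2   = HMAC-MD5(nt, UTF-16LE(UPPER(user) + domain))
    NTProofStr = HMAC-MD5(NTOWFv2, server_challenge + client_blob)
    The plaintext password is never needed: whoever holds `nt` can log in.
    """
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + client_blob, hashlib.md5).digest()


def demo():
    # Constructed sample values: not taken from any real DC or capture.
    password = "password"
    user, domain = "alice", "EXAMPLE"
    server_challenge = bytes(range(8))                      # constructed
    client_blob = b"\x01\x01" + b"\x00" * 14 + b"\x11" * 8  # constructed NTLMv2 temp blob

    # The legitimate client hashes the password once and works from the hash.
    client_proof = ntlmv2_proof(nt_hash(password), user, domain, server_challenge, client_blob)
    # An attacker who read unicodePwd from sam.ldb starts from the same 16 bytes
    # and produces an identical proof without ever knowing the password.
    stolen = nt_hash(password)  # stands in for the value lifted from the database
    attacker_proof = ntlmv2_proof(stolen, user, domain, server_challenge, client_blob)
    return stolen.hex(), client_proof == attacker_proof


if __name__ == "__main__":
    stored, same = demo()
    print("unicodePwd (NT hash) of 'password':", stored)
    print("attacker's NTLMv2 proof matches the client's:", same)
```

On the DC itself the stored value is only returned when the attribute is named explicitly in the search, as Rowland says, for example `ldbsearch -H /usr/local/samba/private/sam.ldb '(sAMAccountName=Administrator)' unicodePwd` (path as given in this thread). Because the value is unsalted MD4, two accounts with the same password store the same 16 bytes, and the value can be replayed directly, which is why Andrew treats it as equivalent to the plaintext rather than as a protected hash.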
Andrew Bartlett
2015-Aug-26 19:32 UTC
[Samba] Proof of samba 4 ad storing passwords in a secure manner
On Wed, 2015-08-26 at 13:15 +0300, Krutskikh Ivan wrote:
> Thanks, that helped me a lot =) But it doesn't seem that sam.ldb
> holds any password data. I found something similar in file (my domain
> is NOVO.MTT)
>
> /usr/local/samba/private/sam.ldb.d/DC=NOVO,DC=MTT.ldb

Correct, the sam.ldb is a wrapper that loads modules which in turn load the other files, which actually contain the domain data.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba