samba - Nov 2021 - Password Storage on Samba Primary Domain Controller

I've built a Samba PDC using the instructions at
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
and
have had great success using it in an enterprise setting.

As a part of a compliance audit I need to articulate clearly the password
encryption mechanism of my domain controller.  Is there reference
documentation on how user passwords are stored in a PDC configuration?
(Note: I used the term 'stored' but am assuming some type of salting,
hashing, etc. mechanism is actually used.)

Thanks,
Joe

On Tue, 2021-11-09 at 13:25 -0600, Joseph Bell via samba
wrote:
> I've built a Samba PDC using the instructions at
>
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> and
> have had great success using it in an enterprise setting.
> 
> As a part of a compliance audit I need to articulate clearly the
> password
> encryption mechanism of my domain controller.  Is there reference
> documentation on how user passwords are stored in a PDC
> configuration?
> (Note: I used the term 'stored' but am assuming some type of
salting,
> hashing, etc. mechanism is actually used.)
It is pretty bad.  MD4(UTF-16(password))

yes, no salt.  This matches Windows, for better or worse. 

There are other methods in use, but in this case the weakest link
matter most.

We do encrypt it at rest, but the key is kept next to the DB (you are
welcome to somehow provision that at each boot if you link, mostly we
do that as a defence against in-memory or search expression attacks). 

I do have a work item to remove this for users, but it will break
NTLM. 

I don't have a a timeframe for that right now, but it has been
promised.

Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions