Joseph Bell
2021-Nov-09 19:25 UTC
[Samba] Password Storage on Samba Primary Domain Controller
I've built a Samba PDC using the instructions at https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller and have had great success using it in an enterprise setting. As a part of a compliance audit I need to articulate clearly the password encryption mechanism of my domain controller. Is there reference documentation on how user passwords are stored in a PDC configuration? (Note: I used the term 'stored' but am assuming some type of salting, hashing, etc. mechanism is actually used.) Thanks, Joe
Andrew Bartlett
2021-Nov-09 19:30 UTC
[Samba] Password Storage on Samba Primary Domain Controller
On Tue, 2021-11-09 at 13:25 -0600, Joseph Bell via samba wrote:
> I've built a Samba PDC using the instructions at
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> and have had great success using it in an enterprise setting.
>
> As a part of a compliance audit I need to articulate clearly the
> password encryption mechanism of my domain controller. Is there reference
> documentation on how user passwords are stored in a PDC configuration?
> (Note: I used the term 'stored' but am assuming some type of salting,
> hashing, etc. mechanism is actually used.)

It is pretty bad. MD4(UTF-16(password)) yes, no salt. This matches Windows, for better or worse.

There are other methods in use, but in this case the weakest link matters most.

We do encrypt it at rest, but the key is kept next to the DB (you are welcome to somehow provision that at each boot if you like; mostly we do that as a defence against in-memory or search expression attacks).

I do have a work item to remove this for users, but it will break NTLM. I don't have a timeframe for that right now, but it has been promised.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
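The storage scheme Andrew describes, as an added example that is not part of this thread or of Samba's own code: `nt_hash` computes MD4 over the UTF-16LE password with no salt, so two accounts with the same password store the identical value, which is the point an auditor will ask about; `salted_hash` is a constructed contrast (PBKDF2-HMAC, not what the DC stores) showing what a per-user salt changes. The pure-Python MD4 is included because `hashlib.new("md4")` is often unavailable on OpenSSL 3 builds that do not load the legacy provider.

```python
import hashlib
import os
import struct

# Pure-Python MD4 (RFC 1320). Per-round shift amounts, message-word order and
# additive constants, in the order the RFC specifies them.
_S = ([3, 7, 11, 19], [3, 5, 9, 13], [3, 9, 11, 15])
_K = (list(range(16)),
      [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
      [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
_C = (0, 0x5A827999, 0x6ED9EBA1)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    bit_len = len(data) * 8
    # Pad to 56 mod 64 bytes, then append the bit length as 64-bit little-endian.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for r in range(3):
            for i in range(16):
                if r == 0:
                    f = (b & c) | (~b & d)
                elif r == 1:
                    f = (b & c) | (b & d) | (c & d)
                else:
                    f = b ^ c ^ d
                a = _rotl((a + f + x[_K[r][i]] + _C[r]) & 0xFFFFFFFF, _S[r][i % 4])
                a, b, c, d = d, a, b, c   # rotate registers for the next step
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """The value the reply describes: MD4 over UTF-16LE, no salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()

def salted_hash(password: str, salt: bytes = b""):
    """Constructed contrast only (not what the DC stores): a random per-user
    salt means equal passwords no longer produce equal stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest.hex()
```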