Anderson Sampaio Mello
2022-Jun-21 19:33 UTC
[Samba] encryption algorithm used by samba ad
Hello samba team. Do you know what is the encryption algorithm used by the samba ad to store the passwords for user accounts and computers in the samba4 active directory? Is it possible to replace the algorithm with another one?
On Tue, 2022-06-21 at 16:33 -0300, Anderson Sampaio Mello via samba wrote:
> Hello samba team.
>
> Do you know what is the encryption algorithm used by the samba ad to
> store the passwords for user accounts and computers in the samba4
> active directory?

Yes, why do you want to know?

> Is it possible to replace the algorithm with another one?

No

Rowland
On Tue, 2022-06-21 at 16:33 -0300, Anderson Sampaio Mello via samba wrote:
> Hello samba team.
>
> Do you know what is the encryption algorithm used by the samba ad to
> store the passwords for user accounts and computers in the samba4
> active directory?
>
> Is it possible to replace the algorithm with another one?

The least secure algorithm is currently unsalted MD4 - the NT hash.

I have an outstanding merge request currently awaiting final approval to allow this to be disabled for user accounts.
https://gitlab.com/samba-team/samba/-/merge_requests/2437

We can also optionally store (for comparability and password sync) a crypt() style hash.

We always store the AES Kerberos hashes, based on PBKDF2 iterated sha1 of the password (AES128_HMAC_SHA1, AES256_HMAC_SHA1).

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions