On Tue, 2022-06-21 at 17:10 -0300, Anderson Sampaio Mello wrote:
> Hi Rowland Penny.
>
> To find out if they are strong and if not, if you could make them
> stronger.

You could probably use the strongest algorithm on the planet, but it wouldn't be any good if your clients couldn't set it or use it. Samba AD uses exactly the same setup as Windows AD, to be compatible.

> Can you tell me what encryption algorithm is used to hash the
> password for active directory user and computer accounts?

It basically starts with a double quoted plain password base64 encoded, stored in a user's unicode attribute.

Rowland

Anderson Sampaio Mello
2022-Jun-21 21:43 UTC
[Samba] encryption algorithm used by samba ad
First of all, thanks for the time and information that Rowland and Andrew have given.

Sorry Rowland Penny, but if I understand correctly, does active directory generate a hash for the user's password encoded in base64 and store it in the unicodepwd attribute? Generating something like: RBzocx0swDcQmFFgSrbbVg=

I ask this because Andrew Bartlett replied that passwords can be stored in AES Kerberos hash (AES128_HMAC_SHA1, AES256_HMAC_SHA1) based on SHA1. That's why I got confused.

On Tue, 21 Jun 2022 at 17:26, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 2022-06-21 at 17:10 -0300, Anderson Sampaio Mello wrote:
> > Hi Rowland Penny.
> >
> > To find out if they are strong and if not, if you could make them
> > stronger.
>
> You could probably use the strongest algorithm on the planet, but it
> wouldn't be any good if your clients couldn't set it or use it.
> Samba AD uses exactly the same setup as Windows AD, to be compatible.
>
> > Can you tell me what encryption algorithm is used to hash the
> > password for active directory user and computer accounts?
>
> It basically starts with a double quoted plain password base64 encoded,
> stored in a user's unicode attribute.
>
> Rowland

On Tue, 2022-06-21 at 21:25 +0100, Rowland Penny via samba wrote:
> On Tue, 2022-06-21 at 17:10 -0300, Anderson Sampaio Mello wrote:
> > Can you tell me what encryption algorithm is used to hash the
> > password for active directory user and computer accounts?
>
> It basically starts with a double quoted plain password base64
> encoded, stored in a user's unicode attribute.

Kia ora Rowland,

Just a clarification on this, while that is the interface seen by users/administrators, that is just a way to present the password over LDAP.

The algorithm for the NT hash (which is the weakest) is:

MD4(UTF16-LE(password))

This is what is actually stored in unicodePwd for each user/computer.

Andrew Bartlett

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead, Catalyst IT    https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions