Bug 10740 - The unicodePwd LDAP encryption restrictions are not applied
Summary: The unicodePwd LDAP encryption restrictions are not applied
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.7
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2014-07-24 09:44 UTC by Rowland Penny
Modified: 2018-04-24 13:29 UTC
See Also:
Description Rowland Penny 2014-07-24 09:44:00 UTC
Pretty much what the Summary says: on a Samba 4 AD DC, you can obtain and read the 'unicodePwd' attribute; you cannot do this with a Windows AD DC.
Also, and this may stem from the same reason, you can set/reset a user's password without using SSL; with a Windows server, you MUST use SSL.
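The two behaviours the report describes can be checked with a few small helpers. The following is an added example, not code from Samba or from the reporter: it encodes a new password in the form AD expects for a unicodePwd write, emits the LDIF for an administrative reset, parses a search result to flag any password-material attributes that came back over LDAP, and applies the transport rule Windows enforces (encrypted connection required) to a server URL. The DN, account name and the "leaky" and "clean" search results are constructed for the example; the 16-byte value standing in for an NT hash is not a real hash.

```python
"""
Helpers for checking unicodePwd exposure and password-set transport rules.

Added illustrative code, not part of Samba. The DN, account name and search
results below are constructed for the example.
"""
import base64
import re
from typing import Dict, List
from urllib.parse import urlsplit

# AD attributes that hold password material. A correctly behaving DC never
# returns these over LDAP, even to an administrator bind; they are only
# reachable through replication (DRSUAPI) or local database access.
PASSWORD_ATTRIBUTES = (
    "unicodePwd",
    "dBCSPwd",
    "ntPwdHistory",
    "lmPwdHistory",
    "supplementalCredentials",
)


def encode_unicode_pwd(new_password: str) -> bytes:
    """Encode a cleartext password as the value AD expects when unicodePwd
    is *written*: the password wrapped in double quotes, as UTF-16-LE."""
    return f'"{new_password}"'.encode("utf-16-le")


def password_reset_ldif(user_dn: str, new_password: str) -> str:
    """LDIF for an administrative reset (a single replace of unicodePwd).
    A user self-service change would instead delete the old value and add
    the new one within the same modify operation."""
    value = base64.b64encode(encode_unicode_pwd(new_password)).decode("ascii")
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {value}\n"
        "-\n"
    )


def parse_ldif_entry(text: str) -> Dict[str, List[bytes]]:
    """Parse one LDIF entry into attribute -> list of raw values.
    Handles 'attr: value', 'attr:: base64value' and folded continuation lines."""
    # A line starting with a single space continues the previous line.
    unfolded = re.sub(r"\n ", "", text)
    entry: Dict[str, List[bytes]] = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, raw = m.groups()
        value = base64.b64decode(raw) if sep == "::" else raw.encode("utf-8")
        entry.setdefault(attr, []).append(value)
    return entry


def exposed_password_attrs(entry: Dict[str, List[bytes]]) -> List[str]:
    """Return the password-material attributes present in a search result.
    A non-empty list means the DC is handing out secrets over LDAP."""
    present = {a.lower() for a in entry}
    return [a for a in PASSWORD_ATTRIBUTES if a.lower() in present]


def transport_allows_password_set(ldap_url: str, sasl_sealed: bool = False) -> bool:
    """Policy check mirroring what Windows enforces for unicodePwd writes:
    the connection must be encrypted, either LDAPS (TLS) or a SASL bind that
    negotiated confidentiality (e.g. Kerberos sealing). Plain ldap:// is refused."""
    scheme = urlsplit(ldap_url).scheme.lower()
    return scheme == "ldaps" or (scheme == "ldap" and sasl_sealed)


# Constructed search results for a hypothetical user. The "leaky" one models
# the behaviour reported here: unicodePwd (the 16-byte NT hash) is returned.
FAKE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")  # not a real hash
SAMPLE_RESULT_LEAKY = (
    "dn: CN=Test User,CN=Users,DC=example,DC=test\n"
    "objectClass: user\n"
    "sAMAccountName: testuser\n"
    f"unicodePwd:: {base64.b64encode(FAKE_NT_HASH).decode('ascii')}\n"
)
SAMPLE_RESULT_CLEAN = (
    "dn: CN=Test User,CN=Users,DC=example,DC=test\n"
    "objectClass: user\n"
    "sAMAccountName: testuser\n"
)


if __name__ == "__main__":
    for name, result in (("leaky", SAMPLE_RESULT_LEAKY), ("clean", SAMPLE_RESULT_CLEAN)):
        leaked = exposed_password_attrs(parse_ldif_entry(result))
        print(f"{name}: leaked attributes = {leaked or 'none'}")
    print(password_reset_ldif("CN=Test User,CN=Users,DC=example,DC=test", "newPassword"))
```

To reproduce the read check against a real DC, request the attribute explicitly with an administrative bind (for example `ldbsearch -H ldap://<dc> -U Administrator '(sAMAccountName=testuser)' unicodePwd`) and feed the output to `parse_ldif_entry`; a DC that behaves like Windows returns the entry without the attribute. The reset LDIF is meant to be applied with `ldapmodify` over an `ldaps://` URL, which is the case `transport_allows_password_set` accepts.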
Comment 1 Andrew Bartlett 2014-07-24 10:06:23 UTC
The two issues raised here are totally unrelated.

Yes, we only prevent access over LDAP, and just as the password hash values can be recovered locally on a Windows server, so they can on Samba with direct TDB access.

However, as the 'net rpc samdump' command demonstrates, password hash values can be obtained remotely with the administrator password.
Comment 2 Stefan Metzmacher 2018-04-24 08:01:42 UTC
What's the state here? Do we really have a bug?
Comment 3 Rowland Penny 2018-04-24 08:50:51 UTC
(In reply to Stefan Metzmacher from comment #2)
Seemingly not any more: you used to be able to obtain a user's password with LDAP, but this is no longer possible.