Bug 10740 - The unicodePwd LDAP encryption restrictions are not applied
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2014-07-24 09:44 UTC by Rowland Penny
Modified: 2016-07-29 07:57 UTC
CC: 2 users

Description Rowland Penny 2014-07-24 09:44:00 UTC
Pretty much what the Summary says: on a Samba 4 AD DC, you can obtain and read the 'unicodePwd' attribute; you cannot do this with a Windows AD DC.
Also, and this may stem from the same reason, you can set/reset the user's password without using SSL; with a Windows server, you MUST use SSL.
Comment 1 Andrew Bartlett 2014-07-24 10:06:23 UTC
The two issues raised here are totally unrelated.

Yes, we only prevent access over LDAP, and just as the password hash values can be recovered locally on a Windows server, so they can on Samba with direct TDB access.

However, as the 'net rpc samdump' command demonstrates, password hash values can be obtained remotely with the administrator password.
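As an added audit check (not code from this bug or from the Samba project): the script below parses an LDIF dump of an administrator's LDAP search against a DC and reports which entries came back carrying password-hash attributes, without reproducing the values. unicodePwd is the attribute named in the report; the other attribute names, the sample dump and its DNs are assumed for illustration.

```python
"""Audit an LDAP search dump for password attributes that an AD DC should never
return over LDAP.  Added example, not Samba project code."""
import base64

# unicodePwd is named in the bug; the rest are assumed from the AD/Samba schema.
SENSITIVE_ATTRS = {"unicodepwd", "supplementalcredentials", "dbcspwd",
                   "ntpwdhistory", "lmpwdhistory"}


def parse_ldif(text):
    """Minimal LDIF parser returning a list of {attr: [bytes]} entries.  Handles
    folded lines (newline + space) and '::' base64 values (how unicodePwd is emitted)."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip() or line.startswith("#"):   # "" flushes last entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                       # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip())
        else:                                          # "attr: <text>"
            value = rest.strip().encode("utf-8")
        current.setdefault(attr.strip(), []).append(value)
    return entries


def audit_dump(text):
    """Return {dn: {attr: byte_length}} for entries that leaked a password
    attribute.  Only name and length are reported, never the value itself."""
    findings = {}
    for entry in parse_ldif(text):
        dn = entry.get("dn", [b"<no dn>"])[0].decode("utf-8")
        leaked = {a: len(v[0]) for a, v in entry.items()
                  if a.lower() in SENSITIVE_ATTRS}
        if leaked:
            findings[dn] = leaked
    return findings


# Constructed sample: Alice is what a DC enforcing the restriction returns to an
# administrator search; Bob shows the behaviour the bug report describes.
SAMPLE_DUMP = """\
dn: CN=Alice,CN=Users,DC=example,DC=com
sAMAccountName: alice

dn: CN=Bob,CN=Users,DC=example,DC=com
unicodePwd:: AAAAAAAAAAAAAAAAAAAAAA==
supplementalCredentials:: AAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAA
"""
```

Feed it the output of an `ldapsearch` run as a privileged account over the LDAP port; an empty result is the expected state, any finding means hashes are readable over the wire.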