[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: using active directory keys

On Wed, 2005-01-19 at 13:05 +0100, Love wrote:
> Andrew Bartlett <abartlet@samba.org> writes:
> > On Sun, 2005-01-16 at 00:11 +1100, Andrew Bartlett wrote:
> >
> >> I have code that extracts more than just these keys from AD, but I've
> >> not yet fully parsed the structure I'm given.
> >
> > I did some more work on this, and it's a false alarm for getting
> > everything out of AD.  The structure I get contains more than just the
> > current passwords yes, but it's the password history, not Kerberos
> > keys :-(
> >
> > Oh well, we are working on full Active Directory replication, so this
> > should not be too far off, but not quite for now...
> Well, until you get DRSUAPI working I got this text below from from Dave
> Love to add to the documentation, I've not had time to go over it yet
> though.
> Love
> @node Using Windows keys, Useful links when reading about the Windows 2000, Quirks of Windows 2000 KDC, Windows 2000 compatability
> @section Using Windows keys
> @cindex Windows password hashes
> If you have existing Windows accounts, you might want to transfer
> their keys to Heimdal for single sign on via Heimdal without having to
> reset passwords.  Dump the Kerberos keys from Active Directory is
> apparently only possible with the proprietary replication protocol.
> However, if you have it configured for NT-authentication as well as
> Kerberos, you can extract and use the NT keys (which are synchronized
> with the Kerberos keys), as follows.@footnote{Note that these keys are
> weak---they are unsalted---and users should be encouraged to reset
> their passwords to replace them with the default key types.}

Firstly, I think that the type 23 keys (arcfour-hmac-md5, aka the NT
hash) are now in the default key types, and while it is a limited type,
with less than broad support on older kerberos libs.  It's not my
understanding that the type 23 keys are particularly weak in any way.

> Use @command{pwdump2} (@pxref{pwdump}) on the Windows controller to
> dump the password hashes.  

Therefore 'net rpc samdump' should do the same, as would my original
suggestion of 'vampire' into the Samba LDAP schema.

Perhaps I didn't make myself clear on my retraction earlier: while I was
hoping to find all the kerberos encryption keys, we still get the NT
password from 'vampire'.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

This is a digitally signed message part