On Wed, 2005-01-19 at 13:05 +0100, Love wrote:
> Andrew Bartlett <abartlet@samba.org> writes:
>
> > On Sun, 2005-01-16 at 00:11 +1100, Andrew Bartlett wrote:
> >
> >> I have code that extracts more than just these keys from AD, but I've
> >> not yet fully parsed the structure I'm given.
> >
> > I did some more work on this, and it's a false alarm for getting
> > everything out of AD. The structure I get contains more than just the
> > current passwords yes, but it's the password history, not Kerberos
> > keys :-(
> >
> > Oh well, we are working on full Active Directory replication, so this
> > should not be too far off, but not quite for now...
>
> Well, until you get DRSUAPI working I got this text below from Dave
> Love to add to the documentation, I've not had time to go over it yet
> though.
>
> Love
>
> @node Using Windows keys, Useful links when reading about the Windows 2000, Quirks of Windows 2000 KDC, Windows 2000 compatability
> @section Using Windows keys
>
> @cindex Windows password hashes
> If you have existing Windows accounts, you might want to transfer
> their keys to Heimdal for single sign on via Heimdal without having to
> reset passwords. Dumping the Kerberos keys from Active Directory is
> apparently only possible with the proprietary replication protocol.
> However, if you have it configured for NT-authentication as well as
> Kerberos, you can extract and use the NT keys (which are synchronized
> with the Kerberos keys), as follows.@footnote{Note that these keys are
> weak---they are unsalted---and users should be encouraged to reset
> their passwords to replace them with the default key types.}

Firstly, I think that the type 23 keys (arcfour-hmac-md5, aka the NT
hash) are now in the default key types, and while it is a limited type,
with less than broad support on older kerberos libs. It's not my
understanding that the type 23 keys are particularly weak in any way.
> Use @command{pwdump2} (@pxref{pwdump}) on the Windows controller to
> dump the password hashes.

Therefore 'net rpc samdump' should do the same, as would my original
suggestion of 'vampire' into the Samba LDAP schema.

Perhaps I didn't make myself clear on my retraction earlier: while I
was hoping to find all the kerberos encryption keys, we still get the
NT password from 'vampire'.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net