mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00
Andrew Bartlett d2a473a7b7 dsdb: Allow password history and password changes without an NT hash
We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead
which allows us to decouple Samba from the unsalted NT hash for
organisations that are willing to take this step (for user accounts).

(History checking is limited to the last three passwords only, as
ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4
package only stores three sets of keys.)

Since we don't store a salt per-key, but only a single salt, the check
will fail for a previous password if the account was renamed prior to a
newer password being set.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-06-26 22:10:29 +00:00


<samba:parameter name="nt hash store"
context="G"
type="enum"
enumlist="enum_nt_hash_store"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This parameter determines whether or not <citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will, as an AD DC, attempt to
store the NT password hash used in NTLM and NTLMv2 authentication for
users in this domain. </para>
<para>If so configured, the Samba Active Directory Domain Controller
will, except for trust accounts (computers, domain
controllers and inter-domain trusts),
<emphasis>NOT store the NT hash</emphasis>
for new and changed accounts in the sam.ldb database.</para>
<para>This avoids the storage of an unsalted hash for these
user-created passwords. As a consequence, the
<constant>arcfour-hmac-md5</constant> Kerberos key type is
also unavailable in the KDC for these users; thankfully,
<emphasis>modern clients will select an AES based key
instead.</emphasis></para>
<para>NOTE: As the password history in Active Directory is
stored as an NT hash (and is thus unavailable), a workaround is
used that relies instead on the Kerberos password hash values.
These store three passwords: the current, the previous and the
second previous password. This allows some checking against reuse.</para>
<para>However, as these values are salted, changing the
sAMAccountName, userAccountControl or userPrincipalName of
an account will cause the salt to change. After the rare
combination of both a rename and a password change, only the
current password will be recognised for password history
purposes.
</para>
<para>The available settings are:</para>
<itemizedlist>
<listitem>
<para><constant>always</constant> - Always store the NT hash
(as machine accounts will also always store an NT hash,
a hash will be stored for all accounts).</para>
<para>This setting may be useful if <parameter
moreinfo="none">ntlm auth</parameter> is set to <constant>disabled</constant>
for a trial period.</para>
</listitem>
<listitem>
<para><constant>never</constant> - Never store the NT hash
for user accounts, only for machine accounts.</para>
</listitem>
<listitem>
<para><constant>auto</constant> - Store an NT hash if <parameter
moreinfo="none">ntlm auth</parameter> is not set to <constant>disabled</constant>.
</para>
</listitem>
</itemizedlist>
</description>
<related>ntlm auth</related>
<value type="default">always</value>
</samba:parameter>
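The two NOTE paragraphs above (and the commit message) describe why the Kerberos-key based history check only covers three passwords and why it breaks after a rename: the key package stores a single salt, yet the salt is derived from the account name. The following is an added Python model of that behaviour; it is not Samba's code. It assumes the salt is REALM plus sAMAccountName (the usual AD form), runs only the PBKDF2 stage of the RFC 3962 AES256 string-to-key (the final DK() step is omitted because the salt dependency that matters is already present), ignores the userAccountControl and userPrincipalName triggers the text also mentions, and uses a constructed realm, account name and passwords.

```python
import hashlib
import hmac

# RFC 3962 parameters for the AES256-CTS-HMAC-SHA1-96 string-to-key
PBKDF2_ITERATIONS = 4096
AES256_KEY_LEN = 32
# PrimaryKerberosCtr4 keeps the current, previous and second previous key sets
HISTORY_DEPTH = 3


def kerberos_salt(realm: str, sam_account_name: str) -> str:
    """Assumed default salt for a user principal: uppercase realm followed by
    the principal name, so renaming the account changes the salt."""
    return realm.upper() + sam_account_name


def derive_key(password: str, salt: str) -> bytes:
    """PBKDF2 stage of the RFC 3962 string-to-key. The real Kerberos key is
    DK(this_value, "kerberos"); that step is left out of this model."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), PBKDF2_ITERATIONS,
                               AES256_KEY_LEN)


class SaltedHistory:
    """Models a key package holding one salt and up to three keys."""

    def __init__(self, realm: str, name: str, password: str):
        self.realm = realm
        self.name = name
        self.salt = kerberos_salt(realm, name)
        self.keys = [derive_key(password, self.salt)]

    def rename(self, new_name: str) -> None:
        # A rename alone leaves the stored package (salt and keys) untouched
        self.name = new_name

    def matches_history(self, candidate: str) -> bool:
        # Every stored key is compared under the single stored salt, so keys
        # that were derived under an older salt can never match again
        probe = derive_key(candidate, self.salt)
        return any(hmac.compare_digest(probe, k) for k in self.keys)

    def set_password(self, new_password: str) -> bool:
        """Reject reuse of a recognised password, otherwise rotate the package
        using the salt for the account's current name."""
        if self.matches_history(new_password):
            return False
        self.salt = kerberos_salt(self.realm, self.name)
        new_key = derive_key(new_password, self.salt)
        self.keys = ([new_key] + self.keys)[:HISTORY_DEPTH]
        return True


def demo() -> dict:
    """Walk through the three-password window and the rename failure mode.
    Realm, account name and passwords are constructed sample values."""
    acct = SaltedHistory("EXAMPLE.COM", "alice", "Winter2021!")
    results = {}
    results["reuse_current_rejected"] = not acct.set_password("Winter2021!")
    acct.set_password("Spring2022!")
    acct.set_password("Summer2022!")
    # Winter2021! is now the second previous password and still recognised
    results["second_previous_rejected"] = not acct.set_password("Winter2021!")
    acct.set_password("Autumn2022!")
    # Winter2021! has aged out of the three slots, so reuse is not detected
    results["fourth_previous_accepted"] = acct.set_password("Winter2021!")
    # Rename first: the old salt is still in the package, history still works
    acct.rename("alice.smith")
    results["previous_recognised_before_change"] = acct.matches_history("Autumn2022!")
    # Rename plus password change: only the current password is recognised
    acct.set_password("Winter2023!")
    results["previous_lost_after_rename"] = not acct.matches_history("Autumn2022!")
    results["current_recognised_after_rename"] = acct.matches_history("Winter2023!")
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The model shows both limits stated in the text: a password older than the third slot is accepted again, and once the account has been renamed and a new password set, the keys still in the package were derived under the old salt and no longer match anything, so only the current password counts for history purposes. Storing a salt alongside each key set would remove the second limit, which is why the commit message calls out the single-salt design explicitly.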