Setting unicodePwd hashes directly
Matthias Dieter Wallnöfer
mdw at samba.org
Tue Aug 24 09:44:33 MDT 2010
Hi Michael,
it's not encouraged to set NT hashes by bypassing the "password_hash"
module this way - better use metze's new control "bypass_password_hash".
I personally don't exactly know how to use/set it but he should be able
to explain it to you.
Matthias
Michael Wood wrote:
> Hi
>
> When migrating users from e.g. Apple Open Directory one can get the
> arcfour-hmac-md5 hashes and shove them into Samba's directory. When I
> did this a couple of months ago I could just use
> ldbadd/ldbmodify/ldbedit to add the hashes and I believe I just used
> /usr/local/samba/private/sam.ldb as the path to connect to.
>
> Now when I try that, I get an error saying that I can't set unicodePwd directly:
>
> # ldbedit -H /usr/local/samba/private/sam.ldb CN=Administrator unicodePwd
> failed to modify CN=Administrator,CN=Users,DC=example,DC=com -
> setup_io: it's not allowed to set the NT hash password directly'
> # 0 adds 0 modifies 0 deletes
>
> If I connect to sam.ldb.d/DC=EXAMPLE,DC=COM.ldb instead, then it seems to work:
>
> # ldbedit -H /usr/local/samba/private/sam.ldb.d/DC\=EXAMPLE\,DC\=COM.ldb
> CN=Administrator unicodePwd
> # 0 adds 1 modifies 0 deletes
>
> Is this an acceptable workaround? Or could it break things to use the
> second method? Is there a better way to set these hashes directly?
>
>
More information about the samba-technical
mailing list