[Samba] Retrieve winbind machine password

Pavel Filipenský pfilipensky at samba.org
Mon Oct 23 08:58:16 UTC 2023


On 10/22/23 13:36, Kees van Vloten via samba wrote:
>
> Op 22-10-2023 om 03:43 schreef Andrew Bartlett:
>> On Sat, 2023-10-21 at 11:41 +0200, Kees van Vloten via samba wrote:
>>> Hi Team,
>>>
>>>
>>> I am currently looking into enterprise wifi with the machine account. I
>>> did find some clues on the internet but the piece that is missing is 
>>> the
>>> password of the machine account.
>>>
>>> Is it possible for user root to extract that password in clear text
>>> from the secrets database where winbind has stored it?
>>>
>>> /var/lib/samba/private/secrets.tdb seems to contain the info and
>>> tdbdump can output it, but some more decoding is needed before it 
>>> can be
>>> used in the NetworkManager configuration. What are the commands to get
>>> that done?
>> People used to do this with tools that read that DB, which is of course
>> possible, but we have this script:
>>
>>
>>   ./source4/scripting/bin/machineaccountpw
>>
>> Note that the password is very random these days.
>>
>> But please do be aware that MSCHAPv2 is still NTLMv1 under the hood.
>> Better than plaintext if you have the certificate checking done
>> properly, but if you can do real certificates, do that!
>
> Thanks Andrew,
>
> I run my own CA and verify all certificates, that part is taken care 
> of :-)
>
> This link to MIT's Eduroam knowledge base confirms your statement: 
> http://kb.mit.edu/confluence/pages/viewpage.action?pageId=152599592&focusedCommentId=154190347#comment-154190347 
>
>
> One more question: Would it be possible to trigger a script when 
> winbind changes the machine password?
>

Hi Kees,

I am working on a related topic - keytab update when machine account 
password is changed: 
https://gitlab.com/samba-team/samba/-/merge_requests/1999

I will try to add a 'script triggering' once the keytab update is done.


Pavel


>
> That would help to update the wifi configuration on password change 
> and prevent lockout on the AD side due to a wrong password.
>
> - Kees.
>
>> Andrew
>
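The last question in the thread (running a script when winbind rotates the machine password) has no built-in answer at the time of this exchange, since Pavel's keytab-update work is still in progress. As an added example that is not part of the thread and not Samba's own code, the POSIX shell functions below implement the simplest workable stopgap: record the modification time of secrets.tdb and run a hook (which could, for instance, re-run the machineaccountpw script mentioned above and refresh the NetworkManager profile) whenever the file is newer than the recorded stamp. The paths in SECRETS_DB and STAMP are assumptions taken from the default Samba layout discussed in the thread; the hook path is whatever you pass in.

```shell
#!/bin/sh
# Added example: run a hook when secrets.tdb has been modified since the last check.
# Caveat: winbind writes secrets.tdb for reasons other than a machine password
# change, so the hook must be idempotent (safe to run when nothing relevant changed).
# Default locations are assumptions based on the standard Samba layout.
SECRETS_DB="${SECRETS_DB:-/var/lib/samba/private/secrets.tdb}"
STAMP="${STAMP:-/var/lib/samba/private/.secrets.tdb.stamp}"

# Print the modification time of a file in seconds since the epoch (0 if missing).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || echo 0
}

# Succeed (exit 0) when the database is newer than the recorded stamp.
secrets_changed() {
    db=$1
    stamp=$2
    cur=$(file_mtime "$db")
    prev=$(cat "$stamp" 2>/dev/null || echo 0)
    [ "$cur" -gt "$prev" ]
}

# Store the current mtime so the next run only fires on a newer change.
record_stamp() {
    file_mtime "$1" > "$2"
}

# Run the hook once if the database changed; returns 0 when the hook ran, 1 otherwise.
# The stamp is only advanced after the hook succeeds, so a failed hook is retried
# on the next invocation instead of being silently skipped.
run_hook_if_changed() {
    db=$1
    stamp=$2
    hook=$3
    if secrets_changed "$db" "$stamp"; then
        "$hook" || return 2
        record_stamp "$db" "$stamp"
        return 0
    fi
    return 1
}

# Usage from cron or a systemd timer (hypothetical hook path):
#   run_hook_if_changed "$SECRETS_DB" "$STAMP" /usr/local/sbin/update-wifi-machine-pw
```

Because the check is mtime-based, a hook that compares the password it extracts with the one already in the NetworkManager profile, and only rewrites the profile on a real difference, avoids needless reconnects when winbind touched the database for some other reason.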
