[Samba] Retrieve winbind machine password

Kees van Vloten keesvanvloten at gmail.com
Mon Oct 23 09:06:19 UTC 2023


On 23-10-2023 at 10:58, Pavel Filipenský wrote:
>
> On 10/22/23 13:36, Kees van Vloten via samba wrote:
>>
>> On 22-10-2023 at 03:43, Andrew Bartlett wrote:
>>> On Sat, 2023-10-21 at 11:41 +0200, Kees van Vloten via samba wrote:
>>>> Hi Team,
>>>>
>>>>
>>>> I am currently looking into enterprise wifi with the machine account.
>>>> I did find some clues on the internet but the piece that is missing is
>>>> the password of the machine account.
>>>>
>>>> Is it possible for user root to extract that password in clear text
>>>> from the secrets database where winbind has stored it?
>>>>
>>>> /var/lib/samba/private/secrets.tdb seems to contain the info and
>>>> tdbdump can output it, but some more decoding is needed before it can
>>>> be used in the NetworkManager configuration. What are the commands to
>>>> get that done?
>>> People used to do this with tools that read that DB, which is of course
>>> possible, but we have this script:
>>>
>>>
>>>   ./source4/scripting/bin/machineaccountpw
>>>
>>> Note that the password is very random these days.
>>>
>>> But please do be aware that MSCHAPv2 is still NTLMv1 under the hood.
>>> Better than plaintext if you have the certificate checking done
>>> properly, but if you can do real certificates, do that!
>>
>> Thanks Andrew,
>>
>> I run my own CA and verify all certificates, that part is taken care of :-)
>>
>> This link to MIT's Eduroam knowledge base confirms your statement:
>> http://kb.mit.edu/confluence/pages/viewpage.action?pageId=152599592&focusedCommentId=154190347#comment-154190347 
>>
>>
>> One more question: Would it be possible to trigger a script when 
>> winbind changes the machine password?
>>
>
> Hi Kees,
>
> I am working on a related topic - keytab update when machine account 
> password is changed: 
> https://gitlab.com/samba-team/samba/-/merge_requests/1999
>
> I will try to add a 'script triggering' once the keytab update is done.
>
>
> Pavel
>
Thanks Pavel, that would make it a lot easier!

It looks like the MR has been open for a really long time. Do you expect 
to finish and get it merged any time soon?

- Kees.

>
>>
>> That would help to update the wifi configuration on password change
>> and prevent lockout on the AD side due to a wrong password.
>>
>> - Kees.
>>
>>> Andrew
>>
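Andrew's remark above that MS-CHAPv2 is "still NTLMv1 under the hood" can be checked against RFC 2759 directly. The block below is an added example for this thread; it is not code from the thread participants, from Samba or from NetworkManager. It follows RFC 2759 up to the point where the client would run DES (NtPasswordHash, ChallengeHash and the split of the zero-padded hash into three DES keys) and shows that NTLMv1 feeds the same NT hash into the same three-key split, so the third DES key carries only 16 secret bits. The DES encryption step itself is not implemented here. The MS-CHAPv2 sample values are the test vector from RFC 2759 section 9.2; the 8-byte NTLMv1 server challenge is made up for the comparison.

```python
"""MS-CHAPv2 NT-Response construction (RFC 2759) next to NTLMv1.

Added example, not code from the Samba mailing list thread or from Samba.
Stops at the DES key schedule; DES itself is not implemented here.
"""
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often disabled under OpenSSL 3)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = h[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # Registers rotate a, d, c, b through the 16 steps of each round.
                a, b, c, d = (s[(j - i) % 4] for j in range(4))
                s[(-i) % 4] = _rotl((a + fn(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
        h = [(h[j] + s[j]) & _MASK for j in range(4)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 8.3): MD4 of the UTF-16LE password, the same NT hash NTLM uses."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 8.2): first 8 bytes of SHA-1 over both challenges and the name."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def des_key_from_56(k7: bytes) -> bytes:
    """Expand 7 key bytes into the 8-byte DES key form with odd parity bits (RFC 2759 8.6)."""
    bits = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        out.append(b | (bin(b).count("1") % 2 == 0))  # set parity bit when the count is even
    return bytes(out)


def des_keys_from_nt_hash(nt: bytes) -> list:
    """ChallengeResponse (RFC 2759 8.5): pad the 16-byte hash with 5 zero bytes to 21 bytes
    and use the three 7-byte pieces as DES keys on the same 8-byte challenge.
    NTLMv1 (the DESL construction in MS-NLMP) does exactly the same with the same hash."""
    z = nt + b"\x00" * 5
    return [des_key_from_56(z[i:i + 7]) for i in (0, 7, 14)]


def secret_bits() -> list:
    """Secret bits per DES key: the 21-byte input is 16 hash bytes followed by 5 fixed zeros."""
    return [8 * min(7, 16 - i) for i in (0, 7, 14)]


def mschapv2_nt_response_inputs(password, peer_challenge, auth_challenge, username):
    """The 8-byte block the client DES-encrypts and the three keys it uses for NT-Response."""
    return (challenge_hash(peer_challenge, auth_challenge, username),
            des_keys_from_nt_hash(nt_hash(password)))


def ntlmv1_nt_response_inputs(password, server_challenge):
    """NTLMv1: the raw 8-byte server challenge, and the same three keys from the same hash."""
    return server_challenge, des_keys_from_nt_hash(nt_hash(password))


# Sample values: RFC 2759 section 9.2 test vector; the NTLMv1 challenge is constructed here.
RFC_USER = "User"
RFC_PASSWORD = "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NTLM_SERVER_CHALLENGE = bytes.fromhex("0123456789ABCDEF")  # made up

if __name__ == "__main__":
    chal, keys = mschapv2_nt_response_inputs(RFC_PASSWORD, RFC_PEER_CHALLENGE,
                                             RFC_AUTH_CHALLENGE, RFC_USER)
    _, ntlm_keys = ntlmv1_nt_response_inputs(RFC_PASSWORD, NTLM_SERVER_CHALLENGE)
    print("MS-CHAPv2 challenge hash:", chal.hex())
    for n, (k, bits) in enumerate(zip(keys, secret_bits()), 1):
        print(f"DES key {n}: {k.hex()}  secret bits: {bits}  "
              f"same key as NTLMv1: {k == ntlm_keys[n - 1]}")
```

The point of the comparison is in the key split: an attacker who captures the PEAP inner exchange (which is why the certificate check on the outer TLS tunnel matters so much) gets a known 8-byte plaintext encrypted under three keys derived from one NT hash, of which the third has 16 secret bits and the first two together cover the remaining 56, the same structure that made NTLMv1 responses crackable.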

