Setting unicodePwd hashes directly

Stefan (metze) Metzmacher metze at samba.org
Tue Aug 24 22:32:26 MDT 2010


On 24.08.2010 18:01, Lukasz Zalewski wrote:
> On 08/24/2010 04:44 PM, Matthias Dieter Wallnöfer wrote:
>> Hi Michael,
>>
>> it's not encouraged to set NT hashes by bypassing the "password_hash"
>> module this way - better use metze's new control "bypass_password_hash".
>> I personally don't exactly know how to use/set it but he should be able
>> to explain it to you.
>>
>> Matthias
> I'm pretty sure it's:
> $targetdir/bin/ldbadd -H $targetdir/private/sam.ldb --nosync --verbose
> --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0
> --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 myldif.ldif
> 
> Metze will be able to confirm if that is the case

Yes, but you need to be really, really careful when using that;
this should remain hidden magic...

metze

> Luk
>>
>> Michael Wood wrote:
>>> Hi
>>>
>>> When migrating users from e.g. Apple Open Directory one can get the
>>> arcfour-hmac-md5 hashes and shove them into Samba's directory. When I
>>> did this a couple of months ago I could just use
>>> ldbadd/ldbmodify/ldbedit to add the hashes and I believe I just used
>>> /usr/local/samba/private/sam.ldb as the path to connect to.
>>>
>>> Now when I try that, I get an error saying that I can't set unicodePwd
>>> directly:
>>>
>>> # ldbedit -H /usr/local/samba/private/sam.ldb CN=Administrator
>>> unicodePwd
>>> failed to modify CN=Administrator,CN=Users,DC=example,DC=com -
>>> setup_io: it's not allowed to set the NT hash password directly'
>>> # 0 adds 0 modifies 0 deletes
>>>
>>> If I connect to sam.ldb.d/DC=EXAMPLE,DC=COM.ldb instead, then it seems
>>> to work:
>>>
>>> # ldbedit -H /usr/local/samba/private/sam.ldb.d/DC\=EXAMPLE\,DC\=COM.ldb
>>> CN=Administrator unicodePwd
>>> # 0 adds 1 modifies 0 deletes
>>>
>>> Is this an acceptable workaround? Or could it break things to use the
>>> second method? Is there a better way to set these hashes directly?
>>>
>>
> 
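
Added example (not code from this thread, from Samba, or from any of the posters): a small POSIX shell helper that builds the LDIF for a migrated hash and refuses malformed input before anything reaches sam.ldb. It assumes the value being migrated is the 16-byte NT hash (the arcfour-hmac-md5 key Michael describes) written as 32 hex digits, and that sam.ldb stores unicodePwd as that raw value, so the LDIF carries it base64-encoded (`unicodePwd::`). Because the relax and local_oid controls Lukasz posted skip the password_hash module's processing, the only check left is the one you do yourself; the script validates the hash and prints the ldbmodify command line rather than executing it, so the record can be reviewed first. The sample hash, DN and sam.ldb path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Builds a modify LDIF that
# sets unicodePwd from a hex NT hash and prints the bypass command from the
# thread for review. Assumption: unicodePwd holds the raw 16-byte NT hash.
set -u

# validate_nt_hash HEX: succeed only for exactly 32 hex digits (16 bytes).
validate_nt_hash() {
  case "$1" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# hex_to_base64 HEX: base64 of the raw bytes, one line. Uses POSIX printf
# octal escapes so it needs neither xxd nor bash's \x escapes.
hex_to_base64() {
  h2b_hex=$1
  h2b_oct=''
  while [ -n "$h2b_hex" ]; do
    h2b_pair=${h2b_hex%"${h2b_hex#??}"}   # first two hex digits
    h2b_hex=${h2b_hex#??}
    h2b_oct="$h2b_oct\\$(printf '%03o' "$((0x$h2b_pair))")"
  done
  printf "$h2b_oct" | base64 | tr -d '\n'
}

# make_unicodepwd_ldif DN HEX: print a modify record replacing unicodePwd.
# Refuses anything that is not a well-formed NT hash, because with the
# bypass control nothing in Samba's password_hash module will check it.
make_unicodepwd_ldif() {
  mul_dn=$1
  mul_hash=$2
  if ! validate_nt_hash "$mul_hash"; then
    echo "refusing: NT hash must be exactly 32 hex digits" >&2
    return 1
  fi
  printf 'dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n-\n' \
    "$mul_dn" "$(hex_to_base64 "$mul_hash")"
}

# ldbmodify_bypass_cmd SAMDB: the invocation from the thread (relax plus the
# two local_oid controls), printed for review rather than run.
ldbmodify_bypass_cmd() {
  printf 'ldbmodify -H %s --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0\n' "$1"
}

# Demo with a constructed placeholder hash (bytes 00..0f), not a real hash.
make_unicodepwd_ldif 'CN=Administrator,CN=Users,DC=example,DC=com' \
  000102030405060708090a0b0c0d0e0f
echo "# then feed that LDIF on stdin to: $(ldbmodify_bypass_cmd /usr/local/samba/private/sam.ldb)"
```

Run it to see the LDIF, compare the base64 value against the hash you exported from the source directory, and only then pipe the record into the printed ldbmodify command; a rejected hash exits non-zero without printing a record at all.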
