Backend documentation?

Yoann Gini yoann.gini at gmail.com
Sat Apr 13 06:10:09 MDT 2013 

Le 13 avr. 2013 à 13:06, Andrew Bartlett <abartlet at samba.org> a écrit :

> The issue is this:  To change passwords you need the old password hash
> to verify the new password.  You need a way to get that old password
> hash out of the PasswordService.  My understanding is that this is
> intentionally difficult (part of the design, to try and keep all the
> crypto inside that box). 
> 
> The same applies for being able to accept domain logins.  The auth
> plugin code doesn't handle either of these cases, it just assumes passdb
> provides read access to the hashes. 
> 
> Only then can we read the plaintext password.  At that point our passdb
> backend can submit the plaintext passwords to the LDAP server using the
> password change/set exop.  If the PasswordService will accept it, a
> patched pdb_ldap could instead set it there.

I’ve think about one with, it’s tricky but the PasswordService database is a LDAP database with some restricted access. Here is an extract of what we can get :

dn: authGUID=79c4b078-49ca-11e2-9695-0050563fdd05,cn=users,cn=authdata
objectClass: pwsAuthdata
draft-krbPrincipalName: alice at LAB.OFFICE.INIG-SERVICES.COM
draft-krbTicketPolicy: 326
draft-krbKeySet:: MIIBC6EDAgEJoIIBAjCB/zBboSswKaADAgESoSIEIDCzR/8HiG46Pee31qOI
 IHHLRudSFckCtlN3uyb6l/OjoiwwKqADAgEDoSMEIUxBQi5PRkZJQ0UuSU5JRy1TRVJWSUNFUy5DT
 01hbGljZTBLoRswGaADAgERoRIEEN4B9R/JNAshjTC9OJK1XnaiLDAqoAMCAQOhIwQhTEFCLk9GRk
 lDRS5JTklHLVNFUlZJQ0VTLkNPTWFsaWNlMFOhIzAhoAMCARChGgQYgCXff16dB9XxUe/Qqyb0/eW
 U/bNerUVtoiwwKqADAgEDoSMEIUxBQi5PRkZJQ0UuSU5JRy1TRVJWSUNFUy5DT01hbGljZQ==
uid: alice
authGUID: 79c4b078-49ca-11e2-9695-0050563fdd05
loginFailedAttempts: 2
creationDate: 20121219105434Z
passwordModDate: 20130413114843Z
lastLoginTime: 20130413114158Z
userLinkage: 6ebccf99-9034-48da-a119-e5561be5f347
password:: 6h7tUEiULsg=
cmusaslsecretSMBNT: 4039730E1BF6E10DD01EAAC983DB4D7C40A0C1609E7F0000206A7A0D01
 000000
cmusaslsecretDIGEST-MD5:: 2Qvzdbf2zJ32C0zBwtSTFw==
cmusaslsecretCRAM-MD5:: 8MNiRN2wPF33Rnew+uPbv3EV0cA8VPimh9/COEAn4QE=
cmusaslsecretPPS:: FEDXQkKfMefvwi48ZekZE7aH8eukRula
cmusaslsecretDIGEST-UMD5:: MJSZQKSdJH0bbgO7Cf/ycQ==

The user password here is alice for informations.

So, event if it’s not possible to extract the password hash from the PasswordService, we can access to the service database…

More information about the samba-technical mailing list