Backend documentation?

Simo idra at samba.org
Sat Apr 13 06:58:34 MDT 2013


On 04/13/2013 08:10 AM, Yoann Gini wrote:
> On 13 Apr 2013, at 13:06, Andrew Bartlett <abartlet at samba.org> wrote:
>
>> The issue is this:  To change passwords you need the old password hash
>> to verify the new password.  You need a way to get that old password
>> hash out of the PasswordService.  My understanding is that this is
>> intentionally difficult (part of the design, to try and keep all the
>> crypto inside that box).
>>
>> The same applies for being able to accept domain logins.  The auth
>> plugin code doesn't handle either of these cases, it just assumes passdb
>> provides read access to the hashes.
>>
>> Only then can we read the plaintext password.  At that point our passdb
>> backend can submit the plaintext passwords to the LDAP server using the
>> password change/set exop.  If the PasswordService will accept it, a
>> patched pdb_ldap could instead set it there.
> I’ve thought about one way; it’s tricky, but the PasswordService database is an LDAP database with some restricted access. Here is an extract of what we can get:
>
> dn: authGUID=79c4b078-49ca-11e2-9695-0050563fdd05,cn=users,cn=authdata
> objectClass: pwsAuthdata
> draft-krbPrincipalName: alice at LAB.OFFICE.INIG-SERVICES.COM
> draft-krbTicketPolicy: 326
> draft-krbKeySet:: MIIBC6EDAgEJoIIBAjCB/zBboSswKaADAgESoSIEIDCzR/8HiG46Pee31qOI
>   IHHLRudSFckCtlN3uyb6l/OjoiwwKqADAgEDoSMEIUxBQi5PRkZJQ0UuSU5JRy1TRVJWSUNFUy5DT
>   01hbGljZTBLoRswGaADAgERoRIEEN4B9R/JNAshjTC9OJK1XnaiLDAqoAMCAQOhIwQhTEFCLk9GRk
>   lDRS5JTklHLVNFUlZJQ0VTLkNPTWFsaWNlMFOhIzAhoAMCARChGgQYgCXff16dB9XxUe/Qqyb0/eW
>   U/bNerUVtoiwwKqADAgEDoSMEIUxBQi5PRkZJQ0UuSU5JRy1TRVJWSUNFUy5DT01hbGljZQ==
> uid: alice
> authGUID: 79c4b078-49ca-11e2-9695-0050563fdd05
> loginFailedAttempts: 2
> creationDate: 20121219105434Z
> passwordModDate: 20130413114843Z
> lastLoginTime: 20130413114158Z
> userLinkage: 6ebccf99-9034-48da-a119-e5561be5f347
> password:: 6h7tUEiULsg=
> cmusaslsecretSMBNT: 4039730E1BF6E10DD01EAAC983DB4D7C40A0C1609E7F0000206A7A0D01
>   000000

This is apparently your user alice's NT password; the format looks 
slightly odd, but if it is RC4-HMAC as it should be, you should be able to 
use it pretty easily with pdb_ldap or a modification of it.

Now tell Alice to change her password if it is a real user. An NT hash is 
a clear-text equivalent over SMB, so her account is basically compromised 
by having revealed the hash.

> cmusaslsecretDIGEST-MD5:: 2Qvzdbf2zJ32C0zBwtSTFw==
> cmusaslsecretCRAM-MD5:: 8MNiRN2wPF33Rnew+uPbv3EV0cA8VPimh9/COEAn4QE=
> cmusaslsecretPPS:: FEDXQkKfMefvwi48ZekZE7aH8eukRula
> cmusaslsecretDIGEST-UMD5:: MJSZQKSdJH0bbgO7Cf/ycQ==
>
> The user password here is alice, for information.
>
> So, even if it’s not possible to extract the password hash from the PasswordService, we can access the service database…

Well, unless the SMBNT field above is encrypted with a master password 
(the krbkey normally is), you can extract the password hash apparently.

Simo.
