[Samba] Samba 4 LDAP NTLM password nightly injection

Luc Lalonde luc.lalonde at polymtl.ca
Tue Apr 9 10:25:47 MDT 2013


Ok this works:

####################################################################
#!/usr/bin/env python

import sys

sys.path.insert(0, "/usr/local/samba/lib64/python2.6/site-packages")
sys.path.insert(1, "/usr/local/samba/lib/python2.6/site-packages")

from samba import Ldb, registry
from samba.param import LoadParm
from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
from samba.samba3 import passdb
from samba.samba3 import param as s3param
from samba.dcerpc import lsa, samr, security
from samba.dcerpc.security import dom_sid
from samba.credentials import Credentials
from samba import dsdb
from samba.ndr import ndr_pack
from samba import unix2nttime

# Convert Hex to Byte string
def HexToByte( hexStr ):
    bytes = []
    hexStr = ''.join( hexStr.split(" ") )
    for i in range(0, len(hexStr), 2):
        bytes.append( chr( int (hexStr[i:i+2], 16 ) ) )
    return ''.join( bytes )

# Connect to samba4 backend
new_lp_ctx = s3param.get_context()
new_lp_ctx.load("/usr/local/samba/etc/smb.conf")
new_lp_ctx.set("private dir", "/usr/local/samba/private")

s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))

# Change testuser password
new_userdata = s4_passdb.getsampwnam("testuser")
new_userdata.nt_passwd = HexToByte("878D8014606CDA29677A44EFA1353FC7")
new_userdata.lanman_passwd = HexToByte("552902031BEDE9EFAAD3B435B51404EE")
s4_passdb.update_sam_account(new_userdata)
####################################################################

I was missing some module paths and the extra info for connecting to the LDB database...  Now I just have to generalize this procedure so that I can update the passwords every night like I do with Samba3-LDAP.

Andrew, thanks for the pointers.  I'm posting this in case it can help someone else.

----- Original Message -----
From: "Luc Lalonde" <luc.lalonde at polymtl.ca>
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: samba at lists.samba.org
Sent: Wednesday, March 27, 2013 7:38:05 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection

Hello Andrew,

How would I convert the below base16 strings into raw bytes acceptable to this routine?  We presently inject the NTLM passwords directly into our LDAP database for Samba3.

Also, I can't seem to figure out the argument values for 'passdb.PDB'.  I tried 'ldb', 'samba_dsdb'.

Thanks for your help!

On 2013-03-27, at 6:18 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
>> Hello Andrew,
>> 
>> I'm finally diving into this project...
>> 
>> First off, my sysadmin stuff is mostly in Perl.  So my Python is rudimentary at best.
>> 
>> Here we go anyway...  I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database.
>> 
>> In the script I see these lines:
>> 
>> #######################################################
>> # Connect to samba4 backend
>> s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
>> ########################################################
>> 
>> I would appreciate a hint on how to connect to the database please.  Where is the 'passdb' object referenced from?
>> 
>> Once that's done, from what I understand, I should be able to change the passwords directly:
>> 
>> #######################################################
>> # Change foo-user password
>> admin_userdata = s4_passdb.getsampwnam("foo-user")
>> admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
>> admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
>> s4_passdb.update_sam_account(admin_userdata)
>> #######################################################
> 
> Sort of.  Those values are not base16 strings, but raw bytes, but
> otherwise that looks pretty much right at a first glance. 
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> 
> 

-- 
Luc Lalonde, analyste
---------------------------------------------------------------------
Département de génie informatique:
École polytechnique de Montréal
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
---------------------------------------------------------------------
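The hex-to-raw-bytes step discussed in this thread, extended to a nightly batch as an added example (not code from the original posts or from Samba). It assumes a constructed `user:lm_hex:nt_hex` input format; `hex_to_hash` and `parse_export` are hypothetical names. It rejects malformed entries before anything would be written to the password database.

```python
import binascii

HASH_LEN = 16  # an NT or LM hash is 16 raw bytes, i.e. 32 hex digits


def hex_to_hash(hex_str):
    """Return the 16 raw bytes for a hex-encoded hash, or raise ValueError."""
    cleaned = "".join(hex_str.split())  # tolerate spaces, like HexToByte does
    try:
        raw = binascii.unhexlify(cleaned)
    except (binascii.Error, ValueError) as exc:
        # The message names the defect only; the hash itself is never echoed.
        raise ValueError("not valid hex: %s" % exc)
    if len(raw) != HASH_LEN:
        raise ValueError("expected %d bytes, got %d" % (HASH_LEN, len(raw)))
    return raw


def parse_export(lines):
    """Parse 'user:lm_hex:nt_hex' lines (assumed format, not a Samba format).

    Returns (updates, errors): updates maps user -> (lm_bytes, nt_bytes);
    errors lists (line_number, reason) for entries that must not be applied.
    """
    updates, errors = {}, []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[0]:
            errors.append((lineno, "expected user:lm_hex:nt_hex"))
            continue
        user, lm_hex, nt_hex = parts
        try:
            updates[user] = (hex_to_hash(lm_hex), hex_to_hash(nt_hex))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return updates, errors


# Constructed sample input; the first entry reuses the hex values from the thread.
SAMPLE = [
    "testuser:552902031BEDE9EFAAD3B435B51404EE:878D8014606CDA29677A44EFA1353FC7",
    "shortuser:552902031BEDE9EF:878D8014606CDA29",  # truncated hashes
    "baduser:ZZ2902031BEDE9EFAAD3B435B51404EE:878D8014606CDA29677A44EFA1353FC7",
]

if __name__ == "__main__":
    updates, errors = parse_export(SAMPLE)
    print(sorted(updates), errors)
```

Each pair in `updates` holds the raw values that the script in this thread assigns to `lanman_passwd` and `nt_passwd`; entries listed in `errors` are skipped instead of being written with a wrong-length value.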

