[Samba] Samba4 as AD, what password hash is used?

mathias dufresne infractory at gmail.com
Thu Jun 18 05:04:13 MDT 2015


Hi,

Thank you for this answer; unfortunately I was not able to re-hash passwords
the way they are hashed in the LDB database.

First I retrieved the hash:
ldbsearch -H $sam '(cn=some user)' unicodePwd
# record 1
dn: CN=some user,OU=Users Management,DC=ad,DC=example,DC=com
unicodePwd:: COwwLgiqqaHRyhy4HxWp4A==

This "unicodePwd" attribute comes from a quick search in the "user" class:
ldbsearch -H $sam -b 'CN=SCHEMA,CN=CONFIGURATION,DC=AD,DC=EXAMPLE,DC=COM' '(&(objectClass=classSchema)(cn=user))' | egrep -i 'pass|pwd'
systemMayContain: msDS-UserPasswordExpiryTimeComputed
systemMayContain: unicodePwd
systemMayContain: pwdLastSet
systemMayContain: ntPwdHistory
systemMayContain: lmPwdHistory
systemMayContain: dBCSPwd
systemMayContain: badPwdCount
systemMayContain: badPasswordTime

Now the password is "Sg4QWTYspPucd" and its hash is
"COwwLgiqqaHRyhy4HxWp4A==". The hash seems to be base64 encoded because of
the double ":" after the attribute name, but I was not able to decode it to
obtain the password in clear text. This does not really matter in fact;
what I'm looking for is a way to encrypt, not to decrypt.

But I was not able to find a way to encrypt this password to obtain the
corresponding hash:
echo -n "\"Sg4QWTYspPucd\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
IgBTAGcANABRAFcAVABZAHMAcABQAHUAYwBkACIA
rather than expected "COwwLgiqqaHRyhy4HxWp4A==".

So I'm missing something to encrypt correctly these passwords...

Best regards,

mathias




2015-06-17 15:53 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 17/06/15 14:39, mathias dufresne wrote:
>
>> Hi all,
>>
>> I was wondering what kind of password encryption is used in the LDB file to
>> store users' passwords.
>>
>> Our users authenticate against an OpenLDAP tree to access their
>> applications. We would like to add a field to this OpenLDAP to generate a
>> Samba4-valid password when users connect to it, to be able then to copy
>> this field into our Samba4 users so that they have the same password for
>> applications and AD.
>>
>> Kind regards,
>>
>> mathias
>>
>
> It is in Unicode; to create a Windows password with bash, you need to do
> something like this:
>
> echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>
> The password is supposed to be read only, you cannot read it over the wire
> and must be set via SSL.
>
> Have you considered Kerberos instead, i.e. SSO?
>
> Rowland
>