[Samba] Samba4 as AD, what password hash is used?

Rowland Penny rowlandpenny at googlemail.com
Thu Jun 18 05:23:57 MDT 2015


On 18/06/15 12:04, mathias dufresne wrote:
> Hi,
>
> Thank you for this answer, unfortunately I was not able to re-hash password
> as they are hashed into LDB database.
>
> First I retrieved the hash:
> ldbsearch -H $sam '(cn=some user)' unicodePwd
> # record 1
> dn: CN=some user,OU=Users Management,DC=ad,DC=example,DC=com
> unicodePwd:: COwwLgiqqaHRyhy4HxWp4A==
>
> This "unicodePwd" attribute comes from a quick search into "user" class:
>   ldbsearch -H $sam -b 'CN=SCHEMA,CN=CONFIGURATION,DC=AD,DC=EXAMPLE,DC=COM' '(&(objectClass=classSchema)(cn=user))' | egrep -i 'pass|pwd'
> systemMayContain: msDS-UserPasswordExpiryTimeComputed
> systemMayContain: unicodePwd
> systemMayContain: pwdLastSet
> systemMayContain: ntPwdHistory
> systemMayContain: lmPwdHistory
> systemMayContain: dBCSPwd
> systemMayContain: badPwdCount
> systemMayContain: badPasswordTime
>
> Now the password is "Sg4QWTYspPucd" and its hash is
> "COwwLgiqqaHRyhy4HxWp4A==". The hash seems to be base64 encoded because of
> the double ":" trailing the attribute name, but I was not able to decode it to
> obtain the password in clear version. This does not really matter in fact;
> what I'm looking for is a way to encrypt, not to decrypt.
>
> But I was not able to find the way to encrypt this password to obtain the
> corresponding hash:
> echo -n "\"Sg4QWTYspPucd\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
> IgBTAGcANABRAFcAVABZAHMAcABQAHUAYwBkACIA
> rather than expected "COwwLgiqqaHRyhy4HxWp4A==".
>
> So I'm missing something to encrypt correctly these passwords...
>
> Best regards,
>
> mathias
>
>
>
>
> 2015-06-17 15:53 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>> On 17/06/15 14:39, mathias dufresne wrote:
>>
>>> Hi all,
>>>
>>> I was wondering what kind of password encryption is used in the LDB file to
>>> store users' passwords.
>>>
>>> Our users are authenticating against some OpenLDAP tree to access their
>>> applications. We would like to add a field to this OpenLDAP that generates a
>>> Samba4-valid password when users connect to it, so that we can then copy
>>> this field into our Samba4 users and they have the same password for
>>> applications and AD.
>>>
>>> Kind regards,
>>>
>>> mathias
>>>
>> It is in unicode. To create a Windows password with bash, you need to do
>> something like this:
>>
>> echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>>
>> The password is supposed to be read only: you cannot read it over the wire,
>> and it must be set via SSL.
>>
>> Have you considered Kerberos instead, i.e. SSO?
>>
>> Rowland
>>
>>

Ah but what goes in is not necessarily what you think!
I have a bash script to create a user, it has this line:

  UNICODEPWD=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)

The user is then created from a ldif and at the bottom of the ldif is this:

$_DN
changetype: modify
replace: unicodePwd
unicodePwd:: $UNICODEPWD

The whole idea is that it is very difficult to decode the AD user's 
password. On a Windows DC you cannot obtain the user's password; you 
seemingly can only obtain it on a Samba4 DC by acting directly on the 
.ldb file.

I suppose you could write a script to set the user's password in AD via 
an ldif and then set the user's password in OpenLDAP via another ldif, 
but before you go down this line, just what are you trying to 
authenticate this way, and can you do it via Kerberos?

Rowland
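The question the thread opens with, what hash unicodePwd actually holds, has a checkable answer. In Samba's sam.ldb the unicodePwd attribute stores the NT hash, MD4 over the UTF-16LE encoding of the bare password, which is why the value Mathias read out decodes to exactly 16 bytes. The value you write over LDAPS is different: it is the password in double quotes, UTF-16LE encoded and base64'd, exactly what Rowland's iconv one-liner produces, and the server hashes it on the way in. That is why encoding the password can never reproduce the stored value. The script below is an added example, not code from the thread or from the Samba project. It carries its own MD4 (hashlib's MD4 depends on OpenSSL's legacy provider, which is often disabled), computes both the wire form and the stored form, and takes the record value and password quoted in the thread as constructed inputs so the two can be compared; function names are my own.

```python
import base64
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so the example does not depend on
    OpenSSL still shipping MD4 in its default provider."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    r2_index = [(i % 4) * 4 + i // 4 for i in range(16)]   # 0,4,8,12,1,5,...
    r3_index = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                # round 1: F(b,c,d)
            f = (b & c) | (~b & d & _MASK)
            a, b, c, d = d, _rotl(a + f + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                # round 2: majority
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _rotl(a + g + x[r2_index[i]] + 0x5A827999,
                                  (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                # round 3: parity
            h = b ^ c ^ d
            a, b, c, d = d, _rotl(a + h + x[r3_index[i]] + 0x6ED9EBA1,
                                  (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)

    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The form Samba keeps in sam.ldb's unicodePwd: MD4 over the UTF-16LE
    password, no quotes, no terminator, 16 bytes."""
    return md4(password.encode("utf-16-le"))


def ldap_unicode_pwd(password: str) -> str:
    """The form you send in an LDAP modify over LDAPS: the password wrapped in
    double quotes, UTF-16LE encoded, base64'd (same as the iconv | base64
    one-liner in the thread). The DC hashes it; this is not what gets stored."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def stored_hash_bytes(stored_b64: str) -> bytes:
    """Decode a unicodePwd value as ldbsearch prints it (double colon = base64)."""
    return base64.b64decode(stored_b64)


def stored_hash_matches(stored_b64: str, candidate: str) -> bool:
    """Offline check: does a candidate password produce the stored NT hash?"""
    return hmac.compare_digest(stored_hash_bytes(stored_b64), nt_hash(candidate))


# Constructed inputs: the record value and password as quoted in the thread.
STORED_UNICODEPWD = "COwwLgiqqaHRyhy4HxWp4A=="
PASSWORD_FROM_THREAD = "Sg4QWTYspPucd"

if __name__ == "__main__":
    print("wire form (LDAP modify) :", ldap_unicode_pwd(PASSWORD_FROM_THREAD))
    print("NT hash of password     :", nt_hash(PASSWORD_FROM_THREAD).hex())
    print("stored unicodePwd       :", stored_hash_bytes(STORED_UNICODEPWD).hex())
    print("stored == NT hash       :", stored_hash_matches(STORED_UNICODEPWD,
                                                           PASSWORD_FROM_THREAD))
```

For the OpenLDAP-side idea in the thread, `nt_hash()` is the value you would have to produce and then write into sam.ldb, not `ldap_unicode_pwd()`; and because unicodePwd is a write-only attribute over the wire, any such sync has to run on the DC itself against the .ldb, or use the normal set-password path (LDAPS modify, `samba-tool user setpassword`) with the cleartext.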


