[Samba] Samba4 as AD, what password hash is used?

mathias dufresne infractory at gmail.com
Thu Jun 18 06:33:41 MDT 2015


Thank you Rowland for having taken the time to insist :)
I stopped hanging on the fact that the hashes were different and tried your
tips. It worked fine: I was able to use ldbmodify to replace the "unicodePwd"
attribute's value using your command.

Thank you again ;)

Cheers,

mathias

2015-06-18 13:23 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 18/06/15 12:04, mathias dufresne wrote:
>
>> Hi,
>>
>> Thank you for this answer; unfortunately I was not able to re-hash passwords
>> as they are hashed in the LDB database.
>>
>> First I retrieved the hash:
>> ldbsearch -H $sam '(cn=some user)' unicodePwd
>> # record 1
>> dn: CN=some user,OU=Users Management,DC=ad,DC=example,DC=com
>> unicodePwd:: COwwLgiqqaHRyhy4HxWp4A==
>>
>> This "unicodePwd" attribute comes from a quick search into "user" class:
>>   ldbsearch -H $sam -b
>> 'CN=SCHEMA,CN=CONFIGURATION,DC=AD,DC=EXAMPLE,DC=COM'
>> '(&(objectClass=classSchema)(cn=user))' | egrep -i 'pass|pwd'
>> systemMayContain: msDS-UserPasswordExpiryTimeComputed
>> systemMayContain: unicodePwd
>> systemMayContain: pwdLastSet
>> systemMayContain: ntPwdHistory
>> systemMayContain: lmPwdHistory
>> systemMayContain: dBCSPwd
>> systemMayContain: badPwdCount
>> systemMayContain: badPasswordTime
>>
>> Now the password is "Sg4QWTYspPucd" and its hash is
>> "COwwLgiqqaHRyhy4HxWp4A==". The hash seems to be base64 encoded because of
>> the double ":" following the attribute name, but I was not able to decode it
>> to obtain the password in clear. This does not really matter in fact;
>> what I'm looking for is a way to encrypt, not to decrypt.
>>
>> But I was not able to find the way to encrypt this password to obtain the
>> corresponding hash:
>> echo -n "\"Sg4QWTYspPucd\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>> IgBTAGcANABRAFcAVABZAHMAcABQAHUAYwBkACIA
>> rather than expected "COwwLgiqqaHRyhy4HxWp4A==".
>>
>> So I'm missing something to encrypt correctly these passwords...
>>
>> Best regards,
>>
>> mathias
>>
>>
>>
>>
>> 2015-06-17 15:53 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>
>> On 17/06/15 14:39, mathias dufresne wrote:
>>>
>>>> Hi all,
>>>>
>>>> I was wondering what kind of password encryption is used in the LDB file
>>>> to store users' passwords.
>>>>
>>>> Our users are authenticating against some OpenLDAP tree to access their
>>>> applications. We would like to add some field on this OpenLDAP to
>>>> generate a Samba4-valid password when users connect against it, so that
>>>> we can then copy this field into our Samba4 users so they have the same
>>>> password for applications and AD.
>>>>
>>>> Kind regards,
>>>>
>>>> mathias
>>>>
>>> It is in Unicode; to create a Windows password with bash, you need to do
>>> something like this:
>>>
>>> echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>>>
>>> The password is supposed to be read-only: you cannot read it over the
>>> wire, and it must be set via SSL.
>>>
>>> Have you considered Kerberos instead, i.e. SSO?
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
> Ah but what goes in is not necessarily what you think!
> I have a bash script to create a user, it has this line:
>
>  UNICODEPWD=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE |
> base64 -w 0)
>
> The user is then created from a ldif and at the bottom of the ldif is this:
>
> $_DN
> changetype: modify
> replace: unicodePwd
> unicodePwd::$UNICODEPWD"
>
> The whole idea is that it is very difficult to decode the AD user's
> password; on a Windows DC you cannot obtain the user's password, you
> seemingly can only obtain it on a Samba4 DC by acting directly on the .ldb
> file.
>
> I suppose you could write a script to set the user's password in AD via an
> ldif and then set the user's password in OpenLDAP via another ldif, but
> before you go down this line, just what are you trying to authenticate this
> way, and can you do it via Kerberos?
>
>
> Rowland
>
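The two values being compared in this thread are different things: the quoted, UTF-16LE, base64 value is what an LDIF *writes* into unicodePwd, while the 24-character value ldbsearch *reads back* decodes to 16 bytes, which is an unsalted NT hash (MD4 over the UTF-16LE password, without the quotes). The script below is an added example, not code from either poster or from Samba; it assumes that sam.ldb stores unicodePwd as that NT hash, and the function names, the pure-Python MD4 and the `describe_unicodepwd` classifier are the example's own. It reproduces the poster's LDIF value from the thread's sample password and shows why it can never equal the stored hash.

```python
import base64
import struct

# Sample password quoted in the thread (reused here as a constructed test input).
SAMPLE_PASSWORD = "Sg4QWTYspPucd"


def unicodepwd_write_value(password: str) -> str:
    """What goes on an LDIF 'unicodePwd::' line when SETTING a password:
    the cleartext wrapped in double quotes, UTF-16LE encoded, then base64.
    Same transformation as the iconv | base64 pipeline in the thread."""
    quoted = '"%s"' % password
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on
    OpenSSL 3 builds, so the example carries its own implementation."""
    mask = 0xFFFFFFFF

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: F, message words in order
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,6,14,...
            k = int(format(i, "04b")[::-1], 2)
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask,
                     (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Stored form of unicodePwd: MD4 over the UTF-16LE password, no quotes,
    no salt (assumption: this is what sam.ldb holds and ldbsearch prints)."""
    return md4(password.encode("utf-16-le"))


def unicodepwd_stored_value(password: str) -> str:
    """The base64 text ldbsearch would show for that stored hash."""
    return base64.b64encode(nt_hash(password)).decode("ascii")


def describe_unicodepwd(b64_value: str):
    """Classify a base64 unicodePwd value from an LDIF or ldbsearch output.

    Returns ("cleartext", password) for the quoted UTF-16LE write form,
    ("nt_hash", hex) for a 16-byte stored hash, ("unknown", hex) otherwise.
    The quoted form is checked first because a 6-character quoted password
    is also exactly 16 bytes of UTF-16LE."""
    raw = base64.b64decode(b64_value)
    try:
        text = raw.decode("utf-16-le")
        if len(text) >= 2 and text[0] == text[-1] == '"':
            return ("cleartext", text[1:-1])
    except UnicodeDecodeError:
        pass  # random hash bytes usually contain unpaired surrogates
    if len(raw) == 16:
        return ("nt_hash", raw.hex())
    return ("unknown", raw.hex())


if __name__ == "__main__":
    written = unicodepwd_write_value(SAMPLE_PASSWORD)
    stored = unicodepwd_stored_value(SAMPLE_PASSWORD)
    print("LDIF write value:", written, describe_unicodepwd(written))
    print("stored NT hash  :", stored, describe_unicodepwd(stored))
    print("equal?          :", written == stored)  # never True
```

Because the stored value is an unsalted MD4 of the password itself, it must be treated as a credential in its own right: read access to sam.ldb (or to the unicodePwd attribute over a local LDB handle) is equivalent to holding the password for NTLM purposes, which is why the attribute is write-only over the wire and why setting it requires an encrypted connection.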

