[Samba] retrieve machine password in current Samba?

Fri Aug 25 23:48:22 UTC 2017

On Fri, Aug 25, 2017 at 10:06:59PM +0000, James Zuelow via samba wrote:
> We have a wireless network that uses 802.1x authentication, in which domain joined computers use their machine credentials to connect.
> 
> 
> Windows machines do this automatically, and until recently Linux computers could join using wicd, wpa-supplicant, and a simple script that would retrieve the machine password with tdbdump.
> 
> 
> ( specifically tdbdump -k SECRETS/MACHINE_PASSWORD/DOMAIN /var/lib/samba/private/secrets.tdb )
> 
> 
> On older machines running Samba 4.2 (Debian Jessie) tdbdump gives a working password such as this:
> 
> 
> ]f2>lOR4NA~hbv\00  where the actual password is  ]f2>lOR4NA~hbv
> 
> 
> On newer machines running Samba 4.5 (Debian Stretch) tdbdump gives an encrypted password such as this:
> 
> 
> \EE\A9\8D\EF\AD\AC\E2\A1\9D\E2\A0\8C\E3\96\8E\E7\B0\A8\EE\97\AA\E2\8E\9F\E2\A2\8F\EB\85\BF\EE\B7\8B\EA\A7\A9\EA\97\B8\D2\86\E6\83\AB\EE\82\AA\E3\A9\BB\E3\8A\8D\E2\86\9B\E2\8C\92\E6\8C\A6\EA\85\A5\E6\8F\82\EF\96\94\EF\9C\82\E7\8D\B3\E7\8F\93\E7\B8\AA\E7\A7\B7\EE\88\96\E2\A3\9B\EB\AA\B0\E6\B6\A7\EF\B6\B7\EA\A2\AD\EF\A8\88\EA\BB\B6\EE\A4\9A\E3\99\A6\EE\93\96\E2\BD\84\EB\95\93\E3\87\A2\E2\9D\98\EE\BE\8A\E6\8F\A2\EF\AE\91\EB\B5\AA\E7\A5\AF\E7\A4\A6\CD\A5\EF\80\9A\E3\AC\A9\E6\95\9E\E3\A9\BE\EE\94\82\EA\BF\94\E2\B7\8E\E2\94\96\EF\9B\BB\EA\A4\BB\E2\8B\9A\E6\B7\9C\E6\97\B7\E3\8C\BF\E3\98\9A\EA\88\89\E3\94\91\E7\88\83\E7\95\A3\EE\B6\93\EB\A2\9F\E3\94\85\EF\97\8E\E3\BE\8B\EB\BF\8A\E7\BB\8D\E7\A5\95\EB\89\83\E3\8F\A7\EA\8B\9C\EA\BA\BD\E3\BA\B5\E2\B7\BC\E7\B4\8A\EA\83\97\EB\89\8B\EE\9B\91\E2\BA\9D\EE\AC\B4\E3\A5\84\EE\A0\A1\EE\B0\A7\EF\90\AC\EF\8F\8C\E3\AB\A5\E6\96\81\E7\A6\83\EA\80\BB\E2\B9\8B\E6\B2\9F\EF\91\8E\C7\AA\E7\AB\B0\EB\A6\B7\E7\BB\B4\E6\AA\87\E2\B1\94\E2\A2\90\E7\93\BC\EE\AD\AF\E7\89\A1\E6\BA\BC\EB\85\92\EA\A2\97\EF\82\9B\E3\A4\B8\EF\AE\9B\EE\86\9B\EB\82\80\EB\99\9C\E2\A5\AB\EB\A7\8E\EA\89\89\EA\8E\B6\E3\A7\95\E7\B5\A0\E7\BF\B9>\EB\AC\8A\E3\8E\A4\E7\90\98\EA\92\B0\EF\8C\9A\E3\B4\BE\EE\8A\A5\E6\87\B0\E7\BE\90\EF\8F\95\EE\92\88\EB\88\88\E3\B2\BB\E6\97\B7\E3\98\A8\EB\A3\BD\EF\83\AA\EE\B6\B4\E2\A3\B6\E6\8C\8C\EB\83\BD\EF\A1\A8\EB\8A\A7\E3\89\92\E2\86\93\EA\BD\84\E6\83\A4\E2\B8\B5\EA\9A\A2\EB\8B\BE\EE\B5\B5\EB\9D\A3\EF\82\AF\E6\B2\A8\E3\AB\BB\EE\A6\8A\E6\A5\81\E6\A8\B3\D0\97\E6\82\8D\EE\B7\B6\EB\87\9E\EA\AE\BF\EE\A8\8D\EB\9F\8C\EA\A8\AD\EF\B8\9E\EE\BC\85\E6\AD\A1\E7\92\9D\E3\AC\9F\D9\BD\E6\BB\B1\EA\AE\AD\E3\BC\AB\CF\92\E2\8A\8D\E6\AE\8C\00
> 
> 
> This second "password" isn't usable by wicd.
> 
> 
> The Samba wiki still refers to getting the current machine password from secrets.tdb:  https://wiki.samba.org/index.php/Keytab_Extraction  That wiki link is about generating keytabs but the process used to retrieve the password is just like the one I was using.
> 
> 
> Is there a currently supported method for retrieving the machine password in a form that's usable by external scripts such as wicd?

Looking at the code I think it's now returning the plaintext password,
whereas previously it only stored the password hash. You'll have to hash
to make it useful by wicd it seems (I'm guessing wicd expects the hash,
not the plaintext).