[Samba] user password hash

Nico Kadel-Garcia nkadel at gmail.com
Wed Oct 9 02:19:25 UTC 2019


On Tue, Oct 8, 2019 at 8:04 AM Rowland penny via samba
<samba at lists.samba.org> wrote:
>
> On 08/10/2019 12:53, Jonathon Reinhart wrote:
> >
> >
> > On Tue, Oct 8, 2019, 07:45 Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >
> >     On 08/10/2019 12:27, Elias Pereira via samba wrote:
> >     > hello list,
> >     >
> >     > What kind of hashing/encryption samba4 ADDC uses for user passwords? base64?
> >
> >
> > Base64 is neither a hash nor an encryption algorithm; it is an encoding.
> That is why I said 'basically' ;-)
> >
> >     >
> >     > Thanks!
> >     >
> >     Basically yes, but it is a bit more involved. To create an AD user's
> >     password in bash, you would have to do something like this:
> >
> >     UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
> >
> >
> > Where is this scheme applied?
> On my Hard drive ;-)
> > Are you saying Samba stores plaintext passwords in the database?
>
> No, that bit of bash turns a plain password into what you would store in
> the user's 'unicodePwd' attribute.
>
> For instance, if $PASSWORD == password, you would get
> 'IgBwAGEAcwBzAHcAbwByAGQAIgA='
>
> Rowland

I appreciate that this is how to pass the plaintext password for
setting it, for storage by the Kerberos back end. If Samba is using
Kerberos in normal fashion, *nothing* ever sees the plain text
password again. A decent explanation lives at
https://www.roguelynn.com/words/explain-like-im-5-kerberos/ , and
there are many others.
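
Added example, not part of the original thread and not Samba's own code: the encoding quoted above next to its inverse, showing that the `unicodePwd` value decodes straight back to the plaintext and so needs the same protection in transit as the password itself. The function names and the DN argument are constructed for illustration; `iconv` and GNU `base64` are assumed to be installed.

```bash
#!/bin/sh
# Added example. Function names and the DN are hypothetical placeholders.

# Encode as in the thread: wrap in double quotes, UTF-8 -> UTF-16LE, base64.
# printf '%s' replaces 'echo -n' so that backslashes, '%' and a leading
# '-e' or '-n' in the password reach iconv unchanged.
encode_unicodepwd() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
}

# Decode: reverse every step. No key or secret is involved, which is why
# the encoded value is as sensitive as the plaintext password.
decode_unicodepwd() {
    _q=$(printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8) || return 1
    case $_q in
        '"'*'"') ;;                      # must be wrapped in double quotes
        *) echo "not a quoted unicodePwd value" >&2; return 1 ;;
    esac
    _q=${_q#\"}                          # strip leading quote
    _q=${_q%\"}                          # strip trailing quote
    printf '%s' "$_q"
}

# Build an LDIF modify record; '::' marks the value as base64 in LDIF.
# $1 = user DN (placeholder), $2 = plaintext password.
unicodepwd_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n-\n' \
        "$1" "$(encode_unicodepwd "$2")"
}

# Demo with the constructed password used in the thread.
printf 'encoded: %s\n' "$(encode_unicodepwd 'password')"
printf 'decoded: %s\n' "$(decode_unicodepwd 'IgBwAGEAcwBzAHcAbwByAGQAIgA=')"
```
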
