[Samba] user password hash

Elias Pereira empbilly at gmail.com
Wed Oct 9 11:21:48 UTC 2019


>
>  I suppose the question has to be 'why does he want to
> see the password'


If this mention is about my doubt, I say that I do not want to see user
passwords at all. My doubt originated from the fact that we have another
user database in our institution that generates another password and I want
to see if we can export users from this other base to our samba4 DC without
having to change the password.

Thanks!

On Wed, Oct 9, 2019 at 4:11 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 09/10/2019 03:19, Nico Kadel-Garcia wrote:
> > On Tue, Oct 8, 2019 at 8:04 AM Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >> On 08/10/2019 12:53, Jonathon Reinhart wrote:
> >>>
> >>> On Tue, Oct 8, 2019, 07:45 Rowland penny via samba
> >>> <samba at lists.samba.org> wrote:
> >>>
> >>>      On 08/10/2019 12:27, Elias Pereira via samba wrote:
> >>>      > hello list,
> >>>      >
> >>>      > What kind of hashing/encryption samba4 ADDC uses for user
> >>>      passwords? base64?
> >>>
> >>>
> >>> Base64 is neither a hash nor an encryption algorithm; it is an
> >>> encoding.
> >> That is why I said 'basically' ;-)
> >>>      >
> >>>      > Thanks!
> >>>      >
> >>>      Basically yes, but it is a bit more involved, to create an AD
> >>>      users passwords in bash, you would have to do something like this:
> >>>
> >>>      UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE |
> >>>      base64 -w 0)
> >>>
> >>>
> >>> Where is this scheme applied?
> >> On my Hard drive ;-)
> >>> Are you saying Samba stores plaintext passwords in the database?
> >> No, that bit of bash turns a plain password into what you would store in
> >> the user's 'unicodePwd' attribute.
> >>
> >> For instance, if $PASSWORD == password , you would get
> >> 'IgBwAGEAcwBzAHcAbwByAGQAIgA='
> >>
> >> Rowland
> > I appreciate that this is how to pass the plaintext password for
> > setting it, for storage by the Kerberos back end. If Samba is using
> > Kerberos in normal fashion, *nothing* ever sees the plain text
> > password again. A decent explanation lives at
> > https://www.roguelynn.com/words/explain-like-im-5-kerberos/ , and
> > there are many others.
>
> Sorry but you are wrong ;-)
>
> You can sync passwords with 'samba-tool user syncpasswords'
>
> You could run something like this on a Samba AD DC:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectclass=user)(samaccountname=rowland))' unicodePwd
>
> This will get you a user's password, you just need to run it through the
> reverse of what I posted earlier to see the actual user's password.
>
> The OP asked what the password 'hash' was, I took this to mean 'how do I
> see a password', I suppose the question has to be 'why does he want to
> see the password'
>
> Rowland


-- 
Elias Pereira
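
Added example, not part of the original message or of Samba: the one-liner quoted above run in both directions, plus a check that flags LDIF files whose unicodePwd values are in that quoted UTF-16LE form and so contain the password itself. The function names, the alice/bob entries and the 16-byte value are constructed for illustration; the first value is the one given in the thread.

```sh
# Added example; function names are hypothetical, sample data is constructed.

# Same steps as the quoted one-liner: wrap the password in double quotes,
# convert to UTF-16LE, base64-encode on a single line.
unicodepwd_encode() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Reverse it. Prints the plaintext and returns 0 only if the value decodes to
# a double-quoted UTF-16LE string; returns 1 for anything else.
unicodepwd_decode() {
    text=$(printf '%s' "$1" | base64 -d 2>/dev/null |
           iconv -f UTF-16LE -t UTF-8 2>/dev/null) || return 1
    case $text in '"'*'"') ;; *) return 1 ;; esac
    text=${text#\"}
    printf '%s' "${text%\"}"
}

# Read LDIF on stdin and, for every unicodePwd:: value, print the DN and
# whether the password can be recovered from it. Never prints the password.
audit_ldif() {
    dn=
    while IFS= read -r line; do
        case $line in
            dn:\ *) dn=${line#dn: } ;;
            unicodePwd::\ *)
                if unicodepwd_decode "${line#unicodePwd:: }" >/dev/null; then
                    printf '%s\tRECOVERABLE\n' "$dn"
                else
                    printf '%s\tOPAQUE\n' "$dn"
                fi ;;
        esac
    done
}

# Constructed LDIF: alice carries the thread's example value, bob carries
# 16 arbitrary bytes (0x00..0x0f) that are not in the quoted format.
sample_ldif() {
    cat <<'EOF'
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
unicodePwd:: IgBwAGEAcwBzAHcAbwByAGQAIgA=

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
unicodePwd:: AAECAwQFBgcICQoLDA0ODw==
EOF
}
sample_ldif | audit_ldif
```

Any file that audit_ldif marks RECOVERABLE should be stored and transferred as if it were a plaintext password list.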

