[Samba] user password hash

mj lists at merit.unu.edu
Thu Oct 10 11:55:18 UTC 2019

Hi Rowland, all,

On 10/9/19 9:11 AM, Rowland penny via samba wrote:
> You could run something like this on a Samba AD DC:
> ldbsearch -H /var/lib/samba/private/sam.ldb -b 
> 'dc=samdom,dc=example,dc=com' -s sub 
> '(&(objectclass=user)(samaccountname=rowland))' unicodePwd
> This will get you a users password, you just need to run it through the 
> reverse of what I posted earlier to see the actual users password.

Out of curiosity I tried that, and wrote the following little bash script:

> PASSWORD="zKY\.Jp4jdiJ\_"
> UNICODEPW_GENERATED="$(echo -n "$PASSWORD" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)"
> PASSWORD_DECODED_FROM_UNICODEPW="$(echo -n $UNICODEPW_GENERATED | base64 -d -w 0 | iconv -t UTF-8 -f UTF-16LE)"
> echo "Password: $PASSWORD"
> echo "Generated unicodePwd: $UNICODEPW_GENERATED"
> echo "Decoded password: $PASSWORD_DECODED_FROM_UNICODEPW"

This gives normal looking output:

> Password: zKY\.Jp4jdiJ\_
> Generated unicodePwd: egBLAFkAXAAuAEoAcAA0AGoAZABpAEoAXABfAA==
> Decoded password: zKY\.Jp4jdiJ\_

HOWEVER: the AD unicodePwd field for this testuser with that password 
(set with samba-tool) is something different:

> ~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=testsamba,dc=company,dc=com' -s sub '(&(objectclass=user)(samaccountname=test))' unicodePwd 
> # record 1
> dn: CN=ted t. test,CN=Users,DC=testsamba,DC=company,DC=com
> unicodePwd:: eD1jkPHBRopHzc00qaK6fw==

so the actual unicodePwd field in AD is not what the script generated.

I tried various users, and confirmed that the AD unicodePwd actually 
works by logging in as my test users.

So... I am wondering what is wrong in my testing/logic..?

Thanks for the interesting discussion!


More information about the samba mailing list