[Samba] Password Hash Swapping

Rowland Penny rpenny at samba.org
Thu Jul 21 14:22:13 UTC 2022


On Thu, 2022-07-21 at 10:02 -0400, ralph strebbing via samba wrote:
> Hey All,
> 
> Got something we're trying to make work, and wondering if it's even
> possible with the current state of Active Directory. A while back
> (presumably when we were still running an NT Domain on Samba 3), the
> company I work for built a tool to basically read the password hash of
> a user, and replace it with a preset hash so we could provision user
> accounts and log in as them, then revert the change when we were done
> to prevent them from having to reset their password. We're looking to
> do that again if possible, but with the amount of contradicting
> information, and scouring the Samba code has left the conclusion of:
> Don't touch the ldb files lest you want to break stuff horribly.

No, you can edit sam.ldb, provided you use the ldb tools or ldap utils
etc. What isn't recommended is to modify the files under sam.ldb.d.

There is nothing stopping you creating users with a password and then
changing it again once everything is set up, but there are numerous ways of
creating user homedirs etc as the user logs in for the first time.

I think what is going on here is that you are thinking in NT4-style
domain setup and you should be thinking in AD domain setup.

Rowland




