[Samba] Password Hash Swapping

ralph strebbing blackbirdralph at gmail.com
Thu Jul 21 14:54:41 UTC 2022

On Thu, Jul 21, 2022 at 10:22 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:
> No, you can edit sam.ldb, provided you use the ldb tools or ldap utils
> etc. What isn't recommended is to modify the files under sam.ldb.d
Yeah, the issue was the sam.ldb file didn't have any of the hashes we
were looking for (if we were looking at the right info). This is where
the conflicting information comes into play, because only from the
domain specific ldb file in sam.ldb.d/ were we able to find the
unicodePwd, which I can't even verify is being used anymore, nor can I
peg down how it's calculated in a way that we can just swap
easily/safely without breaking things like our Azure sync.

> There is nothing stopping you creating users with a password and then
> changing it again once everything is set up, but there are numerous ways of
> creating user homedirs etc as the user logs in for the first time.
Right, well when we need to specifically create a user, this isn't a
problem, and it's what we do. I was talking more about when we need to
set up a new workstation for an existing user, we do a LOT of prep and
customization for the users here, dealing with a lot of stupidity.
Regardless it's the concept of being able to log in as that user to
perform tasks, then revert the password so they don't have to reset it
on next login.

> I think what is going on here is that you are thinking in NT4-style
> domain setup and you should be thinking in AD domain setup.
Can you fill me in on the different lines of thought here? I was a bit
too young to work with NT4 domains, so AD style (with Windows Server
2012 and above), or what I've done with this AD DC setup through Samba
is the most I've worked with domain setups. I know NT4 was an older
style of domain, and a lot less secure (based on what I was reading,
things like smbpasswd, pdbedit, etc. being tools to work around and
accomplish what I'm trying to do), but I guess I don't really know the
key differences in mentality, if you feel like giving a brief history
lesson for me.
