[Samba] insert password hash

Marcos Ariel Negrini mnegrini at afip.gob.ar
Wed Nov 30 13:47:26 UTC 2022

I have implemented an Ad samba4 and for process issues I need the user 
password changes to be done from an external system. Currently the 
password changes are made from that system by connecting to the ldaps 
port, but our idea is that the operations are centralized in an api rest 
and we are trying to make a method that receives the hash from the 
external system and apply it in samba4 (for audit issues we do not want 
to receive the flat password with any reversible method that involves 
the administration in some instance of our part of the flat password).

I have been testing to generate the hash and insert it through 
"ldbmodify" with bash:



UNICODEPWD=$(echo -n "\"$user_pass\"" | iconv -f UTF-8 -t UTF-16LE | 
base64 -w 0)

ldbmodify -H /.../sam.ldb --controls=local_oid: 
<< EOF
dn: CN=$user,OU=user,DC=company,DC=com
changetype: modify
delete: unicodePwd
add: unicodePwd
unicodePwd:: $UNICODEPWD

My question is if the script is correct, because even if I apply the new 
password, when I want to test with kinit it doesn't give ok.
I was reading a thread on the list but I was not clear if the method is 
correct or just suggestions to try.
I was also trying to identify in the samba-tool source code how it 
performs the password change (setpassword) but I did not find the code 
it uses.
Marcos Negrini

More information about the samba mailing list