[Samba] insert password hash
Marcos Ariel Negrini
mnegrini at afip.gob.ar
Wed Nov 30 14:58:41 UTC 2022
Hello:
I found another script that does it using ldapmodify. I could check it
with kinit and it gives OK...
user=123456789
password=password
# unicodePwd must be the password wrapped in double quotes
password='"'$password'"'
# UTF-16LE, then base64 on a single line for the LDIF "::" syntax
u16pass=`printf '%s' "$password"|iconv -f ascii -t UTF16LE|base64 -w 0`
echo "dn: CN=$user,OU=user,DC=company,DC=com" >ldap.ldif
echo "changetype: modify" >>ldap.ldif
echo "replace: unicodePwd" >>ldap.ldif
echo "unicodePwd:: $u16pass" >>ldap.ldif
ldapmodify -v -c -a -f ldap.ldif -H ldaps://server.company.com -D administrator@samba.company.com -W
# ldap.ldif holds the encoded password, so remove it afterwards
rm ldap.ldif
For now the tests give me OK, so I understand that this way of
changing the password works well in Samba4.
I am looking at how authentication of the ldapmodify command works with
a certificate; if someone has an example it would be appreciated.
Regards
Marcos Negrini
On 30/11/22 at 10:47, Marcos Ariel Negrini via samba wrote:
> Hello:
> I have implemented a Samba4 AD and for process reasons I need the user
> password changes to be done from an external system. Currently the
> password changes are made from that system by connecting to the ldaps
> port, but our idea is that the operations are centralized in a REST
> API and we are trying to make a method that receives the hash from
> the external system and applies it in samba4 (for audit reasons we do not
> want to receive the flat password with any reversible method that
> involves the administration in some instance of our part of the flat
> password).
>
> I have been testing to generate the hash and insert it through
> "ldbmodify" with bash:
>
>
> user=123456789
>
> user_pass="password"
>
> UNICODEPWD=$(echo -n "\"$user_pass\"" | iconv -f UTF-8 -t UTF-16LE |
> base64 -w 0)
>
> ldbmodify -H /.../sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
> dn: CN=$user,OU=user,DC=company,DC=com
> changetype: modify
> delete: unicodePwd
> -
> add: unicodePwd
> unicodePwd:: $UNICODEPWD
> EOF
>
>
> My question is if the script is correct, because even if I apply the
> new password, when I want to test with kinit it doesn't give ok.
> I was reading a thread on the list but I was not clear if the method
> is correct or just suggestions to try.
> I was also trying to identify in the samba-tool source code how it
> performs the password change (setpassword) but I did not find the code
> it uses.
> Regards
> Marcos Negrini
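
Added example, not part of the original messages: the unicodePwd encoding used in the reply above, written as shell functions that send the LDIF to stdout instead of a file, cope with `%` and long passwords, and refuse a DN containing a newline. The function names are hypothetical; the DN, server and bind account are the thread's own sample values.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample values are constructed.

# Encode a password for unicodePwd: wrap it in double quotes, convert to
# UTF-16LE, then base64 kept on one line (base64's own line wrapping is not
# valid LDIF folding).
encode_unicodepwd() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Reverse of the above, used to check that the encoding round-trips.
decode_unicodepwd() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# Print a "replace: unicodePwd" LDIF for one DN on stdout.
# Returns 1 if the DN contains a newline (it would inject extra LDIF lines)
# or if encoding produced nothing.
build_pwd_ldif() {
    dn=$1
    nl='
'
    case $dn in *"$nl"*) return 1 ;; esac
    enc=$(encode_unicodepwd "$2")
    [ -n "$enc" ] || return 1
    printf 'dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n' \
        "$dn" "$enc"
}

# Demo with the thread's sample values; prints four LDIF lines.
build_pwd_ldif "CN=123456789,OU=user,DC=company,DC=com" "password"

# To apply it, pipe the output into ldapmodify instead of writing ldap.ldif:
#   build_pwd_ldif "$dn" "$password" |
#     ldapmodify -H ldaps://server.company.com -D administrator@samba.company.com -W
```

Because the LDIF never touches disk, there is no ldap.ldif to clean up if the script is interrupted.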