[Samba] insert password hash

Marcos Ariel Negrini mnegrini at afip.gob.ar
Wed Nov 30 14:58:41 UTC 2022


Hello:
I found another script that does it using ldapmodify; I could check it 
with kinit and it gives OK...

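user=123456789
password=password
# unicodePwd expects the password wrapped in double quotes
password="\"$password\""
# UTF-16LE, then base64 on one line; printf '%s' keeps % and spaces literal
u16pass=$(printf '%s' "$password" | iconv -f ascii -t UTF16LE | base64 -w 0)
echo "dn: CN=$user,OU=user,DC=company,DC=com" >ldap.ldif
echo "changetype: modify" >>ldap.ldif
echo "replace: unicodePwd" >>ldap.ldif
echo "unicodePwd:: $u16pass" >>ldap.ldif
ldapmodify -v -c -a -f ldap.ldif -H ldaps://server.company.com -D administrator@samba.company.com -W
# the LDIF file holds the encoded password, so remove it afterwards
rm ldap.ldif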

For now the tests give me OK, so I understand that this way of 
changing the password applies well in samba4.

I am looking at how authentication of the ldapmodify command works with 
a certificate; if someone has an example it would be appreciated.

Regards
Marcos Negrini

On 30/11/22 at 10:47, Marcos Ariel Negrini via samba wrote:
> Hello:
> I have implemented an AD samba4 and for process issues I need the user 
> password changes to be done from an external system. Currently the 
> password changes are made from that system by connecting to the ldaps 
> port, but our idea is that the operations are centralized in a REST 
> API and we are trying to make a method that receives the hash from 
> the external system and applies it in samba4 (for audit issues we do not 
> want to receive the flat password with any reversible method that 
> involves the administration in some instance of our part of the flat 
> password).
>
> I have been testing to generate the hash and insert it through 
> "ldbmodify" with bash:
>
>
> user=123456789
>
> user_pass="password"
>
> UNICODEPWD=$(echo -n "\"$user_pass\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
>
> ldbmodify -H /.../sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
> dn: CN=$user,OU=user,DC=company,DC=com
> changetype: modify
> delete: unicodePwd
> -
> add: unicodePwd
> unicodePwd:: $UNICODEPWD
> EOF
>
>
> My question is if the script is correct, because even if I apply the 
> new password, when I want to test with kinit it doesn't give ok.
> I was reading a thread on the list but I was not clear if the method 
> is correct or just suggestions to try.
> I was also trying to identify in the samba-tool source code how it 
> performs the password change (setpassword) but I did not find the code 
> it uses.
> Regards
> Marcos Negrini
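
Added example, not part of the original message: the unicodePwd encoding step from the ldapmodify script as shell functions that print the LDIF on stdout, so it can be piped to ldapmodify without a temporary file holding the password. The function names are hypothetical, the DN and server are the placeholders from the message, and the password is assumed to arrive as UTF-8.

```sh
#!/bin/sh
# Added example: constructed values, hypothetical function names.

# Encode a cleartext password as a unicodePwd value: wrap it in double
# quotes, convert to UTF-16LE, base64-encode on a single line.
unicode_pwd() {
    # Refuse input that is not valid UTF-8 (assumed input charset).
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE >/dev/null 2>&1 || return 1
    # printf '"%s"' keeps %, backslashes and spaces in the password literal;
    # tr removes the line wrapping base64 applies to long values.
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Reverse of unicode_pwd, for checking what an LDIF value really contains.
decode_unicode_pwd() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# Print the modify record on stdout; nothing is written to disk.
# $1 = DN (assumed plain ASCII), $2 = cleartext password
pwd_ldif() {
    enc=$(unicode_pwd "$2") || return 1
    printf 'dn: %s\n' "$1"
    printf 'changetype: modify\nreplace: unicodePwd\n'
    printf 'unicodePwd:: %s\n' "$enc"
}

# Usage with the placeholders from the message (ldapmodify reads the LDIF
# from standard input when -f is omitted):
#   pwd_ldif "CN=$user,OU=user,DC=company,DC=com" "$password" |
#       ldapmodify -H ldaps://server.company.com \
#                  -D administrator@samba.company.com -W
```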


