[Samba] insert password hash
Rowland Penny
rpenny at samba.org
Wed Nov 30 14:59:44 UTC 2022
On 30/11/2022 13:47, Marcos Ariel Negrini via samba wrote:
> Hello:
> I have implemented an Ad samba4 and for process issues I need the user
> password changes to be done from an external system. Currently the
> password changes are made from that system by connecting to the ldaps
> port, but our idea is that the operations are centralized in an api rest
> and we are trying to make a method that receives the hash from the
> external system and apply it in samba4 (for audit issues we do not want
> to receive the flat password with any reversible method that involves
> the administration in some instance of our part of the flat password).
>
> I have been testing to generate the hash and insert it through
> "ldbmodify" with bash:
It sounds like you are taking the plain password and hashing that before
converting it to a unicode password, if so, that isn't going to work,
you are setting the 'hash' as the password and not the plain password.
>
>
> user=123456789
>
> user_pass="password"
>
> UNICODEPWD=$(echo -n "\"$user_pass\"" | iconv -f UTF-8 -t UTF-16LE |
> base64 -w 0)
>
> ldbmodify -H /.../sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0
> << EOF
> dn: CN=$user,OU=user,DC=company,DC=com
> changetype: modify
> delete: unicodePwd
> -
> add: unicodePwd
> unicodePwd:: $UNICODEPWD
> EOF
>
>
> My question is if the script is correct, because even if I apply the new
> password, when I want to test with kinit it doesn't give ok.
> I was reading a thread on the list but I was not clear if the method is
> correct or just suggestions to try.
> I was also trying to identify in the samba-tool source code how it
> performs the password change (setpassword) but I did not find the code
> it uses.
> Regards
> Marcos Negrini
Try my version:
#!/bin/bash
_USER="$1"
_USER_PW="$2"
# CHANGE THESE.
# Set path to sam.ldb
ldbdb="/path/to/sam.ldb
# ldap suffix
SUFFIX="DC=samdom,DC=example,DC=com"
# Find username : $_USER must exist in AD !
_ENTRY=$($LDBSEARCHBIN --url=$ldbdb -b "$SUFFIX" -s sub
"(&(objectClass=user)(sAMAccountName=$_USER))" dn | grep "dn: ")
if [ -z "$_ENTRY" ]
then
echo "User $_USER does not exist in AD"
exit 1
fi
# Create unicode password
_UNICODEPW=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE |
base64 -w 0)
# Change users password in AD
echo "$_ENTRY
changetype: modify
replace: unicodePwd
unicodePwd::$_UNICODEPW
-" | ldbmodify --url=$ldbdb --use-kerberos=required
ret="$?"
if [ $ret -ne 0 ]
then
echo "Error changing user $_USER's Password in AD"
exit 1
fi
echo "Successfully changed Password for $_USER in AD"
exit 0
You will have to change a couple of lines before running the script, the
path to sam.ldb and set the ldap suffix. You will also require a ticket
for a Domain Admin and run the script as that Admin.
You just run the script as:
login as Domain Admin
kinit
changepass.sh fred H1sP4ssW0rd
Rowland
More information about the samba
mailing list