[Samba] insert password hash

Rowland Penny rpenny at samba.org
Wed Nov 30 14:59:44 UTC 2022



On 30/11/2022 13:47, Marcos Ariel Negrini via samba wrote:
> Hello:
> I have implemented an Ad samba4 and for process issues I need the user 
> password changes to be done from an external system. Currently the 
> password changes are made from that system by connecting to the ldaps 
> port, but our idea is that the operations are centralized in an api rest 
> and we are trying to make a method that receives the hash from the 
> external system and apply it in samba4 (for audit issues we do not want 
> to receive the flat password with any reversible method that involves 
> the administration in some instance of our part of the flat password).
> 
> I have been testing to generate the hash and insert it through 
> "ldbmodify" with bash:

It sounds like you are taking the plain password and hashing that before 
converting it to a unicode password, if so, that isn't going to work, 
you are setting the 'hash' as the password and not the plain password.

> 
> 
> user=123456789
> 
> user_pass="password"
> 
> UNICODEPWD=$(echo -n "\"$user_pass\"" | iconv -f UTF-8 -t UTF-16LE | 
> base64 -w 0)
> 
> ldbmodify -H /.../sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 
> << EOF
> dn: CN=$user,OU=user,DC=company,DC=com
> changetype: modify
> delete: unicodePwd
> -
> add: unicodePwd
> unicodePwd:: $UNICODEPWD
> EOF
> 
> 
> My question is if the script is correct, because even if I apply the new 
> password, when I want to test with kinit it doesn't give ok.
> I was reading a thread on the list but I was not clear if the method is 
> correct or just suggestions to try.
> I was also trying to identify in the samba-tool source code how it 
> performs the password change (setpassword) but I did not find the code 
> it uses.
> Regards
> Marcos Negrini

Try my version:

#!/bin/bash

_USER="$1"
_USER_PW="$2"

# CHANGE THESE.
# Set path to sam.ldb
ldbdb="/path/to/sam.ldb
# ldap suffix
SUFFIX="DC=samdom,DC=example,DC=com"

# Find username : $_USER must exist in AD !
_ENTRY=$($LDBSEARCHBIN --url=$ldbdb -b "$SUFFIX" -s sub 
"(&(objectClass=user)(sAMAccountName=$_USER))" dn | grep "dn: ")
if [ -z "$_ENTRY" ]
then
	echo "User $_USER does not exist in AD"
	exit 1
fi

# Create unicode password
_UNICODEPW=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | 
base64 -w 0)

# Change users password in AD
echo "$_ENTRY
changetype: modify
replace: unicodePwd
unicodePwd::$_UNICODEPW
-" | ldbmodify --url=$ldbdb --use-kerberos=required
ret="$?"
if [ $ret -ne 0 ]
then
	echo "Error changing user $_USER's Password in AD"
	exit 1
fi

echo "Successfully changed Password for $_USER in AD"

exit 0

You will have to change a couple of lines before running the script, the 
path to sam.ldb and set the ldap suffix. You will also require a ticket 
for a Domain Admin and run the script as that Admin.
You just run the script as:

login as Domain Admin
kinit
changepass.sh fred H1sP4ssW0rd

Rowland



More information about the samba mailing list