[Samba] insert password hash

Andrew Bartlett abartlet at samba.org
Wed Nov 30 18:20:52 UTC 2022


On Wed, 2022-11-30 at 10:47 -0300, Marcos Ariel Negrini via samba
wrote:
> Hello:
> I have implemented an AD Samba4 and for process issues I need the user
> password changes to be done from an external system. Currently the 
> password changes are made from that system by connecting to the ldaps 
> port, but our idea is that the operations are centralized in an api rest 
> and we are trying to make a method that receives the hash from the 
> external system and apply it in samba4 (for audit issues we do not want 
> to receive the flat password with any reversible method that involves 
> the administration in some instance of our part of the flat password).

The script you sent is almost correct, no need for the OID however as
it sends Samba the plaintext password.

It is critical you send Samba the plaintext password, it is the trusted
core of your authentication system so you can trust it with it, and it
means we can construct strong hashes with it.

If you only send Samba the NT hash, then we can't offer strong
authentication over Kerberos.

If security is a major concern, then you actually really want to send
us the plaintext, as we can in Samba 4.17 be configured not to store it
at all, as it is easily reversed (this will disable NTLM). 

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
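
Added example, not part of the reply above and not the original poster's script: a sketch of the plaintext password reset over LDAPS that the thread describes, so the DC receives the password and derives its own keys. It assumes the change is made by replacing the AD `unicodePwd` attribute through the `ldap3` Python library; the host, DNs, CA path and function names are constructed placeholders.

```python
# Added example (not the poster's script): plaintext password reset over LDAPS.
import ssl
from urllib.parse import urlparse


def encode_unicode_pwd(password: str) -> bytes:
    """Value for the AD unicodePwd attribute: the plaintext in double
    quotes, encoded as UTF-16LE. No hashing happens on the client."""
    if not password:
        raise ValueError("empty password")
    return f'"{password}"'.encode("utf-16-le")


def check_transport(url: str) -> tuple[str, int]:
    """Allow only ldaps:// so the plaintext is never sent unencrypted."""
    parsed = urlparse(url)
    if parsed.scheme != "ldaps" or not parsed.hostname:
        raise ValueError(f"refusing {url!r}: an ldaps:// URL is required")
    return parsed.hostname, parsed.port or 636


def set_password(url, bind_dn, bind_pw, user_dn, new_password, ca_file=None):
    """Replace unicodePwd on user_dn; the DC derives every stored key itself."""
    # Imported here so the helpers above work without ldap3 installed.
    from ldap3 import MODIFY_REPLACE, Connection, Server, Tls

    host, port = check_transport(url)
    value = encode_unicode_pwd(new_password)
    # Verify the DC certificate before any credential leaves this host.
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=port, use_ssl=True, tls=tls)
    with Connection(server, user=bind_dn, password=bind_pw, auto_bind=True) as conn:
        if not conn.modify(user_dn, {"unicodePwd": [(MODIFY_REPLACE, [value])]}):
            raise RuntimeError(f"password change rejected: {conn.result['description']}")
    return True


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own DC and accounts.
    set_password("ldaps://dc1.example.test", "CN=pwsvc,CN=Users,DC=example,DC=test",
                 "service-account-password", "CN=alice,CN=Users,DC=example,DC=test",
                 "New-Plaintext-Passw0rd", ca_file="/etc/ssl/certs/example-ca.pem")
```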


