[Samba] Retrieve winbind machine password

Pavel Filipenský pfilipensky at samba.org
Tue Oct 24 07:59:09 UTC 2023


On 10/23/23 11:06, Kees van Vloten wrote:
>
> Op 23-10-2023 om 10:58 schreef Pavel Filipenský:
>>
>> On 10/22/23 13:36, Kees van Vloten via samba wrote:
>>>
>>> Op 22-10-2023 om 03:43 schreef Andrew Bartlett:
>>>> On Sat, 2023-10-21 at 11:41 +0200, Kees van Vloten via samba wrote:
>>>>> Hi Team,
>>>>>
>>>>>
>>>>> I am currently looking into enterprise wifi with the machine 
>>>>> account. I
>>>>> did find some clues on the internet but the piece that is missing 
>>>>> is the
>>>>> password of the machine account.
>>>>>
>>>>> Is it possible for user root to extract that password in clear text
>>>>> from the secrets database where winbind has stored it?
>>>>>
>>>>> /var/lib/samba/private/secrets.tdb  seems to contain the info and
>>>>> tdbdump can output it, but some more decoding is needed before it 
>>>>> can be
>>>>> used in the NetworkManager configuration. What are the commands to 
>>>>> get
>>>>> that done?
>>>> People used to do this with tools that read that DB, which is of 
>>>> course
>>>> possible, but we have this script:
>>>>
>>>>
>>>>   ./source4/scripting/bin/machineaccountpw
>>>>
>>>> Note that the password is very random these days.
>>>>
>>>> But please do be aware that MSCHAPv2 is still NTLMv1 under the hood.
>>>> Better than plaintext if you have the certificate checking done
>>>> properly, but if you can do real certificates, do that!
>>>
>>> Thanks Andrew,
>>>
>>> I run my own CA and verify all certificates, that part is taken care 
>>> of :-)
>>>
>>> This link to MIT's Eduroam knowledge base confirms your statement: 
>>> http://kb.mit.edu/confluence/pages/viewpage.action?pageId=152599592&focusedCommentId=154190347#comment-154190347 
>>>
>>>
>>> One more question: Would it be possible to trigger a script when 
>>> winbind changes the machine password?
>>>
>>
>> Hi Kees,
>>
>> I am working on a related topic - keytab update when machine account 
>> password is changed: 
>> https://gitlab.com/samba-team/samba/-/merge_requests/1999
>>
>> I will try to add a 'script triggering' once the keytab update is done.
>>
>>
>> Pavel
>>
> Thanks Pavel, that would make it a lot easier!
>
> It looks like the MR has been open for a really long time. Do you 
> expect to finish and get it merged any time soon?


Yes, I am working on it right now. It should take a couple of weeks...


--Pavel


>
> - Kees.
>
>>
>>>
>>> That would help to update the wifi configuration on password change 
>>> and prevents lockout on the AD-side due to a wrong password.
>>>
>>> - Kees.
>>>
>>>> Andrew
>>>
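The "decoding" step Kees asks about, worked through as an added example (this is not code from the thread, from Samba, or from the `machineaccountpw` script Andrew points to). `tdbdump` prints each record as `key(N) = "..."` / `data(N) = "..."` and escapes every non-printable byte, the quote and the backslash as `\XX`; the example below undoes that escaping, checks the byte counts, pulls the machine password out of the record and turns it into an `nmcli` invocation for a PEAP/MSCHAPv2 machine connection. Assumptions, all labelled in the code: the record key is `SECRETS/MACHINE_PASSWORD/<DOMAIN>` (the naming used in Samba's secrets.tdb) with the value stored as a NUL-terminated UTF-8 string; the sample dump is constructed, not real; and the identity form (`host/<fqdn>`) is what a Windows NPS-style RADIUS server expects for machine authentication and may differ on other servers.

```python
import re
import shlex

# Constructed sample of `tdbdump /var/lib/samba/private/secrets.tdb` output.
# The records and the password are fabricated for this example; the key names
# follow Samba's secrets.tdb naming (an assumption, check with your own dump).
SAMPLE_TDBDUMP = r'''{
key(12) = "INFO/version"
data(4) = "\01\00\00\00"
}
{
key(32) = "SECRETS/MACHINE_PASSWORD/EXAMPLE"
data(13) = "p\C3\A4ss w0rd\22!\00"
}
{
key(40) = "SECRETS/MACHINE_LAST_CHANGE_TIME/EXAMPLE"
data(4) = "\DE\AD\BE\EF"
}
'''

_ESC = re.compile(rb"\\([0-9A-Fa-f]{2})")
_REC = re.compile(r'key\((\d+)\) = "(.*)"\ndata\((\d+)\) = "(.*)"')


def unescape(field: str) -> bytes:
    """Undo tdbdump's \\XX escaping; everything else is literal printable ASCII."""
    return _ESC.sub(lambda m: bytes([int(m.group(1), 16)]), field.encode("ascii"))


def parse_tdbdump(text: str) -> dict:
    """Return {key: raw data bytes}, refusing records whose lengths do not match."""
    records = {}
    for klen, key, dlen, data in _REC.findall(text):
        kbytes, dbytes = unescape(key), unescape(data)
        if len(kbytes) != int(klen) or len(dbytes) != int(dlen):
            raise ValueError(f"length mismatch in record {key!r}")
        records[kbytes.decode("utf-8")] = dbytes
    return records


def machine_password(records: dict, domain: str) -> str:
    """Extract the cleartext machine password for the given (short) domain name.

    Assumption: Samba stores it as a NUL-terminated UTF-8 string, and recent
    versions generate it from random Unicode code points, so the result may
    contain characters that need quoting in any config file it lands in.
    """
    raw = records[f"SECRETS/MACHINE_PASSWORD/{domain}"]
    return raw.rstrip(b"\x00").decode("utf-8")


def nmcli_add_args(con_name: str, ssid: str, identity: str, password: str,
                   ca_cert: str, domain_suffix: str) -> list:
    """Build the `nmcli connection add` argv for a PEAP/MSCHAPv2 802.1X profile.

    Server certificate pinning (ca-cert plus domain-suffix-match) is what keeps
    the inner MSCHAPv2 exchange, which is NTLMv1-grade, from being offered to a
    rogue access point; do not leave either property out.
    """
    return [
        "nmcli", "connection", "add", "type", "wifi",
        "con-name", con_name, "ifname", "*", "ssid", ssid,
        "wifi-sec.key-mgmt", "wpa-eap",
        "802-1x.eap", "peap",
        "802-1x.phase2-auth", "mschapv2",
        "802-1x.identity", identity,
        "802-1x.password", password,
        "802-1x.ca-cert", ca_cert,
        "802-1x.domain-suffix-match", domain_suffix,
    ]


if __name__ == "__main__":
    recs = parse_tdbdump(SAMPLE_TDBDUMP)
    pw = machine_password(recs, "EXAMPLE")
    # Identity form is an assumption (host/<fqdn> for NPS-style servers).
    argv = nmcli_add_args("corp-wifi", "corp", "host/ws01.example.com", pw,
                          "/etc/ssl/certs/corp-ca.pem", "radius.example.com")
    print(shlex.join(argv))
```

Passing the secret as a command-line argument exposes it briefly to other local users via `ps`; on a multi-user box prefer `nmcli --ask` or writing the keyfile under `/etc/NetworkManager/system-connections/` with mode 0600. Whatever you generate has to be regenerated when winbind rotates the machine password (see `machine password timeout` in smb.conf), which is exactly the gap the script-trigger request in this thread is about; a stale password in the wifi profile is what produces the AD-side lockout Kees mentions.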
