[Samba] Import of exported unicodePwd does not update Kerberos password
Rowland Penny
rpenny at samba.org
Mon Dec 2 12:55:22 UTC 2024
On Mon, 2 Dec 2024 10:54:38 +0100
"Emil.s via samba" <samba at lists.samba.org> wrote:
> Hello,
>
> I'm troubleshooting an old backup script that exports and imports
> users from a Samba database using `samba-tool`.
>
> It's implemented so that passwords are exported using "samba-tool user
> getpassword {username} --attributes=unicodePwd".
> On the import side, an LDIF file is created in the following format:
> ```
> dn: CN={username},OU=Users,DC=example,DC=com
> changetype: modify
> replace: unicodePwd
> unicodePwd:: {unicodePwd_string_here}
> ```
> This file is then applied using `ldbmodify -H
> /var/lib/samba/private/sam.ldb
> --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0`.
>
> However, this no longer seems to work, at least not for Kerberos. I've
> found and tried the `--pw-nt-hash` option, but it doesn't make a
> difference.
>
> After applying the password, I can "login" using "smbclient -L
> //localhost -U {username}".
> But if I try to issue a Kerberos ticket using "kinit {username}" I
> get a "kinit: Password incorrect while getting initial credentials"
> error.
>
> However, if I generate a new password string and apply it without the
> `--controls`, or set a password using "samba-tool user setpassword",
> everything works as usual.
>
> Has anything changed here during the last few years?
Yes, quite a lot.
If you follow the way that Microsoft does things, you aren't really
supposed to be able to read the contents of the unicodePwd attribute;
it is supposed to be write-only. You can read the attribute on Samba,
but what you get back isn't the password, it is a 64-bit hash of the
password.
> And what would
> be the correct way to restore a password that was previously exported
> using samba-tool?
There isn't one, not unless you know the actual plain password and you
can no longer obtain this. You can set a new password and force the
user to change it at next logon.
> Or is there any new or preferred method to create a backup of a user
> including the password?
Why would you back up a user?
You should only back up the domain, and then only use such a backup in
catastrophic cases, such as all your DCs failing at once. The correct
backup is to run multiple DCs.
Rowland