samba - Aug 2017 - retrieve machine password in current Samba?

We have a wireless network that uses 802.1x authentication, in which domain
joined computers use their machine credentials to connect.


Windows machines do this automatically, and until recently Linux computers could
join using wicd, wpa-supplicant, and a simple script that would retrieve the
machine password with tdbdump.


( specifically tdbdump -k SECRETS/MACHINE_PASSWORD/DOMAIN
/var/lib/samba/private/secrets.tdb )


On older machines running Samba 4.2 (Debian Jessie) tdbdump gives a working
password such as this:


]f2>lOR4NA~hbv\00  where the actual password is  ]f2>lOR4NA~hbv


On newer machines running Samba 4.5 (Debian Stretch) tdbdump gives an encrypted
password such as this:


\EE\A9\8D\EF\AD\AC\E2\A1\9D\E2\A0\8C\E3\96\8E\E7\B0\A8\EE\97\AA\E2\8E\9F\E2\A2\8F\EB\85\BF\EE\B7\8B\EA\A7\A9\EA\97\B8\D2\86\E6\83\AB\EE\82\AA\E3\A9\BB\E3\8A\8D\E2\86\9B\E2\8C\92\E6\8C\A6\EA\85\A5\E6\8F\82\EF\96\94\EF\9C\82\E7\8D\B3\E7\8F\93\E7\B8\AA\E7\A7\B7\EE\88\96\E2\A3\9B\EB\AA\B0\E6\B6\A7\EF\B6\B7\EA\A2\AD\EF\A8\88\EA\BB\B6\EE\A4\9A\E3\99\A6\EE\93\96\E2\BD\84\EB\95\93\E3\87\A2\E2\9D\98\EE\BE\8A\E6\8F\A2\EF\AE\91\EB\B5\AA\E7\A5\AF\E7\A4\A6\CD\A5\EF\80\9A\E3\AC\A9\E6\95\9E\E3\A9\BE\EE\94\82\EA\BF\94\E2\B7\8E\E2\94\96\EF\9B\BB\EA\A4\BB\E2\8B\9A\E6\B7\9C\E6\97\B7\E3\8C\BF\E3\98\9A\EA\88\89\E3\94\91\E7\88\83\E7\95\A3\EE\B6\93\EB\A2\9F\E3\94\85\EF\97\8E\E3\BE\8B\EB\BF\8A\E7\BB\8D\E7\A5\95\EB\89\83\E3\8F\A7\EA\8B\9C\EA\BA\BD\E3\BA\B5\E2\B7\BC\E7\B4\8A\EA\83\97\EB\89\8B\EE\9B\91\E2\BA\9D\EE\AC\B4\E3\A5\84\EE\A0\A1\EE\B0\A7\EF\90\AC\EF\8F\8C\E3\AB\A5\E6\96\81\E7\A6\83\EA\80\BB\E2\B9\8B\E6\B2\9F\EF\91\8E\C7\AA\E7\AB\B0\EB\A6\B7\E7\BB\B4\E6\AA\87\E2\B1\94\E2\A2\90\E7\93\BC\EE\AD\AF\E7\89\A1\E6\BA\BC\EB\85\92\EA\A2\97\EF\82\9B\E3\A4\B8\EF\AE\9B\EE\86\9B\EB\82\80\EB\99\9C\E2\A5\AB\EB\A7\8E\EA\89\89\EA\8E\B6\E3\A7\95\E7\B5\A0\E7\BF\B9>\EB\AC\8A\E3\8E\A4\E7\90\98\EA\92\B0\EF\8C\9A\E3\B4\BE\EE\8A\A5\E6\87\B0\E7\BE\90\EF\8F\95\EE\92\88\EB\88\88\E3\B2\BB\E6\97\B7\E3\98\A8\EB\A3\BD\EF\83\AA\EE\B6\B4\E2\A3\B6\E6\8C\8C\EB\83\BD\EF\A1\A8\EB\8A\A7\E3\89\92\E2\86\93\EA\BD\84\E6\83\A4\E2\B8\B5\EA\9A\A2\EB\8B\BE\EE\B5\B5\EB\9D\A3\EF\82\AF\E6\B2\A8\E3\AB\BB\EE\A6\8A\E6\A5\81\E6\A8\B3\D0\97\E6\82\8D\EE\B7\B6\EB\87\9E\EA\AE\BF\EE\A8\8D\EB\9F\8C\EA\A8\AD\EF\B8\9E\EE\BC\85\E6\AD\A1\E7\92\9D\E3\AC\9F\D9\BD\E6\BB\B1\EA\AE\AD\E3\BC\AB\CF\92\E2\8A\8D\E6\AE\8C\00


This second "password" isn't usable by wicd.


The Samba wiki still refers to getting the current machine password from
secrets.tdb:  https://wiki.samba.org/index.php/Keytab_Extraction  That wiki link
is about generating keytabs but the process used to retrieve the password is
just like the one I was using.


Is there a currently supported method for retrieving the machine password in a
form that's usable by external scripts such as wicd?


Thanks!


James

On Fri, Aug 25, 2017 at 10:06:59PM +0000, James Zuelow via samba
wrote:
> We have a wireless network that uses 802.1x authentication, in which domain
joined computers use their machine credentials to connect.
> 
> 
> Windows machines do this automatically, and until recently Linux computers
could join using wicd, wpa-supplicant, and a simple script that would retrieve
the machine password with tdbdump.
> 
> 
> ( specifically tdbdump -k SECRETS/MACHINE_PASSWORD/DOMAIN
/var/lib/samba/private/secrets.tdb )
> 
> 
> On older machines running Samba 4.2 (Debian Jessie) tdbdump gives a working
password such as this:
> 
> 
> ]f2>lOR4NA~hbv\00  where the actual password is  ]f2>lOR4NA~hbv
> 
> 
> On newer machines running Samba 4.5 (Debian Stretch) tdbdump gives an
encrypted password such as this:
> 
> 
>
\EE\A9\8D\EF\AD\AC\E2\A1\9D\E2\A0\8C\E3\96\8E\E7\B0\A8\EE\97\AA\E2\8E\9F\E2\A2\8F\EB\85\BF\EE\B7\8B\EA\A7\A9\EA\97\B8\D2\86\E6\83\AB\EE\82\AA\E3\A9\BB\E3\8A\8D\E2\86\9B\E2\8C\92\E6\8C\A6\EA\85\A5\E6\8F\82\EF\96\94\EF\9C\82\E7\8D\B3\E7\8F\93\E7\B8\AA\E7\A7\B7\EE\88\96\E2\A3\9B\EB\AA\B0\E6\B6\A7\EF\B6\B7\EA\A2\AD\EF\A8\88\EA\BB\B6\EE\A4\9A\E3\99\A6\EE\93\96\E2\BD\84\EB\95\93\E3\87\A2\E2\9D\98\EE\BE\8A\E6\8F\A2\EF\AE\91\EB\B5\AA\E7\A5\AF\E7\A4\A6\CD\A5\EF\80\9A\E3\AC\A9\E6\95\9E\E3\A9\BE\EE\94\82\EA\BF\94\E2\B7\8E\E2\94\96\EF\9B\BB\EA\A4\BB\E2\8B\9A\E6\B7\9C\E6\97\B7\E3\8C\BF\E3\98\9A\EA\88\89\E3\94\91\E7\88\83\E7\95\A3\EE\B6\93\EB\A2\9F\E3\94\85\EF\97\8E\E3\BE\8B\EB\BF\8A\E7\BB\8D\E7\A5\95\EB\89\83\E3\8F\A7\EA\8B\9C\EA\BA\BD\E3\BA\B5\E2\B7\BC\E7\B4\8A\EA\83\97\EB\89\8B\EE\9B\91\E2\BA\9D\EE\AC\B4\E3\A5\84\EE\A0\A1\EE\B0\A7\EF\90\AC\EF\8F\8C\E3\AB\A5\E6\96\81\E7\A6\83\EA\80\BB\E2\B9\8B\E6\B2\9F\EF\91\8E\C7\AA\E7\AB\B0\EB\A6\B7\E7\BB\B4\E6\AA\87\E2\B1\94\E2\A2\90\E7\93\BC\EE\AD\AF\E7\89\A1\E6\BA\BC\EB\85\92\EA\A2\97\EF\82\9B\E3\A4\B8\EF\AE\9B\EE\86\9B\EB\82\80\EB\99\9C\E2\A5\AB\EB\A7\8E\EA\89\89\EA\8E\B6\E3\A7\95\E7\B5\A0\E7\BF\B9>\EB\AC\8A\E3\8E\A4\E7\90\98\EA\92\B0\EF\8C\9A\E3\B4\BE\EE\8A\A5\E6\87\B0\E7\BE\90\EF\8F\95\EE\92\88\EB\88\88\E3\B2\BB\E6\97\B7\E3\98\A8\EB\A3\BD\EF\83\AA\EE\B6\B4\E2\A3\B6\E6\8C\8C\EB\83\BD\EF\A1\A8\EB\8A\A7\E3\89\92\E2\86\93\EA\BD\84\E6\83\A4\E2\B8\B5\EA\9A\A2\EB\8B\BE\EE\B5\B5\EB\9D\A3\EF\82\AF\E6\B2\A8\E3\AB\BB\EE\A6\8A\E6\A5\81\E6\A8\B3\D0\97\E6\82\8D\EE\B7\B6\EB\87\9E\EA\AE\BF\EE\A8\8D\EB\9F\8C\EA\A8\AD\EF\B8\9E\EE\BC\85\E6\AD\A1\E7\92\9D\E3\AC\9F\D9\BD\E6\BB\B1\EA\AE\AD\E3\BC\AB\CF\92\E2\8A\8D\E6\AE\8C\00
> 
> 
> This second "password" isn't usable by wicd.
> 
> 
> The Samba wiki still refers to getting the current machine password from
secrets.tdb:  https://wiki.samba.org/index.php/Keytab_Extraction  That wiki link
is about generating keytabs but the process used to retrieve the password is
just like the one I was using.
> 
> 
> Is there a currently supported method for retrieving the machine password
in a form that's usable by external scripts such as wicd?
Looking at the code I think it's now returning the plaintext password,
whereas previously it only stored the password hash. You'll have to hash
to make it useful by wicd it seems (I'm guessing wicd expects the hash,
not the plaintext).

> -----Original Message-----
> From: Jeremy Allison [mailto:jra at samba.org]
> Sent: Friday, August 25, 2017 3:48 PM
> Looking at the code I think it's now returning the plaintext password,
whereas
> previously it only stored the password hash. You'll have to hash to
make it
> useful by wicd it seems (I'm guessing wicd expects the hash, not the
plaintext).
OK.

I guess I had that backwards.  I thought that the new version
(\EE\A9\8D\EF\AD\AC...) was giving me an encrypted (or hashed I guess) value,
and the old version ( ]f2>lOR4NA~hbv ) was the plaintext password.

I'll see if I can't translate that over somehow.  

Thank you!

James