Hi Rowland, all,

On 10/9/19 9:11 AM, Rowland penny via samba wrote:
> You could run something like this on a Samba AD DC:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectclass=user)(samaccountname=rowland))' unicodePwd
>
> This will get you a user's password, you just need to run it through the reverse of what I posted earlier to see the actual user's password.

Out of curiosity I tried that, and wrote the following little bash script:

> PASSWORD="zKY\.Jp4jdiJ\_"
> UNICODEPW_GENERATED="$(echo -n "$PASSWORD" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)"
> PASSWORD_DECODED_FROM_UNICODEPW="$(echo -n $UNICODEPW_GENERATED | base64 -d -w 0 | iconv -t UTF-8 -f UTF-16LE)"
>
> echo "Password: $PASSWORD"
> echo "Generated unicodePwd: $UNICODEPW_GENERATED"
> echo "Decoded password: $PASSWORD_DECODED_FROM_UNICODEPW"

This gives normal-looking output:

> Password: zKY\.Jp4jdiJ\_
> Generated unicodePwd: egBLAFkAXAAuAEoAcAA0AGoAZABpAEoAXABfAA==
> Decoded password: zKY\.Jp4jdiJ\_

HOWEVER: the AD unicodePwd field for this test user with that password (set with samba-tool) is something different:

> ~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=testsamba,dc=company,dc=com' -s sub '(&(objectclass=user)(samaccountname=test))' unicodePwd
> # record 1
> dn: CN=ted t. test,CN=Users,DC=testsamba,DC=company,DC=com
> unicodePwd:: eD1jkPHBRopHzc00qaK6fw==

so the actual unicodePwd field in AD is not what the script generated. I tried various users, and confirmed that the AD unicodePwd actually works by logging in as my test users.

So... I am wondering what is wrong in my testing/logic..?

Thanks for the interesting discussion!

MJ
On 10/10/2019 12:55, mj via samba wrote:
> Hi Rowland, all,
>
> On 10/9/19 9:11 AM, Rowland penny via samba wrote:
>> You could run something like this on a Samba AD DC:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectclass=user)(samaccountname=rowland))' unicodePwd
>>
>> This will get you a user's password, you just need to run it through the reverse of what I posted earlier to see the actual user's password.
>
> Out of curiosity I tried that, and wrote the following little bash script:
>
>> PASSWORD="zKY\.Jp4jdiJ\_"
>> UNICODEPW_GENERATED="$(echo -n "$PASSWORD" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)"

I posted:

UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)

Believe it or not, the two escaped double quotes are a must, they become part of the password, AD expects them.

Rowland
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny via samba
> Sent: Thursday, 10 October 2019 14:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] user password hash
>
> On 10/10/2019 12:55, mj via samba wrote:
> > Hi Rowland, all,
> >
> > On 10/9/19 9:11 AM, Rowland penny via samba wrote:
> >> You could run something like this on a Samba AD DC:
> >>
> >> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectclass=user)(samaccountname=rowland))' unicodePwd
> >>
> >> This will get you a user's password, you just need to run it through the reverse of what I posted earlier to see the actual user's password.
> >
> > Out of curiosity I tried that, and wrote the following little bash script:
> >
> >> PASSWORD="zKY\.Jp4jdiJ\_"
> >> UNICODEPW_GENERATED="$(echo -n "$PASSWORD" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)"
>
> I posted:
>
> UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
>
> Believe it or not, the two escaped double quotes are a must, they become part of the password, AD expects them.

... That I did not know either.

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland,

Can you test this:

echo -n $(ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=CHANGE_BASE' -s sub '(&(objectclass=user)(samaccountname=CHANGE_USERNAME))' unicodePwd | grep unicode | awk '{ print $NF }') | base64 -d -w 0 | iconv -t UTF-8 -f UTF-16LE

The results are Chinese characters. But if I put it in the example you showed, it shows the correct things.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van Belle via samba
> Sent: Thursday, 10 October 2019 14:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] user password hash
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny via samba
> > Sent: Thursday, 10 October 2019 14:42
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] user password hash
> >
> > On 10/10/2019 12:55, mj via samba wrote:
> > > Hi Rowland, all,
> > >
> > > On 10/9/19 9:11 AM, Rowland penny via samba wrote:
> > >> You could run something like this on a Samba AD DC:
> > >>
> > >> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectclass=user)(samaccountname=rowland))' unicodePwd
> > >>
> > >> This will get you a user's password, you just need to run it through the reverse of what I posted earlier to see the actual user's password.
> > >
> > > Out of curiosity I tried that, and wrote the following little bash script:
> > >
> > >> PASSWORD="zKY\.Jp4jdiJ\_"
> > >> UNICODEPW_GENERATED="$(echo -n "$PASSWORD" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)"
> >
> > I posted:
> >
> > UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
> >
> > Believe it or not, the two escaped double quotes are a must, they become part of the password, AD expects them.
>
> ... That I did not know either.
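The two values being compared in this thread are not the same kind of thing, and that is what the script in the first message and the `base64 -d | iconv` pipeline above are tripping over. The value an LDAP client must *send* to change `unicodePwd` is the password wrapped in literal double quotes and encoded as UTF-16LE (Rowland's `"\"$PASSWORD\""`); the value `ldbsearch` *reads back* from `sam.ldb` is the 16-byte NT hash, i.e. MD4 over the UTF-16LE password without quotes. `eD1jkPHBRopHzc00qaK6fw==` decodes to exactly 16 bytes, and feeding 16 hash bytes through a UTF-16LE decoder yields eight arbitrary code units, which is why the output looks like CJK text (it can even fail outright on an unpaired surrogate). The following Python is an added example written for this page; it is not code from the thread or from Samba. The function names (`unicodepwd_ldap_value`, `password_from_ldap_value`, `nt_hash`, `describe_stored_value`) are my own, the base64 samples are the two values quoted in the thread, and the pure-Python MD4 fallback is there because `hashlib` on OpenSSL 3 refuses MD4 unless the legacy provider is loaded.

```python
"""Added example (not from the samba thread or from Samba): what an LDAP
client sends in unicodePwd versus what sam.ldb stores for the same user."""
import base64
import hashlib
import struct


def _md4_pure(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used only when OpenSSL has MD4 disabled."""
    M = 0xFFFFFFFF

    def rotl(x, s):
        return ((x << s) | (x >> (32 - s))) & M

    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: X[0..15] in order
            a = rotl((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: X[0,4,8,12,1,5,9,13,...]
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: X[0,8,4,12,2,10,6,14,...]
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:  # OpenSSL 3 without the legacy provider
        return _md4_pure(data)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password: no quotes, no terminator."""
    return md4(password.encode("utf-16-le"))


def unicodepwd_ldap_value(password: str) -> str:
    """What an LDAP modify must carry: '"password"' in UTF-16LE, base64 for LDIF '::'."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def _b64decode_lenient(b64: str) -> bytes:
    b64 = b64.strip()
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped '=' padding


def password_from_ldap_value(b64: str) -> str:
    """Reverse of unicodepwd_ldap_value: strip the mandatory surrounding quotes."""
    text = _b64decode_lenient(b64).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted unicodePwd value")
    return text[1:-1]


def describe_stored_value(b64: str) -> str:
    """Classify a base64 unicodePwd: 'nt-hash' (16 bytes, what sam.ldb holds),
    'quoted-utf16' (the LDAP write form), 'utf16' (unquoted text), or 'unknown'."""
    raw = _b64decode_lenient(b64)
    if len(raw) == 16:
        return "nt-hash"
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return "unknown"
    return "quoted-utf16" if text.startswith('"') and text.endswith('"') else "utf16"


if __name__ == "__main__":
    pw = r"zKY\.Jp4jdiJ\_"  # the password from the first message
    print("LDAP write value :", unicodepwd_ldap_value(pw))
    print("round trip       :", password_from_ldap_value(unicodepwd_ldap_value(pw)))
    print("NT hash of it    :", nt_hash(pw).hex())
    stored = "eD1jkPHBRopHzc00qaK6fw=="  # what ldbsearch returned in the thread
    print("stored value is  :", describe_stored_value(stored))
    # This is the "Chinese characters" effect: 16 hash bytes read as 8 UTF-16 code units.
    print("stored as UTF-16 :", _b64decode_lenient(stored).decode("utf-16-le", errors="replace"))
```

Two practical notes. `base64 -d | iconv -f UTF-16LE` on the stored value can only ever produce garbage because MD4 is one-way; the reverse of Rowland's encoding only applies to the value you would send in an LDAP modify, never to what is read back. And the 16 bytes that do come back are password-equivalent for NTLM authentication, so a `sam.ldb` dump, or a base64 `unicodePwd` line pasted into a mailing list, should be treated as the credential itself (the hash shown above is from a throwaway test user, which is the only reason it is reproduced here).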
> >
> > Rowland