samba - Jan 2023 - Directly setting unicodePwd - better type of hash?

Hi,

we sync our password from other system by directly setting unicodePwd in samba
database file. We would like to drop the insecure hash stored in other system
and replace it with something newer and more robust.

Documentation on page
https://samba.tranquil.it/doc/en/samba_fundamentals/about_password_hash.html#propagating-a-password-change-from-samba-ad-to-an-openldap
says "It is now possible to have new types of hashes generated when a user
changes their password, such as crypt-ssha256 or crypt-ssha512", but I
haven't found much info for this.

Is it possible set different kind of hash in samba's database? What would
that look like? Something like '{SSHA512}XXXXXXX/XXX' (simillar to
ldap)?

Thanks

Does anyone know how to completely remove the Computer SID of a Demoted 
DC? As in, another DC has taken it's place, the system is down and 
offline, but if it rejoins, it will not get the SID entry it had before?

On 05/01/2023 10:13, Edward Graham via samba wrote:
> Hi,
> 
> we sync our password from other system by directly setting unicodePwd in
samba database file. We would like to drop the insecure hash stored in other
system and replace it with something newer and more robust.
> 
> Documentation on page
https://samba.tranquil.it/doc/en/samba_fundamentals/about_password_hash.html#propagating-a-password-change-from-samba-ad-to-an-openldap
says "It is now possible to have new types of hashes generated when a user
changes their password, such as crypt-ssha256 or crypt-ssha512", but I
haven't found much info for this.
> 
> Is it possible set different kind of hash in samba's database? What
would that look like? Something like '{SSHA512}XXXXXXX/XXX' (simillar to
ldap)?
> 
> Thanks
> 
Sorry, but you are supposed to sync from AD to other systems, I do not 
think it will work the other way around.

Tranqui-it provides a script to sync passwords, have a search on their site.

Rowland

On Thu, 2023-01-05 at 10:13 +0000, Edward Graham via samba
wrote:
> Hi,
> 
> we sync our password from other system by directly setting unicodePwd
> in samba database file. We would like to drop the insecure hash
> stored in other system and replace it with something newer and more
> robust.
> 
> Documentation on page 
>
https://samba.tranquil.it/doc/en/samba_fundamentals/about_password_hash.html#propagating-a-password-change-from-samba-ad-to-an-openldap
>   says "It is now possible to have new types of hashes generated when
> a user changes their password, such as crypt-ssha256 or crypt-
> ssha512", but I haven't found much info for this.
> 
> Is it possible set different kind of hash in samba's database? What
> would that look like? Something like '{SSHA512}XXXXXXX/XXX'
(simillar
> to ldap)?
> 
> Thanks
Currently we can't directly set only the crypt() based passwords. The
authentication maths would only work for LDAP Simple binds if we did.

I do think that would be a useful feature, Samba is not only to support
Windows Kerberos clients, some may wish to use it simply as a easy-to-
set-up LDAP target for example, given all our useful tools around
password policy and quality etc.

It certainly would be a really useful migration tool, from (say)
OpenLDAP (and on first LDAP bind we could fill in the other hashes).

What we have finally got as a feature is the ability to not store the
NT hash, which is very weak, for user accounts.  Naturally this breaks
NTLM authentication, but for some use cases this is quite fine.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst.Net Limited

Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source
Solutions