William David Edwards
2024-Oct-27 12:58 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
Hi,

I'm trying to set users' LDAP passwords using LDAP.

`samba-tool user setpassword` does so by setting the write-only `unicodePwd` attribute, but turning it into binary and Base64-encoding it first:

```
import base64  # used by the excerpt below

if not isinstance(password, str):
    pw = password.decode('utf-8')
else:
    pw = password
pw = ('"' + pw + '"').encode('utf-16-le')

setpw = """
dn: %s
changetype: modify
replace: unicodePwd
unicodePwd:: %s
""" % (user_dn, base64.b64encode(pw).decode('utf-8'))
```

When doing the same, Samba returns:

00002035: setup_io: it's not allowed to set the NT hash password directly' Code: 0x35

This happens both when 1) passing `unicodePwd` during entry creation, and 2) when modifying it for an existing entry (like `samba-tool` does).

This is the (Wireshark-interpreted) `ModifyRequest`:

```
Lightweight Directory Access Protocol
    LDAPMessage modifyRequest(3) "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
        messageID: 3
        protocolOp: modifyRequest (6)
            modifyRequest
                object: CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
                modification: 1 item
                    modification item
                        operation: replace (2)
                        modification unicodePwd
                            type: unicodePwd
                            vals: 1 item
                                AttributeValue: IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA
```

(The Base64-encoded password was randomly generated.)

The use of the word 'directly' in "Not allowed to [...] directly" could be interpreted as: changing `unicodePwd` non-locally is disallowed (although Samba can't detect that), and that is indeed not the case: LDAP Account Manager (https://ldap-account-manager.org/lamcms/) uses the same approach of modifying `unicodePwd`, which works on the same DC.

Looking this error up, it seems like it can be caused by simply passing an incorrectly formatted password:

- https://lists.samba.org/archive/samba/2015-December/196890.html
- https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1

... but as I'm using the code from `samba-tool`, I don't consider that to be likely.

Finally, I tried passing a plaintext string, hoping Samba would do the transformation to binary + Base64 itself (although neither `samba-tool` nor LAM do so). As expected, that changes nothing.

What am I doing wrong or misunderstanding here?

William David Edwards
Rowland Penny
2024-Oct-27 13:49 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On Sun, 27 Oct 2024 13:58:56 +0100
William David Edwards via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I'm tying to set user's LDAP passwords using LDAP.
>
> `samba-tool user setpassword` does so by setting the write-only
> `unicodePwd` attribute, but turning it into binary and
> Base64-encoding it first:
>
> ```
> if not isinstance(password, str):
>     pw = password.decode('utf-8')
> else:
>     pw = password
> pw = ('"' + pw + '"').encode('utf-16-le')
>
> setpw = """
> dn: %s
> changetype: modify
> replace: unicodePwd
> unicodePwd:: %s
> """ % (user_dn, base64.b64encode(pw).decode('utf-8'))
> ```
>
> When doing the same, Samba returns:
>
> 00002035: setup_io: it's not allowed to set the NT hash password
> directly' Code: 0x35
>
> This happens both when 1) passing `unicodePwd` during entry creation,
> and 2) when modifying it for an existing entry (like `samba-tool`
> does).
>
> This is the (Wireshark-interpreted) `ModifyRequest`:
>
> ```
> Lightweight Directory Access Protocol
>     LDAPMessage modifyRequest(3)
>     "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
>         messageID: 3
>         protocolOp: modifyRequest (6)
>             modifyRequest
>                 object:
>                 CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
>                 modification: 1 item
>                     modification item
>                         operation: replace (2)
>                         modification unicodePwd
>                             type: unicodePwd
>                             vals: 1 item
>                                 AttributeValue:
> IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA
> ```
>
> (The Base64-encoded password was randomly generated.)
>
> The use of the word 'directly' in "Not allowed to [...] directly"
> could be interpreted as: changing `unicodePwd` non-locally is
> disallowed (although Samba can't detect that), and that is indeed not
> the case: LDAP Account Manager
> (https://ldap-account-manager.org/lamcms/) uses the same approach of
> modifying `unicodePwd`, which works on the same DC.
>
> Looking this error up, it seems like it can be caused by simply
> passing an incorrectly formatted password:
>
> - https://lists.samba.org/archive/samba/2015-December/196890.html
> - https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
>
> ... but as I'm using the code from `samba-tool`, I don't consider
> that to be likely.
>
> Finally, I tried passing a plaintext string, hoping Samba would do
> the transformation to binary + Base64 itself (although neither
> `samba-tool` nor LAM do so). As expected, that changes nothing.
>
> What am I doing wrong or misunderstanding here?

You are missing that to change an active directory password over ldap, you don't use ldap, you use ldaps.

Rowland
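Worked example, added here as an illustration and not code from the thread, from samba-tool or from LAM: it reproduces the value encoding that samba-tool performs (quote the password, encode UTF-16-LE, base64 only for the LDIF `::` syntax), adds the inverse so a client can sanity-check a value before sending it, decodes the base64 value from the Wireshark capture in the original post to confirm it is correctly quoted, and then does the replace over LDAPS as Rowland describes. The LDAPS part assumes the third-party `ldap3` library; the hostname, bind DN, CA file and the `Secret1!` sample password are placeholders, not values from the thread.

```python
import base64
import ssl

# The AttributeValue pasted from the Wireshark ModifyRequest in the original
# post.  The archive copy lacks its trailing base64 padding, which
# decode_captured_value() restores before decoding.
CAPTURED_VALUE = "IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA"


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a cleartext password the way samba-tool does: wrap it in double
    quotes and encode as UTF-16-LE.  These raw bytes are the attribute value
    that goes on the wire; base64 appears only in LDIF ('unicodePwd::')."""
    return ('"' + password + '"').encode('utf-16-le')


def is_quoted_utf16(value: bytes) -> bool:
    """True if value is an even-length UTF-16-LE string that starts and ends
    with a double quote, i.e. the cleartext form the DC expects.  An unquoted
    value is what Samba's error message calls setting the NT hash directly."""
    return (len(value) >= 4 and len(value) % 2 == 0
            and value[:2] == b'"\x00' and value[-2:] == b'"\x00')


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; raises ValueError on a malformed value."""
    if not is_quoted_utf16(value):
        raise ValueError("unicodePwd value is not quoted UTF-16-LE text")
    return value[2:-2].decode('utf-16-le')


def decode_captured_value(b64: str) -> str:
    """Decode a 'unicodePwd::' base64 value (padding optional) back to the
    cleartext password it carries."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return decode_unicode_pwd(raw)


def build_ldif(user_dn: str, password: str) -> str:
    """The modify LDIF samba-tool builds; base64 because the value is binary."""
    b64 = base64.b64encode(encode_unicode_pwd(password)).decode('ascii')
    return (f"dn: {user_dn}\n"
            "changetype: modify\n"
            "replace: unicodePwd\n"
            f"unicodePwd:: {b64}\n")


def set_password_over_ldaps(host: str, bind_dn: str, bind_password: str,
                            user_dn: str, new_password: str, ca_file: str) -> None:
    """Replace unicodePwd over LDAPS (port 636) with the server certificate
    verified against ca_file.  Assumes the ldap3 library is installed."""
    from ldap3 import Server, Connection, Tls, MODIFY_REPLACE, SIMPLE

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=bind_dn, password=bind_password,
                      authentication=SIMPLE, auto_bind=True)
    # Pass the raw bytes here, not the base64 string: base64 is LDIF syntax.
    ok = conn.modify(user_dn, {'unicodePwd': [(MODIFY_REPLACE,
                                               [encode_unicode_pwd(new_password)])]})
    if not ok:
        raise RuntimeError(f"modify failed: {conn.result}")
    conn.unbind()


if __name__ == "__main__":
    dn = "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
    print(build_ldif(dn, "Secret1!"))
    pw = decode_captured_value(CAPTURED_VALUE)
    print("captured value is correctly quoted; password length:", len(pw))
    # Placeholder connection details; a real DC, bind DN and CA file are needed.
    # set_password_over_ldaps("dc.ldaptest.nl", "CN=Administrator,CN=Users,DC=ldaptest,DC=nl",
    #                         "admin-password", dn, "Secret1!", "/etc/ssl/certs/ldaptest-ca.pem")
```

Decoding the captured value shows a 32-character password wrapped in the expected quotes (it happens to contain control characters such as U+0011 and U+0008, which is fine for the encoding), so the framing is not the problem, consistent with the transport being the issue. The certificate check is deliberate: the whole point of LDAPS here is that the cleartext password crosses the network only inside TLS, and `validate=ssl.CERT_REQUIRED` with the DC's CA prevents a man-in-the-middle from terminating that TLS session.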