William Edwards
2024-Oct-27 14:08 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
> Op 27 okt 2024 om 14:50 heeft Rowland Penny via samba <samba at lists.samba.org> het volgende geschreven: > > ?On Sun, 27 Oct 2024 13:58:56 +0100 > William David Edwards via samba <samba at lists.samba.org> wrote: > >> Hi, >> >> I'm tying to set user's LDAP passwords using LDAP. >> >> `samba-tool user setpassword` does so by setting the write-only >> `unicodePwd` attribute, but turning it into binary and >> Base64-encoding it first: >> >> ``` >> if not isinstance(password, str): >> pw = password.decode('utf-8') >> else: >> pw = password >> pw = ('"' + pw + '"').encode('utf-16-le') >> >> setpw = """ >> dn: %s >> changetype: modify >> replace: unicodePwd >> unicodePwd:: %s >> """ % (user_dn, base64.b64encode(pw).decode('utf-8')) >> ``` >> >> When doing the same, Samba returns: >> >> 00002035: setup_io: it's not allowed to set the NT hash password >> directly' Code: 0x35 >> >> This happens both when 1) passing `unicodePwd` during entry creation, >> and 2) when modifying it for an existing entry (like `samba-tool` >> does). >> >> This is the (Wireshark-interpreted) `ModifyRequest`: >> >> ``` >> Lightweight Directory Access Protocol >> LDAPMessage modifyRequest(3) >> "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl" >> messageID: 3 >> protocolOp: modifyRequest (6) >> modifyRequest >> object: >> CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl >> modification: 1 item >> modification item >> operation: replace (2) >> modification unicodePwd >> type: unicodePwd >> vals: 1 item >> AttributeValue: >> IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA>> ``` >> >> (The Base64-encoded password was randomly generated.) >> >> The use of the word 'directly' in "Not allowed to [...] directly" >> could be interpreted as: changing `unicodePwd` non-locally is >> disallowed (although Samba can't detect that), and that is indeed not >> the case: LDAP Account Manager >> (https://ldap-account-manager.org/lamcms/) uses the same approach of >> modifying `unicodePwd`, which works on the same DC. >> >> Looking this error up, it seems like it can be caused by simply >> passing an incorrectly formatted password: >> >> - https://lists.samba.org/archive/samba/2015-December/196890.html >> - >> https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1 >> >> ... but as I'm using the code from `samba-tool`, I don't consider >> that to be likely. >> >> Finally, I tried passing a plaintext string, hoping Samba would do >> the transformation to binary + Base64 itself (although neither >> `samba-tool` nor LAM do so). As expected, that changes nothing. >> >> What am I doing wrong or misunderstanding here? > > You are missing that to change an active directory password over ldap, > you don't use ldap, you use ldaps.That?s not the issue, just tested LDAPS. I?m using LDAP for debugging purposes (no need for a MITM to look at the payload).> > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland Penny
2024-Oct-27 14:31 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On Sun, 27 Oct 2024 15:08:14 +0100 William Edwards <wedwards at cyberfusion.nl> wrote:> > > Op 27 okt 2024 om 14:50 heeft Rowland Penny via samba > > <samba at lists.samba.org> het volgende geschreven: > > > > ?On Sun, 27 Oct 2024 13:58:56 +0100 > > William David Edwards via samba <samba at lists.samba.org> wrote: > > > >> Hi, > >> > >> I'm tying to set user's LDAP passwords using LDAP. > >> > >> `samba-tool user setpassword` does so by setting the write-only > >> `unicodePwd` attribute, but turning it into binary and > >> Base64-encoding it first: > >> > >> ``` > >> if not isinstance(password, str): > >> pw = password.decode('utf-8') > >> else: > >> pw = password > >> pw = ('"' + pw + '"').encode('utf-16-le') > >> > >> setpw = """ > >> dn: %s > >> changetype: modify > >> replace: unicodePwd > >> unicodePwd:: %s > >> """ % (user_dn, base64.b64encode(pw).decode('utf-8')) > >> ``` > >> > >> When doing the same, Samba returns: > >> > >> 00002035: setup_io: it's not allowed to set the NT hash > >> password directly' Code: 0x35 > >> > >> This happens both when 1) passing `unicodePwd` during entry > >> creation, and 2) when modifying it for an existing entry (like > >> `samba-tool` does). > >> > >> This is the (Wireshark-interpreted) `ModifyRequest`: > >> > >> ``` > >> Lightweight Directory Access Protocol > >> LDAPMessage modifyRequest(3) > >> "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl" > >> messageID: 3 > >> protocolOp: modifyRequest (6) > >> modifyRequest > >> object: > >> CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl > >> modification: 1 item > >> modification item > >> operation: replace (2) > >> modification unicodePwd > >> type: unicodePwd > >> vals: 1 item > >> AttributeValue: > >> IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA> >> ``` > >> > >> (The Base64-encoded password was randomly generated.) > >> > >> The use of the word 'directly' in "Not allowed to [...] directly" > >> could be interpreted as: changing `unicodePwd` non-locally is > >> disallowed (although Samba can't detect that), and that is indeed > >> not the case: LDAP Account Manager > >> (https://ldap-account-manager.org/lamcms/) uses the same approach > >> of modifying `unicodePwd`, which works on the same DC. > >> > >> Looking this error up, it seems like it can be caused by simply > >> passing an incorrectly formatted password: > >> > >> - https://lists.samba.org/archive/samba/2015-December/196890.html > >> - > >> https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1 > >> > >> ... but as I'm using the code from `samba-tool`, I don't consider > >> that to be likely. > >> > >> Finally, I tried passing a plaintext string, hoping Samba would do > >> the transformation to binary + Base64 itself (although neither > >> `samba-tool` nor LAM do so). As expected, that changes nothing. > >> > >> What am I doing wrong or misunderstanding here? > > > > You are missing that to change an active directory password over > > ldap, you don't use ldap, you use ldaps. > > That?s not the issue, just tested LDAPS. I?m using LDAP for debugging > purposes (no need for a MITM to look at the payload). >Try reading this: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password Rowland
Seemingly Similar Threads
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"