William Edwards
2024-Oct-27 14:08 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
> On 27 Oct 2024 at 14:50, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sun, 27 Oct 2024 13:58:56 +0100
> William David Edwards via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I'm trying to set users' LDAP passwords using LDAP.
>>
>> `samba-tool user setpassword` does so by setting the write-only
>> `unicodePwd` attribute, but turning it into binary and
>> Base64-encoding it first:
>>
>> ```
>> if not isinstance(password, str):
>>     pw = password.decode('utf-8')
>> else:
>>     pw = password
>> pw = ('"' + pw + '"').encode('utf-16-le')
>>
>> setpw = """
>> dn: %s
>> changetype: modify
>> replace: unicodePwd
>> unicodePwd:: %s
>> """ % (user_dn, base64.b64encode(pw).decode('utf-8'))
>> ```
>>
>> When doing the same, Samba returns:
>>
>> 00002035: setup_io: it's not allowed to set the NT hash password
>> directly' Code: 0x35
>>
>> This happens both when 1) passing `unicodePwd` during entry creation,
>> and 2) when modifying it for an existing entry (like `samba-tool`
>> does).
>>
>> This is the (Wireshark-interpreted) `ModifyRequest`:
>>
>> ```
>> Lightweight Directory Access Protocol
>>     LDAPMessage modifyRequest(3)
>>         "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
>>         messageID: 3
>>         protocolOp: modifyRequest (6)
>>             modifyRequest
>>                 object:
>>                     CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
>>                 modification: 1 item
>>                     modification item
>>                         operation: replace (2)
>>                         modification unicodePwd
>>                             type: unicodePwd
>>                             vals: 1 item
>>                                 AttributeValue:
>>                                     IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA
>> ```
>>
>> (The Base64-encoded password was randomly generated.)
>>
>> The use of the word 'directly' in "Not allowed to [...] directly"
>> could be interpreted as: changing `unicodePwd` non-locally is
>> disallowed (although Samba can't detect that), and that is indeed not
>> the case: LDAP Account Manager
>> (https://ldap-account-manager.org/lamcms/) uses the same approach of
>> modifying `unicodePwd`, which works on the same DC.
>>
>> Looking this error up, it seems like it can be caused by simply
>> passing an incorrectly formatted password:
>>
>> - https://lists.samba.org/archive/samba/2015-December/196890.html
>> - https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
>>
>> ... but as I'm using the code from `samba-tool`, I don't consider
>> that to be likely.
>>
>> Finally, I tried passing a plaintext string, hoping Samba would do
>> the transformation to binary + Base64 itself (although neither
>> `samba-tool` nor LAM do so). As expected, that changes nothing.
>>
>> What am I doing wrong or misunderstanding here?
>
> You are missing that to change an active directory password over ldap,
> you don't use ldap, you use ldaps.

That's not the issue, just tested LDAPS. I'm using LDAP for debugging purposes (no need for a MITM to look at the payload).

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
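The encoding step that `samba-tool` performs, as an added example that is not the list's, Samba's or the poster's own code: it reproduces the quote + UTF-16-LE + Base64 transformation, checks whether a raw attribute value has the quoted-UTF-16 shape that transformation produces, and decodes the value captured in the ModifyRequest quoted above (the capture as quoted lacks trailing Base64 padding, so the decoder restores it). Function names are this example's own.

```python
import base64

# Value from the Wireshark-decoded ModifyRequest quoted in the thread.
CAPTURED_B64 = ("IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAt"
                "AGYAXAA4ADoADgBcAEsAKwBGAFoAIgA")


def encode_unicode_pwd(password: str) -> bytes:
    """Wrap the cleartext in double quotes and encode it as UTF-16-LE,
    the same transformation samba-tool applies before Base64-encoding."""
    return ('"' + password + '"').encode('utf-16-le')


def to_ldif_value(password: str) -> str:
    """Base64 text usable after the `unicodePwd::` LDIF syntax."""
    return base64.b64encode(encode_unicode_pwd(password)).decode('ascii')


def is_quoted_utf16(value: bytes) -> bool:
    """True if value looks like a quoted UTF-16-LE string: even length,
    at least the two quote code units, and '"' (0x22 0x00) at both ends.
    A bare 16-byte value, for instance, does not have this shape."""
    return (len(value) >= 4 and len(value) % 2 == 0
            and value[:2] == b'"\x00' and value[-2:] == b'"\x00')


def decode_unicode_pwd(value: bytes) -> str:
    """Strip the surrounding quotes and decode the UTF-16-LE cleartext."""
    if not is_quoted_utf16(value):
        raise ValueError("value is not a quoted UTF-16-LE string")
    return value[2:-2].decode('utf-16-le')


def decode_wire_value(b64: str) -> str:
    """Decode a Base64 value as printed by Wireshark; padding may be missing."""
    raw = base64.b64decode(b64 + '=' * (-len(b64) % 4))
    return decode_unicode_pwd(raw)


if __name__ == "__main__":
    print(to_ldif_value("ab"))            # IgBhAGIAIgA=
    pw = decode_wire_value(CAPTURED_B64)  # well-formed quoted string, 32 chars
    print(len(pw), repr(pw))
```

Running it shows the captured value decodes to a well-formed 32-character quoted string (containing control characters and an embedded double quote from the random generator), so the Base64 and UTF-16 wrapping in the capture match what `samba-tool` produces.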
Rowland Penny
2024-Oct-27 14:31 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On Sun, 27 Oct 2024 15:08:14 +0100
William Edwards <wedwards at cyberfusion.nl> wrote:

>
> > On 27 Oct 2024 at 14:50, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > On Sun, 27 Oct 2024 13:58:56 +0100
> > William David Edwards via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> I'm trying to set users' LDAP passwords using LDAP.
> >>
> >> `samba-tool user setpassword` does so by setting the write-only
> >> `unicodePwd` attribute, but turning it into binary and
> >> Base64-encoding it first:
> >>
> >> ```
> >> if not isinstance(password, str):
> >>     pw = password.decode('utf-8')
> >> else:
> >>     pw = password
> >> pw = ('"' + pw + '"').encode('utf-16-le')
> >>
> >> setpw = """
> >> dn: %s
> >> changetype: modify
> >> replace: unicodePwd
> >> unicodePwd:: %s
> >> """ % (user_dn, base64.b64encode(pw).decode('utf-8'))
> >> ```
> >>
> >> When doing the same, Samba returns:
> >>
> >> 00002035: setup_io: it's not allowed to set the NT hash
> >> password directly' Code: 0x35
> >>
> >> This happens both when 1) passing `unicodePwd` during entry
> >> creation, and 2) when modifying it for an existing entry (like
> >> `samba-tool` does).
> >>
> >> This is the (Wireshark-interpreted) `ModifyRequest`:
> >>
> >> ```
> >> Lightweight Directory Access Protocol
> >>     LDAPMessage modifyRequest(3)
> >>         "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
> >>         messageID: 3
> >>         protocolOp: modifyRequest (6)
> >>             modifyRequest
> >>                 object:
> >>                     CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
> >>                 modification: 1 item
> >>                     modification item
> >>                         operation: replace (2)
> >>                         modification unicodePwd
> >>                             type: unicodePwd
> >>                             vals: 1 item
> >>                                 AttributeValue:
> >>                                     IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA
> >> ```
> >>
> >> (The Base64-encoded password was randomly generated.)
> >>
> >> The use of the word 'directly' in "Not allowed to [...] directly"
> >> could be interpreted as: changing `unicodePwd` non-locally is
> >> disallowed (although Samba can't detect that), and that is indeed
> >> not the case: LDAP Account Manager
> >> (https://ldap-account-manager.org/lamcms/) uses the same approach
> >> of modifying `unicodePwd`, which works on the same DC.
> >>
> >> Looking this error up, it seems like it can be caused by simply
> >> passing an incorrectly formatted password:
> >>
> >> - https://lists.samba.org/archive/samba/2015-December/196890.html
> >> - https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
> >>
> >> ... but as I'm using the code from `samba-tool`, I don't consider
> >> that to be likely.
> >>
> >> Finally, I tried passing a plaintext string, hoping Samba would do
> >> the transformation to binary + Base64 itself (although neither
> >> `samba-tool` nor LAM do so). As expected, that changes nothing.
> >>
> >> What am I doing wrong or misunderstanding here?
> >
> > You are missing that to change an active directory password over
> > ldap, you don't use ldap, you use ldaps.
>
> That's not the issue, just tested LDAPS. I'm using LDAP for debugging
> purposes (no need for a MITM to look at the payload).
>

Try reading this:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password

Rowland