William David Edwards
2024-Oct-27 18:58 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
Kees van Vloten via samba wrote on 2024-10-27 15:37:
> On 27-10-2024 at 15:31, Rowland Penny via samba wrote:
>> On Sun, 27 Oct 2024 15:08:14 +0100
>> William Edwards <wedwards at cyberfusion.nl> wrote:
>>
>>>> On 27 Oct 2024 at 14:50, Rowland Penny via samba
>>>> <samba at lists.samba.org> wrote the following:
>>>>
>>>> On Sun, 27 Oct 2024 13:58:56 +0100
>>>> William David Edwards via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to set users' LDAP passwords using LDAP.
>>>>>
>>>>> `samba-tool user setpassword` does so by setting the write-only
>>>>> `unicodePwd` attribute, but turning it into binary and
>>>>> Base64-encoding it first:
>>>>>
>>>>> ```
>>>>> if not isinstance(password, str):
>>>>>     pw = password.decode('utf-8')
>>>>> else:
>>>>>     pw = password
>>>>> pw = ('"' + pw + '"').encode('utf-16-le')
>>>>>
>>>>> setpw = """
>>>>> dn: %s
>>>>> changetype: modify
>>>>> replace: unicodePwd
>>>>> unicodePwd:: %s
>>>>> """ % (user_dn, base64.b64encode(pw).decode('utf-8'))
>>>>> ```
>>>>>
>>>>> When doing the same, Samba returns:
>>>>>
>>>>>     00002035: setup_io: it's not allowed to set the NT hash
>>>>>     password directly' Code: 0x35
>>>>>
>>>>> This happens both when 1) passing `unicodePwd` during entry
>>>>> creation, and 2) when modifying it for an existing entry (like
>>>>> `samba-tool` does).
>>>>>
>>>>> This is the (Wireshark-interpreted) `ModifyRequest`:
>>>>>
>>>>> ```
>>>>> Lightweight Directory Access Protocol
>>>>>     LDAPMessage modifyRequest(3) "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
>>>>>         messageID: 3
>>>>>         protocolOp: modifyRequest (6)
>>>>>             modifyRequest
>>>>>                 object: CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
>>>>>                 modification: 1 item
>>>>>                     modification item
>>>>>                         operation: replace (2)
>>>>>                         modification unicodePwd
>>>>>                             type: unicodePwd
>>>>>                             vals: 1 item
>>>>>                                 AttributeValue: IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA=
>>>>> ```
>>>>>
>>>>> (The Base64-encoded password was randomly generated.)
>>>>>
>>>>> The use of the word 'directly' in "Not allowed to [...] directly"
>>>>> could be interpreted as: changing `unicodePwd` non-locally is
>>>>> disallowed (although Samba can't detect that), and that is indeed
>>>>> not the case: LDAP Account Manager
>>>>> (https://ldap-account-manager.org/lamcms/) uses the same approach
>>>>> of modifying `unicodePwd`, which works on the same DC.
>>>>>
>>>>> Looking this error up, it seems like it can be caused by simply
>>>>> passing an incorrectly formatted password:
>>>>>
>>>>> - https://lists.samba.org/archive/samba/2015-December/196890.html
>>>>> - https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
>>>>>
>>>>> ... but as I'm using the code from `samba-tool`, I don't consider
>>>>> that to be likely.
>>>>>
>>>>> Finally, I tried passing a plaintext string, hoping Samba would do
>>>>> the transformation to binary + Base64 itself (although neither
>>>>> `samba-tool` nor LAM do so). As expected, that changes nothing.
>>>>>
>>>>> What am I doing wrong or misunderstanding here?
>>>> You are missing that to change an active directory password over
>>>> ldap, you don't use ldap, you use ldaps.
>>> That's not the issue, just tested LDAPS. I'm using LDAP for debugging
>>> purposes (no need for a MITM to look at the payload).
>>>
> Did you enable password change via ldap? :
>
> samba-tool forest directory_service dsheuristics '000000001'

According to https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, a dSHeuristic is required only for changing passwords over unencrypted LDAP (`fAllowPasswordOperationsOverNonSecureConnection`).

As mentioned, modifying `unicodePwd` does not work over LDAPS either in my specific case, so a heuristic should not be needed. Also, changing passwords the same way *does* work from samba-tool and LAM.

> - Kees.
>
>
>> Try reading this:
>>
>> https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password
>>
>> Rowland
>>

Kind regards,

William David Edwards
Kees van Vloten
2024-Oct-27 19:26 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On 27-10-2024 at 19:58, William David Edwards wrote:
> Kees van Vloten via samba wrote on 2024-10-27 15:37:
>> On 27-10-2024 at 15:31, Rowland Penny via samba wrote:
>>> On Sun, 27 Oct 2024 15:08:14 +0100
>>> William Edwards <wedwards at cyberfusion.nl> wrote:
>>>
>>>>> On 27 Oct 2024 at 14:50, Rowland Penny via samba
>>>>> <samba at lists.samba.org> wrote the following:
>>>>>
>>>>> On Sun, 27 Oct 2024 13:58:56 +0100
>>>>> William David Edwards via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm trying to set users' LDAP passwords using LDAP.
>>>>>>
>>>>>> `samba-tool user setpassword` does so by setting the write-only
>>>>>> `unicodePwd` attribute, but turning it into binary and
>>>>>> Base64-encoding it first:
>>>>>>
>>>>>> ```
>>>>>> if not isinstance(password, str):
>>>>>>     pw = password.decode('utf-8')
>>>>>> else:
>>>>>>     pw = password
>>>>>> pw = ('"' + pw + '"').encode('utf-16-le')
>>>>>>
>>>>>> setpw = """
>>>>>> dn: %s
>>>>>> changetype: modify
>>>>>> replace: unicodePwd
>>>>>> unicodePwd:: %s
>>>>>> """ % (user_dn, base64.b64encode(pw).decode('utf-8'))
>>>>>> ```
>>>>>>
>>>>>> When doing the same, Samba returns:
>>>>>>
>>>>>>     00002035: setup_io: it's not allowed to set the NT hash
>>>>>>     password directly' Code: 0x35
>>>>>>
>>>>>> This happens both when 1) passing `unicodePwd` during entry
>>>>>> creation, and 2) when modifying it for an existing entry (like
>>>>>> `samba-tool` does).
>>>>>>
>>>>>> This is the (Wireshark-interpreted) `ModifyRequest`:
>>>>>>
>>>>>> ```
>>>>>> Lightweight Directory Access Protocol
>>>>>>     LDAPMessage modifyRequest(3) "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
>>>>>>         messageID: 3
>>>>>>         protocolOp: modifyRequest (6)
>>>>>>             modifyRequest
>>>>>>                 object: CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
>>>>>>                 modification: 1 item
>>>>>>                     modification item
>>>>>>                         operation: replace (2)
>>>>>>                         modification unicodePwd
>>>>>>                             type: unicodePwd
>>>>>>                             vals: 1 item
>>>>>>                                 AttributeValue: IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA=
>>>>>> ```
>>>>>>
>>>>>> (The Base64-encoded password was randomly generated.)
>>>>>>
>>>>>> The use of the word 'directly' in "Not allowed to [...] directly"
>>>>>> could be interpreted as: changing `unicodePwd` non-locally is
>>>>>> disallowed (although Samba can't detect that), and that is indeed
>>>>>> not the case: LDAP Account Manager
>>>>>> (https://ldap-account-manager.org/lamcms/) uses the same approach
>>>>>> of modifying `unicodePwd`, which works on the same DC.
>>>>>>
>>>>>> Looking this error up, it seems like it can be caused by simply
>>>>>> passing an incorrectly formatted password:
>>>>>>
>>>>>> - https://lists.samba.org/archive/samba/2015-December/196890.html
>>>>>> - https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
>>>>>>
>>>>>> ... but as I'm using the code from `samba-tool`, I don't consider
>>>>>> that to be likely.
>>>>>>
>>>>>> Finally, I tried passing a plaintext string, hoping Samba would do
>>>>>> the transformation to binary + Base64 itself (although neither
>>>>>> `samba-tool` nor LAM do so). As expected, that changes nothing.
>>>>>>
>>>>>> What am I doing wrong or misunderstanding here?
>>>>> You are missing that to change an active directory password over
>>>>> ldap, you don't use ldap, you use ldaps.
>>>> That's not the issue, just tested LDAPS. I'm using LDAP for debugging
>>>> purposes (no need for a MITM to look at the payload).
>>>>
>> Did you enable password change via ldap? :
>>
>> samba-tool forest directory_service dsheuristics '000000001'
>
> According to
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5,
> a dSHeuristic is required only for changing passwords over unencrypted
> LDAP (`fAllowPasswordOperationsOverNonSecureConnection`).
>
> As mentioned, modifying `unicodePwd` does not work over LDAPS either
> in my specific case, so a heuristic should not be needed. Also,
> changing passwords the same way *does* work from samba-tool and LAM.

One more detail is that the heuristic is about 'userPassword' and not 'unicodePwd', which you are trying. Perhaps it is an idea to use 'userPassword' instead?

- Kees.

>
>> - Kees.
>>
>>
>>> Try reading this:
>>>
>>> https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password
>>>
>>>
>>> Rowland
>>>
>
> Kind regards,
>
> William David Edwards
>
Kees van Vloten
2024-Oct-27 19:45 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On 27-10-2024 at 19:58, William David Edwards wrote:
> Kees van Vloten via samba wrote on 2024-10-27 15:37:
>> On 27-10-2024 at 15:31, Rowland Penny via samba wrote:
>>> On Sun, 27 Oct 2024 15:08:14 +0100
>>> William Edwards <wedwards at cyberfusion.nl> wrote:
>>>
>>>>> On 27 Oct 2024 at 14:50, Rowland Penny via samba
>>>>> <samba at lists.samba.org> wrote the following:
>>>>>
>>>>> On Sun, 27 Oct 2024 13:58:56 +0100
>>>>> William David Edwards via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm trying to set users' LDAP passwords using LDAP.
>>>>>>
>>>>>> `samba-tool user setpassword` does so by setting the write-only
>>>>>> `unicodePwd` attribute, but turning it into binary and
>>>>>> Base64-encoding it first:
>>>>>>
>>>>>> ```
>>>>>> if not isinstance(password, str):
>>>>>>     pw = password.decode('utf-8')
>>>>>> else:
>>>>>>     pw = password
>>>>>> pw = ('"' + pw + '"').encode('utf-16-le')
>>>>>>
>>>>>> setpw = """
>>>>>> dn: %s
>>>>>> changetype: modify
>>>>>> replace: unicodePwd
>>>>>> unicodePwd:: %s
>>>>>> """ % (user_dn, base64.b64encode(pw).decode('utf-8'))
>>>>>> ```
>>>>>>
>>>>>> When doing the same, Samba returns:
>>>>>>
>>>>>>     00002035: setup_io: it's not allowed to set the NT hash
>>>>>>     password directly' Code: 0x35
>>>>>>
>>>>>> This happens both when 1) passing `unicodePwd` during entry
>>>>>> creation, and 2) when modifying it for an existing entry (like
>>>>>> `samba-tool` does).
>>>>>>
>>>>>> This is the (Wireshark-interpreted) `ModifyRequest`:
>>>>>>
>>>>>> ```
>>>>>> Lightweight Directory Access Protocol
>>>>>>     LDAPMessage modifyRequest(3) "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
>>>>>>         messageID: 3
>>>>>>         protocolOp: modifyRequest (6)
>>>>>>             modifyRequest
>>>>>>                 object: CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
>>>>>>                 modification: 1 item
>>>>>>                     modification item
>>>>>>                         operation: replace (2)
>>>>>>                         modification unicodePwd
>>>>>>                             type: unicodePwd
>>>>>>                             vals: 1 item
>>>>>>                                 AttributeValue: IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA=
>>>>>> ```
>>>>>>
>>>>>> (The Base64-encoded password was randomly generated.)
>>>>>>
>>>>>> The use of the word 'directly' in "Not allowed to [...] directly"
>>>>>> could be interpreted as: changing `unicodePwd` non-locally is
>>>>>> disallowed (although Samba can't detect that), and that is indeed
>>>>>> not the case: LDAP Account Manager
>>>>>> (https://ldap-account-manager.org/lamcms/) uses the same approach
>>>>>> of modifying `unicodePwd`, which works on the same DC.
>>>>>>
>>>>>> Looking this error up, it seems like it can be caused by simply
>>>>>> passing an incorrectly formatted password:
>>>>>>
>>>>>> - https://lists.samba.org/archive/samba/2015-December/196890.html
>>>>>> - https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
>>>>>>
>>>>>> ... but as I'm using the code from `samba-tool`, I don't consider
>>>>>> that to be likely.
>>>>>>
>>>>>> Finally, I tried passing a plaintext string, hoping Samba would do
>>>>>> the transformation to binary + Base64 itself (although neither
>>>>>> `samba-tool` nor LAM do so). As expected, that changes nothing.
>>>>>>
>>>>>> What am I doing wrong or misunderstanding here?
>>>>> You are missing that to change an active directory password over
>>>>> ldap, you don't use ldap, you use ldaps.
>>>> That's not the issue, just tested LDAPS. I'm using LDAP for debugging
>>>> purposes (no need for a MITM to look at the payload).
>>>>
>> Did you enable password change via ldap? :
>>
>> samba-tool forest directory_service dsheuristics '000000001'
>
> According to
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5,
> a dSHeuristic is required only for changing passwords over unencrypted
> LDAP (`fAllowPasswordOperationsOverNonSecureConnection`).

Above link talks about AD DS vs. AD LDS (where the latter refers to ldap, unclear what the first is). At the same time, ldap must be over ssl/tls, as is mentioned here: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f3adda9f-89e1-4340-a3f2-1f0a6249f1f8?redirectedfrom=MSDN. This also states:

"The special encoding required for updating the unicodePwd attribute is not used with the userPassword attribute; that is, Vpassword = V. The same restrictions on SSL/TLS- or SASL-protected connections are enforced. The password values are sent to the server as UTF-8 strings, and surrounding quotation marks are not used."

It looks like 'userPassword' is easier to use. It is the attribute that e.g. NextCloud and Self-Service-Password use for password changes.

- Kees

>
> As mentioned, modifying `unicodePwd` does not work over LDAPS either
> in my specific case, so a heuristic should not be needed. Also,
> changing passwords the same way *does* work from samba-tool and LAM.
>
>> - Kees.
>>
>>
>>> Try reading this:
>>>
>>> https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password
>>>
>>>
>>> Rowland
>>>
>
> Kind regards,
>
> William David Edwards
>