Emil.s
2024-Dec-02 09:54 UTC
[Samba] Import of exported unicodePwd does not update Kerberos password
Hello, I'm troubleshooting an old backup script that exports and imports users from a Samba database using `samba-tool`. It's implemented so that passwords are exported using "samba-tool user getpassword {username} --attributes=unicodePwd". On the import side, an LDIF file is created in the following format: ``` dn: CN={username},OU=Users,DC=example,DC=com changetype: modify replace: unicodePwd unicodePwd:: {unicodePwd_string_here} ``` This file is then applied using `ldbmodify -H /var/lib/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0`. However, this no longer seems to work, at least not for Kerberos. I've found and tried the `--pw-nt-hash` option, but it doesn't make a difference. After applying the password, I can "login" using "smbclient -L //localhost -U {username}". But if I try to issue a Kerberos ticket using "kinit {username}" I get a "kinit: Password incorrect while getting initial credentials" error. However, if I generate a new password string and apply it without the `--controls`, or set a password using "samba-tool user setpassword", everything works as usual. Has anything changed here during the last few years? And what would be the correct way to restore a password that was previously exported using samba-tool? Or is there any new or prefered method to create a backup of a user including the password? Best regards Emil Sandnabba
Rowland Penny
2024-Dec-02 12:55 UTC
[Samba] Import of exported unicodePwd does not update Kerberos password
On Mon, 2 Dec 2024 10:54:38 +0100 "Emil.s via samba" <samba at lists.samba.org> wrote:> Hello, > > I'm troubleshooting an old backup script that exports and imports > users from a Samba database using `samba-tool`. > > It's implemented so that passwords are exported using "samba-tool user > getpassword {username} --attributes=unicodePwd". > On the import side, an LDIF file is created in the following format: > ``` > dn: CN={username},OU=Users,DC=example,DC=com > changetype: modify > replace: unicodePwd > unicodePwd:: {unicodePwd_string_here} > ``` > This file is then applied using `ldbmodify -H > /var/lib/samba/private/sam.ldb > --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0`. > > However, this no longer seems to work, at least not for Kerberos. I've > found and tried the `--pw-nt-hash` option, but it doesn't make a > difference. > > After applying the password, I can "login" using "smbclient -L > //localhost -U {username}". > But if I try to issue a Kerberos ticket using "kinit {username}" I > get a "kinit: Password incorrect while getting initial credentials" > error. > > However, if I generate a new password string and apply it without the > `--controls`, or set a password using "samba-tool user setpassword", > everything works as usual. > > Has anything changed here during the last few years?Yes, quite a lot. If you follow the way that Microsoft does things, you aren't really supposed to be able to read the contents of the unicodePwd attribute, it is supposed to be write-only. You can read the attribute on Samba, but what you get back isn't the password, is a 64bit hash of the password.> And what would > be the correct way to restore a password that was previously exported > using samba-tool?There isn't one, not unless you know the actual plain password and you can no longer obtain this. You can set a new password and force the user to change it at next logon.> Or is there any new or prefered method to create a backup of a user > including the password?Why would you backup a user ? You should only backup the domain and then only use such a backup in catastrophic cases, such as all your DCs failing at once. The correct backup is to run multiple DCs. Rowland
Reasonably Related Threads
- Import of exported unicodePwd does not update Kerberos password
- Import of exported unicodePwd does not update Kerberos password
- Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
- Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
- Encoding problem with the unicodePwd stored into sam.ldb