Hello Andrew,

I'm finally diving into this project...

First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best.

Here we go anyway... I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database.

In the script I see these lines:

#######################################################
# Connect to samba4 backend
s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
########################################################

I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?

Once that's done, from what I understand, I should be able to change the passwords directly:

#######################################################
# Change foo-user password
admin_userdata = s4_passdb.getsampwnam("foo-user")
admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
s4_passdb.update_sam_account(admin_userdata)
#######################################################

Is that right?

Cheers.

--
Luc Lalonde, analyste
---------------------------------------------------------------------
Département de génie informatique: École polytechnique de Montréal
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
---------------------------------------------------------------------

----- Original Message -----
From: "Andrew Bartlett" <abartlet at samba.org>
To: "Luc Lalonde" <Luc.Lalonde at polymtl.ca>
Cc: samba at lists.samba.org
Sent: Tuesday, December 11, 2012 10:22:21 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection

On Tue, 2012-12-11 at 21:48 -0500, Luc Lalonde wrote:
> Hello Folks,
>
> In our present Samba-3 setup we update user passwords in our LDAP backend. We only have access to the encrypted NTLM passwords and use Perl scripts to do this.
>
> Beyond importing the user database with the 'Classic upgrade' method, will we be able to adapt our Perl scripts so that we can keep updating the internal Samba-4 database with the encrypted passwords as we did with Samba-3?
>
> We've been using Samba for many years now and very much appreciate all the work done by the Samba team. Congrats on getting Samba-4 to stable status!

Yes, you can continue to do that. The best approach would be to set it via the ldb python bindings, specifying the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control and unicodePwd, or via the python or C passdb API.

One approach you could code from is how we set the administrator password during the 'classicupgrade' script in source4/scripting/python/samba/upgrade.py.

Give that a go, but if you need more clues I'm very happy to help out.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Andrew Bartlett
2013-Mar-27 22:18 UTC
[Samba] Samba 4 LDAP NTLM password nightly injection
On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
> Hello Andrew,
>
> I'm finally diving into this project...
>
> First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best.
>
> Here we go anyway... I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database.
>
> In the script I see these lines:
>
> #######################################################
> # Connect to samba4 backend
> s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
> ########################################################
>
> I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?
>
> Once that's done, from what I understand, I should be able to change the passwords directly:
>
> #######################################################
> # Change foo-user password
> admin_userdata = s4_passdb.getsampwnam("foo-user")
> admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
> admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
> s4_passdb.update_sam_account(admin_userdata)
> #######################################################

Sort of. Those values are not base16 strings, but raw bytes, but otherwise that looks pretty much right at a first glance.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
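
The point made in the reply above, as an added example that is not part of the original thread or Samba's own code: the hex strings from the quoted snippet are decoded to 16 raw bytes and validated before the account is touched. `pdb` is assumed to be a `passdb.PDB` object as in the quoted snippet; `hex_hash_to_raw`, `set_password_hashes` and `FakePDB` are hypothetical names, and the stand-in class exists only so the block runs without Samba installed.

```python
import binascii

HASH_LEN = 16  # NT and LM hashes are 16 raw bytes each (32 hex digits)

def hex_hash_to_raw(hex_hash, label="hash"):
    """Decode a 32-digit hex hash (the form in the quoted snippet) to raw bytes."""
    try:
        raw = binascii.unhexlify(hex_hash.strip())
    except (binascii.Error, TypeError, ValueError) as exc:
        raise ValueError("%s is not valid hex: %s" % (label, exc))
    if len(raw) != HASH_LEN:
        raise ValueError("%s must be %d bytes, got %d" % (label, HASH_LEN, len(raw)))
    return raw

def set_password_hashes(pdb, username, nt_hex, lm_hex=None):
    """Store raw-byte hashes on an account using the calls from the quoted snippet."""
    # Decode and validate first, so a malformed value never reaches the database.
    nt_raw = hex_hash_to_raw(nt_hex, "NT hash")
    lm_raw = hex_hash_to_raw(lm_hex, "LM hash") if lm_hex else None
    account = pdb.getsampwnam(username)
    account.nt_passwd = nt_raw
    if lm_raw is not None:
        account.lanman_passwd = lm_raw
    pdb.update_sam_account(account)
    return account

class FakeAccount(object):
    """Constructed stand-in for the object returned by getsampwnam()."""
    nt_passwd = None
    lanman_passwd = None

class FakePDB(object):
    """Constructed stand-in for passdb.PDB (assumption: same two method names)."""
    def __init__(self):
        self.accounts = {"foo-user": FakeAccount()}
        self.updates = 0

    def getsampwnam(self, name):
        return self.accounts[name]

    def update_sam_account(self, account):
        self.updates += 1

if __name__ == "__main__":
    acct = set_password_hashes(FakePDB(), "foo-user",
                               "878D8014606CDA29677A44EFA1353FC7",
                               "552902031BEDE9EFAAD3B435B51404EE")
    print(len(acct.nt_passwd), len(acct.lanman_passwd))
```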