Hi,
Thank you for this answer. Unfortunately I was not able to re-hash passwords
as they are hashed in the LDB database.
First I retrieved the hash:
ldbsearch -H $sam '(cn=some user)' unicodePwd
# record 1
dn: CN=some user,OU=Users Management,DC=ad,DC=example,DC=com
unicodePwd:: COwwLgiqqaHRyhy4HxWp4A==
This "unicodePwd" attribute comes from a quick search in the
"user" class:
ldbsearch -H $sam -b 'CN=SCHEMA,CN=CONFIGURATION,DC=AD,DC=EXAMPLE,DC=COM' '(&(objectClass=classSchema)(cn=user))' | egrep -i 'pass|pwd'
systemMayContain: msDS-UserPasswordExpiryTimeComputed
systemMayContain: unicodePwd
systemMayContain: pwdLastSet
systemMayContain: ntPwdHistory
systemMayContain: lmPwdHistory
systemMayContain: dBCSPwd
systemMayContain: badPwdCount
systemMayContain: badPasswordTime
Now the password is "Sg4QWTYspPucd" and its hash is
"COwwLgiqqaHRyhy4HxWp4A==". The hash seems to be base64 encoded because of
the double ":" following the attribute name, but I was not able to decode it to
obtain the password in clear. This does not really matter in fact; what I'm
looking for is a way to encrypt, not to decrypt.
But I was not able to find the way to encrypt this password to obtain the
corresponding hash:
echo -n "\"Sg4QWTYspPucd\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
IgBTAGcANABRAFcAVABZAHMAcABQAHUAYwBkACIA
rather than the expected "COwwLgiqqaHRyhy4HxWp4A==".
So I'm missing something to encrypt these passwords correctly...
Best regards,
mathias
2015-06-17 15:53 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 17/06/15 14:39, mathias dufresne wrote:
>
>> Hi all,
>>
>> I was wondering what kind of password encryption is used in the LDB file to
>> store users' passwords.
>>
>> Our users authenticate against an OpenLDAP tree to access their
>> applications. We would like to add a field to this OpenLDAP to generate a
>> Samba4-valid password when users connect to it, to then be able to copy
>> this field to our Samba4 users so they have the same password for
>> applications and AD.
>>
>> Kind regards,
>>
>> mathias
>>
>
> It is in Unicode; to create a Windows password with bash, you need to do
> something like this:
>
> echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>
> The password is supposed to be read only: you cannot read it over the wire,
> and it must be set via SSL.
>
> Have you considered Kerberos instead, i.e. SSO?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>