Hi,

Thank you for this answer, unfortunately I was not able to re-hash password as they are hashed into LDB database.

First I retrieved the hash:

ldbsearch -H $sam '(cn=some user)' unicodePwd
# record 1
dn: CN=some user,OU=Users Management,DC=ad,DC=example,DC=com
unicodePwd:: COwwLgiqqaHRyhy4HxWp4A=

This "unicodePwd" attribute comes from a quick search into "user" class:

ldbsearch -H $sam -b 'CN=SCHEMA,CN=CONFIGURATION,DC=AD,DC=EXAMPLE,DC=COM' '(&(objectClass=classSchema)(cn=user))' | egrep -i 'pass|pwd'
systemMayContain: msDS-UserPasswordExpiryTimeComputed
systemMayContain: unicodePwd
systemMayContain: pwdLastSet
systemMayContain: ntPwdHistory
systemMayContain: lmPwdHistory
systemMayContain: dBCSPwd
systemMayContain: badPwdCount
systemMayContain: badPasswordTime

Now the password is "Sg4QWTYspPucd" and its hash is "COwwLgiqqaHRyhy4HxWp4A==". The hash seems to be base64 encoded because of the double ":" trailing the attribute name, but I was not able to decode it to obtain the password in clear version. This does not really matter in fact; what I'm looking for is a way to encrypt, not to decrypt.

But I was not able to find the way to encrypt this password to obtain the corresponding hash:

echo -n "\"Sg4QWTYspPucd\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
IgBTAGcANABRAFcAVABZAHMAcABQAHUAYwBkACIA

rather than expected "COwwLgiqqaHRyhy4HxWp4A==".

So I'm missing something to encrypt correctly these passwords...

Best regards,

mathias

2015-06-17 15:53 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 17/06/15 14:39, mathias dufresne wrote:
>> Hi all,
>>
>> I was wondering what kind of password encryption is used into LDB file to store user's password.
>>
>> Our users are authenticating against some OpenLDAP tree to access their applications. We would like to add some field on this OpenLDAP to generate Samba4 valid password when users are connecting against it, to be able then to copy this field into our Samba4 users for they have same password for applications and AD.
>>
>> Kindly regards,
>>
>> mathias
>
> it is in unicode, to create a windows password with bash, you need to do something like this:
>
> echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>
> The password is supposed to be read only, you cannot read it over the wire and must be set via SSL.
>
> Have you considered kerberos instead, i.e. SSO
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 18/06/15 12:04, mathias dufresne wrote:
> Hi,
>
> Thank you for this answer, unfortunately I was not able to re-hash password as they are hashed into LDB database.
>
> First I retrieved the hash:
> ldbsearch -H $sam '(cn=some user)' unicodePwd
> # record 1
> dn: CN=some user,OU=Users Management,DC=ad,DC=example,DC=com
> unicodePwd:: COwwLgiqqaHRyhy4HxWp4A=
>
> This "unicodePwd" attribute comes from a quick search into "user" class:
> ldbsearch -H $sam -b 'CN=SCHEMA,CN=CONFIGURATION,DC=AD,DC=EXAMPLE,DC=COM' '(&(objectClass=classSchema)(cn=user))' | egrep -i 'pass|pwd'
> systemMayContain: msDS-UserPasswordExpiryTimeComputed
> systemMayContain: unicodePwd
> systemMayContain: pwdLastSet
> systemMayContain: ntPwdHistory
> systemMayContain: lmPwdHistory
> systemMayContain: dBCSPwd
> systemMayContain: badPwdCount
> systemMayContain: badPasswordTime
>
> Now the password is "Sg4QWTYspPucd" and its hash is "COwwLgiqqaHRyhy4HxWp4A==". The hash seems to be base64 encoded because of the double ":" trailing the attribute name, but I was not able to decode it to obtain the password in clear version. This does not really matter in fact; what I'm looking for is a way to encrypt, not to decrypt.
>
> But I was not able to find the way to encrypt this password to obtain the corresponding hash:
> echo -n "\"Sg4QWTYspPucd\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
> IgBTAGcANABRAFcAVABZAHMAcABQAHUAYwBkACIA
> rather than expected "COwwLgiqqaHRyhy4HxWp4A==".
>
> So I'm missing something to encrypt correctly these passwords...
>
> Best regards,
>
> mathias
>
> 2015-06-17 15:53 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>> On 17/06/15 14:39, mathias dufresne wrote:
>>> Hi all,
>>>
>>> I was wondering what kind of password encryption is used into LDB file to store user's password.
>>>
>>> Our users are authenticating against some OpenLDAP tree to access their applications. We would like to add some field on this OpenLDAP to generate Samba4 valid password when users are connecting against it, to be able then to copy this field into our Samba4 users for they have same password for applications and AD.
>>>
>>> Kindly regards,
>>>
>>> mathias
>>
>> it is in unicode, to create a windows password with bash, you need to do something like this:
>>
>> echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>>
>> The password is supposed to be read only, you cannot read it over the wire and must be set via SSL.
>>
>> Have you considered kerberos instead, i.e. SSO
>>
>> Rowland

Ah but what goes in is not necessarily what you think!
I have a bash script to create a user, it has this line:

UNICODEPWD=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)

The user is then created from an ldif and at the bottom of the ldif is this:

$_DN
changetype: modify
replace: unicodePwd
unicodePwd::$UNICODEPWD"

The whole idea is that it is very difficult to decode the AD user's password, on a windows DC you cannot obtain the user's password, you seemingly can only obtain it on a samba4 DC by acting directly on the .ldb file.

I suppose you could write a script to set the user's password in AD via an ldif and then set the user's password in openldap via another ldif, but before you go down this line, just what are you trying to authenticate this way and can you do it via kerberos.

Rowland
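The point Rowland is making is worth seeing in code. The "echo | iconv | base64" pipeline does not hash anything: it only transcodes the quoted cleartext to UTF-16LE and base64-wraps it for the LDIF, and the DC is what turns that into the stored value. The value mathias read back, "COwwLgiqqaHRyhy4HxWp4A==", decodes to 16 bytes, the length of an NT hash, not to the 30-byte UTF-16LE string that was written, which is why comparing the two could never match. The following is an added example, not code from this thread or from Samba: it reproduces the encoding step in Python, builds the modify LDIF, and checks whether a unicodePwd value is still the encoded cleartext or has already been replaced by the DC. The DN and the two values are taken from the thread; the function names are the example's own.

```python
"""Added example (not code from the thread): build the LDIF Rowland describes
for setting unicodePwd, and show why the value read back from sam.ldb does
not match the value that was written."""
import base64

# Values quoted from the thread: the password mathias set and the
# unicodePwd value ldbsearch returned for that user afterwards.
THREAD_PASSWORD = "Sg4QWTYspPucd"
THREAD_STORED_VALUE = "COwwLgiqqaHRyhy4HxWp4A=="


def encode_unicodepwd(password: str) -> str:
    """Encode a cleartext password the way AD expects it in a unicodePwd
    modify: the password wrapped in double quotes, as UTF-16LE, then base64.
    This is exactly what 'echo -n "\\"PW\\"" | iconv -t UTF-16LE | base64'
    does; nothing here is a hash."""
    quoted = f'"{password}"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def decode_unicodepwd(value: str) -> bytes:
    """base64-decode an LDIF 'unicodePwd::' value (double colon = base64)."""
    return base64.b64decode(value)


def is_encoded_cleartext(value: str) -> bool:
    """True if the decoded bytes look like the quoted UTF-16LE form that
    encode_unicodepwd() produces: even length, starting and ending with
    a double quote followed by a NUL. The 16-byte value the DC stores
    fails this test, which is the mismatch mathias ran into."""
    raw = decode_unicodepwd(value)
    return (len(raw) >= 4 and len(raw) % 2 == 0
            and raw[:2] == b'"\x00' and raw[-2:] == b'"\x00')


def build_password_ldif(dn: str, password: str) -> str:
    """Return the 'changetype: modify' LDIF that replaces unicodePwd,
    the same shape as the bottom of Rowland's ldif."""
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {encode_unicodepwd(password)}",
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dn = "CN=some user,OU=Users Management,DC=ad,DC=example,DC=com"  # from the thread
    print(build_password_ldif(dn, THREAD_PASSWORD))
    stored = decode_unicodepwd(THREAD_STORED_VALUE)
    print(f"stored unicodePwd is {len(stored)} bytes; "
          f"encoded cleartext? {is_encoded_cleartext(THREAD_STORED_VALUE)}")
```

The generated LDIF is what mathias later fed to ldbmodify; over the network the same modify has to go through LDAPS, because the DC refuses a unicodePwd change on an unencrypted connection. Since the base64 value is the cleartext password merely transcoded, the LDIF (and any shell variable holding it) should be handled as a secret and not left in history files or world-readable temp files.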
Thank you Rowland for having taken the time to insist :)

I stopped hanging on the fact the hashes were different and tried your tips. It worked fine: I was able to use ldbmodify to replace "unicodePwd" attribute's value using your command.

Thank you again ;)

Cheers,

mathias

2015-06-18 13:23 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 18/06/15 12:04, mathias dufresne wrote:
>> Hi,
>>
>> Thank you for this answer, unfortunately I was not able to re-hash password as they are hashed into LDB database.
>>
>> First I retrieved the hash:
>> ldbsearch -H $sam '(cn=some user)' unicodePwd
>> # record 1
>> dn: CN=some user,OU=Users Management,DC=ad,DC=example,DC=com
>> unicodePwd:: COwwLgiqqaHRyhy4HxWp4A=
>>
>> This "unicodePwd" attribute comes from a quick search into "user" class:
>> ldbsearch -H $sam -b 'CN=SCHEMA,CN=CONFIGURATION,DC=AD,DC=EXAMPLE,DC=COM' '(&(objectClass=classSchema)(cn=user))' | egrep -i 'pass|pwd'
>> systemMayContain: msDS-UserPasswordExpiryTimeComputed
>> systemMayContain: unicodePwd
>> systemMayContain: pwdLastSet
>> systemMayContain: ntPwdHistory
>> systemMayContain: lmPwdHistory
>> systemMayContain: dBCSPwd
>> systemMayContain: badPwdCount
>> systemMayContain: badPasswordTime
>>
>> Now the password is "Sg4QWTYspPucd" and its hash is "COwwLgiqqaHRyhy4HxWp4A==". The hash seems to be base64 encoded because of the double ":" trailing the attribute name, but I was not able to decode it to obtain the password in clear version. This does not really matter in fact; what I'm looking for is a way to encrypt, not to decrypt.
>>
>> But I was not able to find the way to encrypt this password to obtain the corresponding hash:
>> echo -n "\"Sg4QWTYspPucd\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>> IgBTAGcANABRAFcAVABZAHMAcABQAHUAYwBkACIA
>> rather than expected "COwwLgiqqaHRyhy4HxWp4A==".
>>
>> So I'm missing something to encrypt correctly these passwords...
>>
>> Best regards,
>>
>> mathias
>>
>> 2015-06-17 15:53 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>> On 17/06/15 14:39, mathias dufresne wrote:
>>>> Hi all,
>>>>
>>>> I was wondering what kind of password encryption is used into LDB file to store user's password.
>>>>
>>>> Our users are authenticating against some OpenLDAP tree to access their applications. We would like to add some field on this OpenLDAP to generate Samba4 valid password when users are connecting against it, to be able then to copy this field into our Samba4 users for they have same password for applications and AD.
>>>>
>>>> Kindly regards,
>>>>
>>>> mathias
>>>
>>> it is in unicode, to create a windows password with bash, you need to do something like this:
>>>
>>> echo -n "\"PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
>>>
>>> The password is supposed to be read only, you cannot read it over the wire and must be set via SSL.
>>>
>>> Have you considered kerberos instead, i.e. SSO
>>>
>>> Rowland
>
> Ah but what goes in is not necessarily what you think!
> I have a bash script to create a user, it has this line:
>
> UNICODEPWD=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
>
> The user is then created from an ldif and at the bottom of the ldif is this:
>
> $_DN
> changetype: modify
> replace: unicodePwd
> unicodePwd::$UNICODEPWD"
>
> The whole idea is that it is very difficult to decode the AD user's password, on a windows DC you cannot obtain the user's password, you seemingly can only obtain it on a samba4 DC by acting directly on the .ldb file.
>
> I suppose you could write a script to set the user's password in AD via an ldif and then set the user's password in openldap via another ldif, but before you go down this line, just what are you trying to authenticate this way and can you do it via kerberos.
>
> Rowland