Andrew Bartlett
2017-Mar-29 19:18 UTC
[Samba] Provision new domain keeping users and passwords
On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> The users password is stored in an hidden attribute which is supposed
> to be unreadable, but you can read it on a Samba DC, but it is heavily
> encoded. You may be able to obtain some of the users password with
> pdbedit, but can you get them all ?

To be clear, by design pdbedit can obtain all the unicodePwd values (the NT hash) for users in the domain. For clarity this is the same underlying value as the sambaNTPassword in traditional 'Samba3' domains using LDAP.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Rowland Penny
2017-Mar-29 19:42 UTC
[Samba] Provision new domain keeping users and passwords
On Thu, 30 Mar 2017 08:18:30 +1300 Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> > The users password is stored in an hidden attribute which is
> > supposed to be unreadable, but you can read it on a Samba DC, but
> > it is heavily encoded. You may be able to obtain some of the users
> > password with pdbedit, but can you get them all ?
>
> To be clear, by design pdbedit can obtain all the unicodePwd values
> (the NT hash) for users in the domain. For clarity this is the same
> underlying value as the sambaNTPassword in traditional 'Samba3'
> domains using LDAP.
>
> Andrew Bartlett

Yes, but will all the AD users be in the pdbedit database ?

Rowland
Jeanderson Soares
2017-Mar-29 21:18 UTC
[Samba] Provision new domain keeping users and passwords
2017-03-29 16:42 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Thu, 30 Mar 2017 08:18:30 +1300
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> > On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> > > The users password is stored in an hidden attribute which is
> > > supposed to be unreadable, but you can read it on a Samba DC, but
> > > it is heavily encoded. You may be able to obtain some of the users
> > > password with pdbedit, but can you get them all ?
> >
> > To be clear, by design pdbedit can obtain all the unicodePwd values
> > (the NT hash) for users in the domain. For clarity this is the same
> > underlying value as the sambaNTPassword in traditional 'Samba3'
> > domains using LDAP.
> >
> > Andrew Bartlett
>
> Yes, but will all the AD users be in the pdbedit database ?

# pdbedit -L | wc -l
48064
# samba-tool user list | wc -l
48033

It's giving me more!

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2017-Mar-29 22:13 UTC
[Samba] Provision new domain keeping users and passwords
On Wed, 2017-03-29 at 20:42 +0100, Rowland Penny wrote:
> On Thu, 30 Mar 2017 08:18:30 +1300
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> > On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> > > The users password is stored in an hidden attribute which is
> > > supposed to be unreadable, but you can read it on a Samba DC, but
> > > it is heavily encoded. You may be able to obtain some of the users
> > > password with pdbedit, but can you get them all ?
> >
> > To be clear, by design pdbedit can obtain all the unicodePwd values
> > (the NT hash) for users in the domain. For clarity this is the
> > same underlying value as the sambaNTPassword in traditional 'Samba3'
> > domains using LDAP.
> >
> > Andrew Bartlett
>
> Yes, but will all the AD users be in the pdbedit database ?

Yes, pdbedit on an AD DC is a full view of the sam.ldb database.

Andrew Bartlett