> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Saturday, August 26, 2017 12:38 PM
> To: James Zuelow; samba at lists.samba.org
> Subject: Re: [Samba] retrieve machine password in current Samba?

-- >8 -- snip -- 8< --

> The recent secrets changes to store the krb5 hashes changed some things to
> use an IDL defined NDR packed structure. I've not checked the details, but that
> might be what you are seeing.
>
> This is a very valid use case, we clearly do need a net sub-command to just
> print it.
>
> Andrew Bartlett

Andrew,

Would there be a way for me to translate that back somehow? I'm thinking that even if a new net command came out, I would be waiting for Debian to release Buster before I saw it show up on my stable machines.

Thanks!

On Thu, 2017-09-07 at 22:02 +0000, James Zuelow via samba wrote:
> > -----Original Message-----
> > From: Andrew Bartlett [mailto:abartlet at samba.org]
> > Sent: Saturday, August 26, 2017 12:38 PM
> > To: James Zuelow; samba at lists.samba.org
> > Subject: Re: [Samba] retrieve machine password in current Samba?
>
> -- >8 -- snip -- 8< --
>
> > The recent secrets changes to store the krb5 hashes changed some things to
> > use an IDL defined NDR packed structure. I've not checked the details, but that
> > might be what you are seeing.
> >
> > This is a very valid use case, we clearly do need a net sub-command to just
> > print it.
> >
> > Andrew Bartlett
>
> Andrew,
>
> Would there be a way for me to translate that back somehow? I'm
> thinking that even if a new net command came out, I would be waiting
> for Debian to release Buster before I saw it show up on my stable
> machines.

I've looked into this, and I don't think we have changed the format, it is just that we stopped keeping to ascii and small lengths for the passwords. That flood of binary stuff is really the password!

So, the tdbdump output is still correct, but you do have to un-escape it.

Otherwise, the attached script will print it on stdout, if you like it and it works for you I can drop it in source4/scripting/bin for posterity.

Sorry for the confusion!

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT  https://catalyst.net.nz/services/samba

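What un-escaping the tdbdump output involves, as an added example that is not part of the original thread and is not the script Andrew attached. It assumes tdbdump writes every non-printable byte, `"` and `\` as a backslash followed by two hex digits, and that the stored value is UTF-8 with a trailing NUL; the record and key name below are constructed sample data.

```python
import re

# Assumption: tdbdump prints records as  key(N) = "..."  /  data(N) = "..."
# with printable bytes as-is and all other bytes (plus '"' and '\') as \XX.
_RECORD = re.compile(r'^(key|data)\((\d+)\) = "(.*)"$')
_ESCAPE = re.compile(rb'\\([0-9A-Fa-f]{2})')


def unescape(field: str) -> bytes:
    """Turn one escaped tdbdump field back into the raw bytes."""
    raw = field.encode("latin-1")
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def parse_dump(text: str) -> dict:
    """Map raw key bytes to raw data bytes, checking the declared lengths."""
    records, key = {}, None
    for line in text.splitlines():
        m = _RECORD.match(line.strip())
        if not m:
            continue  # the "{" and "}" lines around each record
        name, size, value = m.group(1), int(m.group(2)), unescape(m.group(3))
        if len(value) != size:
            raise ValueError(f"{name}: declared {size} bytes, decoded {len(value)}")
        if name == "key":
            key = value
        else:
            records[key] = value
    return records


def password_for(text: str, key: bytes) -> str:
    """Return the value under `key` as text, without the trailing NUL."""
    return parse_dump(text)[key].rstrip(b"\x00").decode("utf-8")


# Constructed sample record (not real output): the password is Ab"\ + e-acute + euro sign.
SAMPLE = r'''{
key(32) = "SECRETS/MACHINE_PASSWORD/EXAMPLE"
data(10) = "Ab\22\5C\C3\A9\E2\82\AC\00"
}
'''

if __name__ == "__main__":
    pw = password_for(SAMPLE, b"SECRETS/MACHINE_PASSWORD/EXAMPLE")
    print(len(pw), "characters recovered")
```

The decoded value is the non-ASCII text James describes as a jumble of Unicode characters; it is the password as stored and needs no further conversion.
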
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Thursday, September 7, 2017 3:41 PM
> To: James Zuelow; samba at lists.samba.org
> Subject: Re: [Samba] retrieve machine password in current Samba?

-- >8 -- snip -- 8< --

> I've looked into this, and I don't think we have changed the format, it is just that
> we stopped keeping to ascii and small lengths for the passwords. That flood of
> binary stuff is really the password!
>
> So, the tdbdump output is still correct, but you do have to un-escape it.
>
> Otherwise, the attached script will print it on stdout, if you like it and it works
> for you I can drop it in source4/scripting/bin for posterity.
>
> Sorry for the confusion!
>
> Andrew Bartlett

The confusion was on my part - when I tried to look at the string after unescaping it I was getting a jumble of Unicode characters and not the ascii string I was used to. I spent a lot of effort trying to get that back into the form that I saw in the past, not realizing I didn't have to.

But using your script and plugging that into wicd's wireless password works very well.

Essentially it boils down to:

Editing wicd's wireless-settings.conf:

    identity = host/HOSTNAME.local.domain
    beforescript = /usr/local/sbin/machine-passwd.sh

And then machine-passwd.sh is similar to:

    password=`/usr/local/sbin/machineaccountpw`
    wicd-cli -y -n (network-id) --network-property password -s "${password}"

(I have a little logic in there to grab the network ID since it changes from time to time.)

Then when wicd connects, it presents the username of the machine account and the current machine password, whatever that may be.

I could probably work with your script to insert the password into wireless-settings.conf directly, but I’m too lazy to do that now that this is working.

Thank you very much!

James

08.09.2017 3:41, Andrew Bartlett via samba wrote:
> Otherwise, the attached script will print it on stdout, if you like it
> and it works for you I can drop it in source4/scripting/bin for
> posterity.

May I ask about machine passwords also? (I can't see any attached scripts in your email, by the way. Did you send it off the list?)

Some time ago I accidentally deleted some machine accounts from AD (using ADUC). When I googled how I can restore it, I found the long story about "tombstone" and the lack of support for it in Samba, and many troubles with "deleted" attributes and so on.

But there is another way to restore it - restore the LDAP object to the "normal" state without the "deleted" attribute by hand and set the machine password by hand (it is lost after "delete" in ADUC).

Where can I find that machine password, and how can I extract it? Is there any sense in doing this?

-- 
Administrator