On Tue, Oct 8, 2019, 07:45 Rowland penny via samba <samba at lists.samba.org> wrote:
> On 08/10/2019 12:27, Elias Pereira via samba wrote:
> > hello list,
> >
> > What kind of hashing/encryption samba4 ADDC uses for user passwords?
> > base64?

Base64 is neither a hash nor an encryption algorithm; it is an encoding.

> > Thanks!
> >
> Basically yes, but it is a bit more involved, to create an AD user's
> password in bash, you would have to do something like this:
>
> UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE |
> base64 -w 0)

Where is this scheme applied? Are you saying Samba stores plaintext passwords in the database?

Jonathon

On 08/10/2019 12:53, Jonathon Reinhart wrote:
> On Tue, Oct 8, 2019, 07:45 Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
> > On 08/10/2019 12:27, Elias Pereira via samba wrote:
> > > hello list,
> > >
> > > What kind of hashing/encryption samba4 ADDC uses for user
> > > passwords? base64?
>
> Base64 is neither a hash nor an encryption algorithm; it is an encoding.

That is why I said 'basically' ;-)

> > > Thanks!
> > >
> > Basically yes, but it is a bit more involved, to create an AD user's
> > password in bash, you would have to do something like this:
> >
> > UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE |
> > base64 -w 0)
>
> Where is this scheme applied?

On my hard drive ;-)

> Are you saying Samba stores plaintext passwords in the database?

No, that bit of bash turns a plain password into what you would store in the user's 'unicodePwd' attribute.

For instance, if $PASSWORD == password , you would get 'IgBwAGEAcwBzAHcAbwByAGQAIgA='

Rowland

> Jonathon

On Tue, Oct 8, 2019 at 8:04 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 08/10/2019 12:53, Jonathon Reinhart wrote:
> > On Tue, Oct 8, 2019, 07:45 Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > > On 08/10/2019 12:27, Elias Pereira via samba wrote:
> > > > hello list,
> > > >
> > > > What kind of hashing/encryption samba4 ADDC uses for user
> > > > passwords? base64?
> >
> > Base64 is neither a hash nor an encryption algorithm; it is an encoding.
>
> That is why I said 'basically' ;-)
>
> > > > Thanks!
> > > >
> > > Basically yes, but it is a bit more involved, to create an AD user's
> > > password in bash, you would have to do something like this:
> > >
> > > UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE |
> > > base64 -w 0)
> >
> > Where is this scheme applied?
>
> On my hard drive ;-)
>
> > Are you saying Samba stores plaintext passwords in the database?
>
> No, that bit of bash turns a plain password into what you would store in
> the user's 'unicodePwd' attribute.
>
> For instance, if $PASSWORD == password , you would get
> 'IgBwAGEAcwBzAHcAbwByAGQAIgA='
>
> Rowland

I appreciate that this is how to pass the plaintext password for setting it, for storage by the Kerberos back end. If Samba is using Kerberos in normal fashion, *nothing* ever sees the plain text password again. A decent explanation lives at https://www.roguelynn.com/words/explain-like-im-5-kerberos/ , and there are many others.
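
The encoding discussed in this thread, as an added example that is not part of any poster's message and is not Samba's own code: it builds the 'unicodePwd' value from the thread's one-liner and decodes it again, which shows the value is a reversible transport encoding rather than a hash. The function names, the DN and the sample password are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. encode_unicodepwd, decode_unicodepwd and ldif_set_password
# are hypothetical helper names; the DN and password are constructed samples.

# Encode as described in the thread: wrap the password in double quotes,
# convert UTF-8 to UTF-16LE, then base64 on a single line.
# printf is used instead of 'echo -n' so backslashes and leading dashes in
# the password are passed through unchanged.
encode_unicodepwd() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Reverse the encoding: base64-decode, convert back to UTF-8 and strip only
# the outer pair of quotes. Anyone who can read the encoded value can do this,
# so it must be handled like the plaintext password (no logs, no shell history).
decode_unicodepwd() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8 \
        | sed -e 's/^"//' -e 's/"$//'
}

# Build an LDIF modify record that sets unicodePwd.
# Assumption: the record is fed to an LDAP client over an encrypted connection.
# The '::' after the attribute name is the LDIF marker for a base64 value.
#   $1 = user DN, $2 = plaintext password
ldif_set_password() {
    printf 'dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n-\n' \
        "$1" "$(encode_unicodepwd "$2")"
}

# Demo with constructed values; the encoded value matches the one quoted
# in the thread for the password 'password'.
ldif_set_password 'CN=Example User,CN=Users,DC=example,DC=com' 'password'
```
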