On Tue, Oct 8, 2019 at 8:04 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 08/10/2019 12:53, Jonathon Reinhart wrote:
>>
>> On Tue, Oct 8, 2019, 07:45 Rowland penny via samba
>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>
>>>     On 08/10/2019 12:27, Elias Pereira via samba wrote:
>>>>     hello list,
>>>>
>>>>     What kind of hashing/encryption samba4 ADDC uses for user
>>>>     passwords? base64?
>>
>> Base64 is neither a hash nor an encryption algorithm; it is an encoding.
> That is why I said 'basically' ;-)
>>>>
>>>>     Thanks!
>>>>
>>>     Basically yes, but it is a bit more involved, to create an AD user's
>>>     password in bash, you would have to do something like this:
>>>
>>>     UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE |
>>>     base64 -w 0)
>>
>> Where is this scheme applied?
> On my Hard drive ;-)
>> Are you saying Samba stores plaintext passwords in the database?
> No, that bit of bash turns a plain password into what you would store in
> the user's 'unicodePwd' attribute.
>
> For instance, if $PASSWORD == password , you would get
> 'IgBwAGEAcwBzAHcAbwByAGQAIgA='
>
> Rowland

I appreciate that this is how to pass the plaintext password for setting it, for storage by the Kerberos back end. If Samba is using Kerberos in normal fashion, *nothing* ever sees the plain text password again. A decent explanation lives at https://www.roguelynn.com/words/explain-like-im-5-kerberos/ , and there are many others.
On 09/10/2019 03:19, Nico Kadel-Garcia wrote:
> On Tue, Oct 8, 2019 at 8:04 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 08/10/2019 12:53, Jonathon Reinhart wrote:
>>>
>>> On Tue, Oct 8, 2019, 07:45 Rowland penny via samba
>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>>
>>>>     On 08/10/2019 12:27, Elias Pereira via samba wrote:
>>>>>     hello list,
>>>>>
>>>>>     What kind of hashing/encryption samba4 ADDC uses for user
>>>>>     passwords? base64?
>>>
>>> Base64 is neither a hash nor an encryption algorithm; it is an encoding.
>> That is why I said 'basically' ;-)
>>>>>
>>>>>     Thanks!
>>>>>
>>>>     Basically yes, but it is a bit more involved, to create an AD user's
>>>>     password in bash, you would have to do something like this:
>>>>
>>>>     UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE |
>>>>     base64 -w 0)
>>>
>>> Where is this scheme applied?
>> On my Hard drive ;-)
>>> Are you saying Samba stores plaintext passwords in the database?
>> No, that bit of bash turns a plain password into what you would store in
>> the user's 'unicodePwd' attribute.
>>
>> For instance, if $PASSWORD == password , you would get
>> 'IgBwAGEAcwBzAHcAbwByAGQAIgA='
>>
>> Rowland
> I appreciate that this is how to pass the plaintext password for
> setting it, for storage by the Kerberos back end. If Samba is using
> Kerberos in normal fashion, *nothing* ever sees the plain text
> password again. A decent explanation lives at
> https://www.roguelynn.com/words/explain-like-im-5-kerberos/ , and
> there are many others.

Sorry but you are wrong ;-)

You can sync passwords with 'samba-tool user syncpasswords'

You could run something like this on a Samba AD DC:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(objectclass=user)(samaccountname=rowland))' unicodePwd

This will get you a user's password; you just need to run it through the reverse of what I posted earlier to see the actual user's password.

The OP asked what the password 'hash' was. I took this to mean 'how do I see a password', so I suppose the question has to be 'why does he want to see the password'.

Rowland
> > I suppose the question has to be 'why does he want to
> > see the password'

If this mention is about my doubt, I say that I do not want to see user passwords at all. My doubt originated from the fact that we have another user database in our institution that generates another password, and I want to see if we can export users from that other database to our samba4 DC without having to change the password.

Thanks!

On Wed, Oct 9, 2019 at 4:11 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 09/10/2019 03:19, Nico Kadel-Garcia wrote:
>> On Tue, Oct 8, 2019 at 8:04 AM Rowland penny via samba
>> <samba at lists.samba.org> wrote:
>>> On 08/10/2019 12:53, Jonathon Reinhart wrote:
>>>>
>>>> On Tue, Oct 8, 2019, 07:45 Rowland penny via samba
>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>>>
>>>>>     On 08/10/2019 12:27, Elias Pereira via samba wrote:
>>>>>>     hello list,
>>>>>>
>>>>>>     What kind of hashing/encryption samba4 ADDC uses for user
>>>>>>     passwords? base64?
>>>>
>>>> Base64 is neither a hash nor an encryption algorithm; it is an encoding.
>>> That is why I said 'basically' ;-)
>>>>>>
>>>>>>     Thanks!
>>>>>>
>>>>>     Basically yes, but it is a bit more involved, to create an AD user's
>>>>>     password in bash, you would have to do something like this:
>>>>>
>>>>>     UNICODEPW=$(echo -n "\"$PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE |
>>>>>     base64 -w 0)
>>>>
>>>> Where is this scheme applied?
>>> On my Hard drive ;-)
>>>> Are you saying Samba stores plaintext passwords in the database?
>>> No, that bit of bash turns a plain password into what you would store in
>>> the user's 'unicodePwd' attribute.
>>>
>>> For instance, if $PASSWORD == password , you would get
>>> 'IgBwAGEAcwBzAHcAbwByAGQAIgA='
>>>
>>> Rowland
>> I appreciate that this is how to pass the plaintext password for
>> setting it, for storage by the Kerberos back end. If Samba is using
>> Kerberos in normal fashion, *nothing* ever sees the plain text
>> password again. A decent explanation lives at
>> https://www.roguelynn.com/words/explain-like-im-5-kerberos/ , and
>> there are many others.
>
> Sorry but you are wrong ;-)
>
> You can sync passwords with 'samba-tool user syncpasswords'
>
> You could run something like this on a Samba AD DC:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'dc=samdom,dc=example,dc=com' -s sub
> '(&(objectclass=user)(samaccountname=rowland))' unicodePwd
>
> This will get you a user's password; you just need to run it through the
> reverse of what I posted earlier to see the actual user's password.
>
> The OP asked what the password 'hash' was. I took this to mean 'how do I
> see a password', so I suppose the question has to be 'why does he want to
> see the password'.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Elias Pereira
Hi Rowland, all,

On 10/9/19 9:11 AM, Rowland penny via samba wrote:
> You could run something like this on a Samba AD DC:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'dc=samdom,dc=example,dc=com' -s sub
> '(&(objectclass=user)(samaccountname=rowland))' unicodePwd
>
> This will get you a user's password; you just need to run it through the
> reverse of what I posted earlier to see the actual user's password.

Out of curiosity I tried that, and wrote the following little bash script:

> PASSWORD="zKY\.Jp4jdiJ\_"
> UNICODEPW_GENERATED="$(echo -n "$PASSWORD" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)"
> PASSWORD_DECODED_FROM_UNICODEPW="$(echo -n "$UNICODEPW_GENERATED" | base64 -d | iconv -f UTF-16LE -t UTF-8)"
>
> echo "Password: $PASSWORD"
> echo "Generated unicodePwd: $UNICODEPW_GENERATED"
> echo "Decoded password: $PASSWORD_DECODED_FROM_UNICODEPW"

This gives normal-looking output:

> Password: zKY\.Jp4jdiJ\_
> Generated unicodePwd: egBLAFkAXAAuAEoAcAA0AGoAZABpAEoAXABfAA==
> Decoded password: zKY\.Jp4jdiJ\_

HOWEVER: the AD unicodePwd field for this test user with that password (set with samba-tool) is something different:

> ~# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=testsamba,dc=company,dc=com' -s sub '(&(objectclass=user)(samaccountname=test))' unicodePwd
> # record 1
> dn: CN=ted t. test,CN=Users,DC=testsamba,DC=company,DC=com
> unicodePwd:: eD1jkPHBRopHzc00qaK6fw==

So the actual unicodePwd field in AD is not what the script generated. I tried various users, and confirmed that the AD unicodePwd actually works by logging in as my test users.

So... I am wondering what is wrong in my testing/logic..?

Thanks for the interesting discussion!

MJ
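Editor's note with an added example (my code, not Samba's and not from any post in the thread). The two unicodePwd shapes seen above are different things. The quoted-UTF-16LE-then-base64 string that Rowland's bash builds is only the form in which an LDAP client *sets* the password: base64 there is LDIF transport, and the attribute value is the UTF-16LE text `"password"` including the double quotes. What Samba keeps in sam.ldb under unicodePwd (and what `samba-tool user getpassword --attributes=unicodePwd` exports) is the NT hash: MD4 over the UTF-16LE password, always 16 bytes, no salt. That is why MJ's ldbsearch value decodes to 16 bytes regardless of password length, and why it cannot be run "backwards" through iconv. The script below encodes the set-form, computes the stored form, and classifies a base64 unicodePwd value as one or the other. The three sample values are copied from the thread (with the base64 `=` padding that was lost in the archive completed); MD4 is implemented inline because `hashlib.new("md4")` is absent on many OpenSSL 3 builds.

```python
import base64
import struct

M32 = 0xFFFFFFFF

# Sample inputs copied from the thread (base64 padding completed).
SET_VALUE_FROM_THREAD = "IgBwAGEAcwBzAHcAbwByAGQAIgA="      # Rowland: '"password"' as set-value
STORED_FROM_THREAD = "eD1jkPHBRopHzc00qaK6fw=="            # MJ: ldbsearch output from sam.ldb
MJ_GENERATED = "egBLAFkAXAAuAEoAcAA0AGoAZABpAEoAXABfAA=="  # MJ: his script's output (no quotes)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & M32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        # (round function, additive constant, shift schedule, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [(i % 4) * 4 + i // 4 for i in range(16)]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, w in enumerate(order):
                # Rotate the register tuple so each step updates "a" in turn.
                a, b, c, d = d, _rotl((a + fn(b, c, d) + X[w] + k) & M32, shifts[i % 4]), b, c
        h = [(x + y) & M32 for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """Stored form: NT hash = MD4(UTF-16LE(password)), 16 bytes, unsalted."""
    return md4(password.encode("utf-16-le"))


def ldap_unicode_pwd(password: str) -> str:
    """Set form: base64 of UTF-16LE '"<password>"' (what Rowland's bash builds)."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def classify_unicode_pwd(value_b64: str) -> dict:
    """Tell a stored NT hash from an LDAP set-value by shape.

    Tries the quoted-UTF-16LE reading first so that a 6-character password
    (16 bytes once quoted) is not mistaken for a hash; a 16-byte value that
    is not quoted text is the NT hash and carries no recoverable password.
    """
    raw = base64.b64decode(value_b64)
    out = {"length": len(raw), "hex": raw.hex(), "password": None}
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        text = None
    if text is not None and len(text) >= 2 and text[0] == text[-1] == '"':
        out.update(kind="ldap-set-value", password=text[1:-1])
    elif len(raw) == 16:
        out["kind"] = "nt-hash"
    else:
        out["kind"] = "unquoted-utf16" if text is not None else "unknown"
    return out


if __name__ == "__main__":
    for label, value in (("Rowland's set-value", SET_VALUE_FROM_THREAD),
                         ("MJ's script output", MJ_GENERATED),
                         ("sam.ldb unicodePwd", STORED_FROM_THREAD)):
        print(f"{label:20s} {classify_unicode_pwd(value)}")
    print("NT hash of 'password':", nt_hash("password").hex())
```

Two practical consequences follow from the stored form being an unsalted MD4. First, a copy of sam.ldb (or the output of that ldbsearch) is directly usable for pass-the-hash against any NTLM-accepting service and for fast offline cracking, so access to the DC's private directory must be treated as a full credential dump, whatever the attribute is called. Second, for the migration Elias asked about, there is no path from the stored value back to the plaintext: importing users without a password change needs either the other system's plaintexts at migration time (fed through the set form) or NT hashes it already holds, which is the currency `samba-tool user syncpasswords` and `getpassword` deal in. Note also that MJ's script omitted the surrounding quotes, so even its output is not a valid set-value, which the classifier reports as unquoted UTF-16.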