Hello:

I have implemented a Samba4 AD and, for process reasons, I need the user password changes to be done from an external system. Currently the password changes are made from that system by connecting to the LDAPS port, but our idea is that the operations are centralized in a REST API, and we are trying to make a method that receives the hash from the external system and applies it in Samba4 (for audit reasons we do not want to receive the plain password by any reversible method that involves our administration handling the plain password at some point).

I have been testing generating the hash and inserting it through "ldbmodify" with bash:

user=123456789
user_pass="password"
# wrap the password in double quotes, encode as UTF-16LE, base64 it for the LDIF
UNICODEPWD=$(echo -n "\"$user_pass\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)

ldbmodify -H /.../sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=$user,OU=user,DC=company,DC=com
changetype: modify
delete: unicodePwd
-
add: unicodePwd
unicodePwd:: $UNICODEPWD
EOF

My question is whether the script is correct, because even if I apply the new password, when I try to test with kinit it doesn't give OK.
I was reading a thread on the list but it was not clear to me whether the method is correct or just suggestions to try.
I was also trying to identify in the samba-tool source code how it performs the password change (setpassword) but I did not find the code it uses.

Regards
Marcos Negrini
Hello:

I found another script that does it using ldapmodify; I could check it with kinit and it gives OK...

user=123456789
password=password
# AD expects the new password in double quotes, as UTF-16LE, base64-encoded in the LDIF
password='"'$password'"'
u16pass=$(printf '%s' "$password" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
echo "dn: CN=$user,OU=user,DC=company,DC=com" >ldap.ldif
echo "changetype: modify" >>ldap.ldif
echo "replace: unicodePwd" >>ldap.ldif
echo "unicodePwd:: $u16pass" >>ldap.ldif
ldapmodify -v -c -a -f ldap.ldif -H ldaps://server.company.com -D administrator@samba.company.com -W
rm ldap.ldif

For now the tests give me OK, so I understand that this way of changing the password applies well in Samba4.

I am looking at how the authentication of the ldapmodify command works with a certificate; if someone has an example it would be appreciated.

Regards
Marcos Negrini
On 30/11/2022 13:47, Marcos Ariel Negrini via samba wrote:
> Hello:
> I have implemented a Samba4 AD and, for process reasons, I need the user
> password changes to be done from an external system. Currently the
> password changes are made from that system by connecting to the LDAPS
> port, but our idea is that the operations are centralized in a REST API
> and we are trying to make a method that receives the hash from the
> external system and applies it in Samba4 (for audit reasons we do not want
> to receive the plain password by any reversible method that involves
> our administration handling the plain password at some point).
>
> I have been testing generating the hash and inserting it through
> "ldbmodify" with bash:

It sounds like you are taking the plain password and hashing that before converting it to a unicode password, if so, that isn't going to work, you are setting the 'hash' as the password and not the plain password.

> user=123456789
> user_pass="password"
> UNICODEPWD=$(echo -n "\"$user_pass\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
>
> ldbmodify -H /.../sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
> dn: CN=$user,OU=user,DC=company,DC=com
> changetype: modify
> delete: unicodePwd
> -
> add: unicodePwd
> unicodePwd:: $UNICODEPWD
> EOF
>
> My question is whether the script is correct, because even if I apply the new
> password, when I try to test with kinit it doesn't give OK.
> I was reading a thread on the list but it was not clear to me whether the method
> is correct or just suggestions to try.
> I was also trying to identify in the samba-tool source code how it
> performs the password change (setpassword) but I did not find the code
> it uses.
> Regards
> Marcos Negrini

Try my version:

#!/bin/bash
_USER="$1"
_USER_PW="$2"

# CHANGE THESE.
# Set path to sam.ldb
ldbdb="/path/to/sam.ldb"
# ldap suffix
SUFFIX="DC=samdom,DC=example,DC=com"
# ldbsearch binary (adjust if it is not on PATH)
LDBSEARCHBIN="ldbsearch"

# Find username : $_USER must exist in AD !
_ENTRY=$($LDBSEARCHBIN --url=$ldbdb -b "$SUFFIX" -s sub "(&(objectClass=user)(sAMAccountName=$_USER))" dn | grep "dn: ")
if [ -z "$_ENTRY" ]
then
    echo "User $_USER does not exist in AD"
    exit 1
fi

# Create unicode password: quoted plaintext, UTF-16LE, base64 on one line
_UNICODEPW=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)

# Change users password in AD
echo "$_ENTRY
changetype: modify
replace: unicodePwd
unicodePwd:: $_UNICODEPW
-" | ldbmodify --url=$ldbdb --use-kerberos=required
ret="$?"
if [ $ret -ne 0 ]
then
    echo "Error changing user $_USER's Password in AD"
    exit 1
fi

echo "Successfully changed Password for $_USER in AD"
exit 0

You will have to change a couple of lines before running the script, the path to sam.ldb and set the ldap suffix. You will also require a ticket for a Domain Admin and run the script as that Admin. You just run the script as:

login as Domain Admin
kinit
changepass.sh fred H1sP4ssW0rd

Rowland
On Wed, 2022-11-30 at 10:47 -0300, Marcos Ariel Negrini via samba wrote:
> Hello:
> I have implemented a Samba4 AD and, for process reasons, I need the user
> password changes to be done from an external system. Currently the
> password changes are made from that system by connecting to the LDAPS
> port, but our idea is that the operations are centralized in a REST API
> and we are trying to make a method that receives the hash from the
> external system and applies it in Samba4 (for audit reasons we do not want
> to receive the plain password by any reversible method that involves
> our administration handling the plain password at some point).

The script you sent is almost correct, no need for the OID however as it sends Samba the plaintext password.

It is critical you send Samba the plaintext password, it is the trusted core of your authentication system so you can trust it with it, and it means we can construct strong hashes with it.

If you only send Samba the NT hash, then we can't offer strong authentication over Kerberos.

If security is a major concern, then you actually really want to send us the plaintext, as we can in Samba 4.17 be configured not to store it at all, as it is easily reversed (this will disable NTLM).

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Developer, Catalyst IT                   https://catalyst.net.nz/services/samba
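The following Python helper is an added example, not code from any poster in this thread (function names are hypothetical). It performs the same encoding step all three scripts do with `echo -n "\"$pw\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0`, and checks a `unicodePwd::` value before it is applied, flagging the problems discussed above: bytes never converted to UTF-16LE, missing double quotes, wrapped base64, and (as a heuristic) a 32-character hex digest encoded where the plaintext should be, which is what Rowland diagnosed and what Andrew explains Samba cannot build strong Kerberos keys from.

```python
import base64
import binascii

# Added example; not from the thread. Names are hypothetical.
HEX = set("0123456789abcdefABCDEF")


def unicode_pwd_value(password: str) -> str:
    """AD wants the new plaintext wrapped in double quotes, encoded as
    UTF-16LE, then base64 for the LDIF 'unicodePwd::' line."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def password_ldif(dn: str, password: str) -> str:
    """LDIF modify record with a single 'replace', as the later scripts use."""
    return "\n".join([f"dn: {dn}", "changetype: modify", "replace: unicodePwd",
                      f"unicodePwd:: {unicode_pwd_value(password)}", "-", ""])


def check_unicode_pwd(b64: str) -> list:
    """Return the problems found in a base64 unicodePwd value (empty = OK).
    Catches wrapped base64, bytes that were never converted to UTF-16LE,
    missing quotes, and a hex digest encoded instead of the plaintext."""
    problems = []
    compact = "".join(b64.split())
    if compact != b64:
        problems.append("base64 contains whitespace (use base64 -w 0)")
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["value is not valid base64"]
    if len(raw) % 2:
        return problems + ["odd byte count: not UTF-16LE"]
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return problems + ["bytes do not decode as UTF-16LE"]
    # A plaintext that skipped iconv decodes to unrelated code points, so the
    # surrounding quotes are the first thing that goes missing.
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        problems.append("decoded string is not wrapped in double quotes")
    inner = text[1:-1] if len(text) >= 2 else text
    if len(inner) == 32 and set(inner) <= HEX:
        problems.append("decoded value looks like a hex digest, not a plaintext password")
    return problems
```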
Hello Andrew,

> If security is a major concern, then you actually really want to send us the plaintext, as we can in Samba 4.17 be configured not to store it at all, as it is easily reversed (this will disable NTLM).

I checked the release notes at https://www.samba.org/samba/history/samba-4.17.0.html and cannot find that or how to configure that. Can you please clarify?

And does it also disable NTLM v2 (as even Microsoft does not support Kerberos in every place)?

Thanks,
Joachim