Edward Graham
2023-Jan-05 10:13 UTC
[Samba] Directly setting unicodePwd - better type of hash?
Hi, we sync our password from other system by directly setting unicodePwd in samba database file. We would like to drop the insecure hash stored in other system and replace it with something newer and more robust. Documentation on page https://samba.tranquil.it/doc/en/samba_fundamentals/about_password_hash.html#propagating-a-password-change-from-samba-ad-to-an-openldap says "It is now possible to have new types of hashes generated when a user changes their password, such as crypt-ssha256 or crypt-ssha512", but I haven't found much info for this. Is it possible set different kind of hash in samba's database? What would that look like? Something like '{SSHA512}XXXXXXX/XXX' (simillar to ldap)? Thanks
Zombie Ryushu
2023-Jan-05 10:20 UTC
[Samba] Does anyone know how to completely remove the Computer SID of a Demoted DC?
Does anyone know how to completely remove the Computer SID of a Demoted DC? As in, another DC has taken it's place, the system is down and offline, but if it rejoins, it will not get the SID entry it had before?
Rowland Penny
2023-Jan-05 11:15 UTC
[Samba] Directly setting unicodePwd - better type of hash?
On 05/01/2023 10:13, Edward Graham via samba wrote:> Hi, > > we sync our password from other system by directly setting unicodePwd in samba database file. We would like to drop the insecure hash stored in other system and replace it with something newer and more robust. > > Documentation on page https://samba.tranquil.it/doc/en/samba_fundamentals/about_password_hash.html#propagating-a-password-change-from-samba-ad-to-an-openldap says "It is now possible to have new types of hashes generated when a user changes their password, such as crypt-ssha256 or crypt-ssha512", but I haven't found much info for this. > > Is it possible set different kind of hash in samba's database? What would that look like? Something like '{SSHA512}XXXXXXX/XXX' (simillar to ldap)? > > Thanks >Sorry, but you are supposed to sync from AD to other systems, I do not think it will work the other way around. Tranqui-it provides a script to sync passwords, have a search on their site. Rowland
Andrew Bartlett
2023-Jan-25 19:24 UTC
[Samba] Directly setting unicodePwd - better type of hash?
On Thu, 2023-01-05 at 10:13 +0000, Edward Graham via samba wrote:> Hi, > > we sync our password from other system by directly setting unicodePwd > in samba database file. We would like to drop the insecure hash > stored in other system and replace it with something newer and more > robust. > > Documentation on page > https://samba.tranquil.it/doc/en/samba_fundamentals/about_password_hash.html#propagating-a-password-change-from-samba-ad-to-an-openldap > says "It is now possible to have new types of hashes generated when > a user changes their password, such as crypt-ssha256 or crypt- > ssha512", but I haven't found much info for this. > > Is it possible set different kind of hash in samba's database? What > would that look like? Something like '{SSHA512}XXXXXXX/XXX' (simillar > to ldap)? > > ThanksCurrently we can't directly set only the crypt() based passwords. The authentication maths would only work for LDAP Simple binds if we did. I do think that would be a useful feature, Samba is not only to support Windows Kerberos clients, some may wish to use it simply as a easy-to- set-up LDAP target for example, given all our useful tools around password policy and quality etc. It certainly would be a really useful migration tool, from (say) OpenLDAP (and on first LDAP bind we could fill in the other hashes). What we have finally got as a feature is the ability to not store the NT hash, which is very weak, for user accounts. Naturally this breaks NTLM authentication, but for some use cases this is quite fine. Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba Samba Development and Support, Catalyst.Net Limited Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions
Reasonably Related Threads
- Does anyone know how to completely remove the Computer SID of a Demoted DC?
- Does anyone know how to completely remove the Computer SID of a Demoted DC?
- Does anyone know how to completely remove the Computer SID of a Demoted DC?
- Does anyone know how to completely remove the Computer SID of a Demoted DC?
- Demoted dc not completely demoted, maybe?