On Sat, 2023-10-21 at 11:41 +0200, Kees van Vloten via samba wrote:
> Hi Team,
>
>
> I am currently looking into enterprise wifi with the machine account. I
> did find some clues on the internet but the piece that is missing is the
> password of the machine account.
>
> Is it possible for user root to extract that password in clear text
> from the secrets database where winbind has stored it?
>
> /var/lib/samba/private/secrets.tdb seems to contain the info and
> tdbdump can output it, but some more decoding is needed before it can be
> used in the NetworkManager configuration. What are the commands to get
> that done?

People used to do this with tools that read that DB, which is of course
possible, but we have this script:
./source4/scripting/bin/machineaccountpw
Note that the password is very random these days.
But please do be aware that MSCHAPv2 is still NTLMv1 under the hood.
Better than plaintext if you have the certificate checking done
properly, but if you can do real certificates, do that!
Andrew
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
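
The certificate-checking caveat above, as an added example that is not part of the original thread: a small audit of the `[802-1x]` section of a NetworkManager keyfile that flags MSCHAPv2 profiles with no CA or no server-name constraint. The sample profiles, host name and file paths are constructed; the key names are NetworkManager's 802-1x setting properties.

```python
import configparser

# Constructed sample keyfiles (not taken from the thread).
WEAK = """
[connection]
id=corp-wifi
type=wifi

[802-1x]
eap=peap;
identity=HOST01$
phase2-auth=mschapv2
password=constructed-placeholder
"""
# Same profile with the RADIUS server's CA and expected name pinned.
PINNED = WEAK + ("ca-cert=/etc/ssl/certs/example-radius-ca.pem\n"
                 "domain-suffix-match=radius.example.com\n")

NAME_KEYS = ("domain-suffix-match", "domain-match",
             "altsubject-matches", "subject-match")

def audit_8021x(keyfile_text):
    """Return findings for one keyfile; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return []                      # not an 802.1X profile
    s = cp["802-1x"]
    inner = {s.get("phase2-auth", "").lower(),
             s.get("phase2-autheap", "").lower()}
    if "mschapv2" not in inner:
        return []                      # only MSCHAPv2 inner auth is in scope
    findings = []
    # Without a trust anchor, the client answers the MSCHAPv2 challenge
    # for any access point that presents any certificate.
    has_ca = bool(s.get("ca-cert") or s.get("ca-path")) or \
        s.getboolean("system-ca-certs", fallback=False)
    if not has_ca:
        findings.append("no CA configured: server certificate is not verified")
    # A CA alone still accepts every certificate that CA has issued.
    if not any(s.get(k) for k in NAME_KEYS):
        findings.append("no server name constraint on the RADIUS certificate")
    return findings

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("PINNED", PINNED)):
        print(name, audit_8021x(text) or "ok")
```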