Op 22-10-2023 om 03:43 schreef Andrew Bartlett:> On Sat, 2023-10-21 at 11:41 +0200, Kees van Vloten via samba wrote:
>> Hi Team,
>>
>>
>> I am currently looking into enterprise wifi with the machine account. I
>> did find some clues on the internet but the peice that is missing is
the
>> password of the machine account.
>>
>> Is it possible foor user root to extract that password in clear text
>> from the secrets database where winbind has stored it?
>>
>> /var/lig/samba/private/secrets.tdb? seems to contain the info and
>> tdbdump can output it, but some more decoding is needed before it can
be
>> used in the NetworkManager configuration. What are the commands to get
>> that done?
> People used to do this with tools that read that DB, which is of course
> possible, but we have this script:
>
>
> ?./source4/scripting/bin/machineaccountpw
>
> Note that the password is very random these days.
>
> But please do be aware that MSCHAPv2 is still NTLMv1 under the hood.
> Better than plaintext if you have the certificate checking done
> properly, but if you can do real certificates, do that!
Thanks Andrew,
I run my own CA and verify all certificates, that part is taken care of :-)
This link to MIT's Eduroam? knowledgebase confirms your statement:
http://kb.mit.edu/confluence/pages/viewpage.action?pageId=152599592&focusedCommentId=154190347#comment-154190347
One more question: Would it be possible to trigger a script when winbind
changes the machine password?
That would help to update the wifi configuration on password change and
prevents lockout on the AD-side to to wrong password.
- Kees.
> Andrew