samba - Oct 2023 - Retrieve winbind machine password

Op 22-10-2023 om 03:43 schreef Andrew Bartlett:
> On Sat, 2023-10-21 at 11:41 +0200, Kees van Vloten via samba wrote:
>> Hi Team,
>>
>>
>> I am currently looking into enterprise wifi with the machine account. I
>> did find some clues on the internet but the peice that is missing is
the
>> password of the machine account.
>>
>> Is it possible foor user root to extract that password in clear text
>> from the secrets database where winbind has stored it?
>>
>> /var/lig/samba/private/secrets.tdb? seems to contain the info and
>> tdbdump can output it, but some more decoding is needed before it can
be
>> used in the NetworkManager configuration. What are the commands to get
>> that done?
> People used to do this with tools that read that DB, which is of course
> possible, but we have this script:
>
>
>  ?./source4/scripting/bin/machineaccountpw
>
> Note that the password is very random these days.
>
> But please do be aware that MSCHAPv2 is still NTLMv1 under the hood.
> Better than plaintext if you have the certificate checking done
> properly, but if you can do real certificates, do that!
Thanks Andrew,

I run my own CA and verify all certificates, that part is taken care of :-)

This link to MIT's Eduroam? knowledgebase confirms your statement: 
http://kb.mit.edu/confluence/pages/viewpage.action?pageId=152599592&focusedCommentId=154190347#comment-154190347

One more question: Would it be possible to trigger a script when winbind 
changes the machine password?

That would help to update the wifi configuration on password change and 
prevents lockout on the AD-side to to wrong password.

- Kees.
> Andrew

On 10/22/23 13:36, Kees van Vloten via samba wrote:
>
> Op 22-10-2023 om 03:43 schreef Andrew Bartlett:
>> On Sat, 2023-10-21 at 11:41 +0200, Kees van Vloten via samba wrote:
>>> Hi Team,
>>>
>>>
>>> I am currently looking into enterprise wifi with the machine
account. I
>>> did find some clues on the internet but the peice that is missing
is
>>> the
>>> password of the machine account.
>>>
>>> Is it possible foor user root to extract that password in clear
text
>>> from the secrets database where winbind has stored it?
>>>
>>> /var/lig/samba/private/secrets.tdb? seems to contain the info and
>>> tdbdump can output it, but some more decoding is needed before it 
>>> can be
>>> used in the NetworkManager configuration. What are the commands to
get
>>> that done?
>> People used to do this with tools that read that DB, which is of course
>> possible, but we have this script:
>>
>>
>> ??./source4/scripting/bin/machineaccountpw
>>
>> Note that the password is very random these days.
>>
>> But please do be aware that MSCHAPv2 is still NTLMv1 under the hood.
>> Better than plaintext if you have the certificate checking done
>> properly, but if you can do real certificates, do that!
>
> Thanks Andrew,
>
> I run my own CA and verify all certificates, that part is taken care 
> of :-)
>
> This link to MIT's Eduroam? knowledgebase confirms your statement: 
>
http://kb.mit.edu/confluence/pages/viewpage.action?pageId=152599592&focusedCommentId=154190347#comment-154190347
>
>
> One more question: Would it be possible to trigger a script when 
> winbind changes the machine password?
>
Hi Kees,

I am working on a related topic - keytab update when machine account 
password is changed: 
https://gitlab.com/samba-team/samba/-/merge_requests/1999

I will try to add a 'script triggering' once the keytab update is done.


Pavel

>
> That would help to update the wifi configuration on password change 
> and prevents lockout on the AD-side to to wrong password.
>
> - Kees.
>
>> Andrew
>