William David Edwards
2024-Oct-27 12:58 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
Hi,
I'm trying to set users' LDAP passwords using LDAP.
`samba-tool user setpassword` does so by setting the write-only
`unicodePwd` attribute, but turning it into binary and Base64-encoding
it first:
```python
import base64

# From `samba-tool user setpassword`: `password` (str or bytes) and `user_dn`
# are supplied by the caller. The password is wrapped in double quotes,
# encoded as UTF-16-LE and then Base64-encoded for the LDIF (`::` marks a
# Base64 value).
if not isinstance(password, str):
    pw = password.decode('utf-8')
else:
    pw = password
pw = ('"' + pw + '"').encode('utf-16-le')
setpw = """
dn: %s
changetype: modify
replace: unicodePwd
unicodePwd:: %s
""" % (user_dn, base64.b64encode(pw).decode('utf-8'))
```
When doing the same, Samba returns:
00002035: setup_io: it's not allowed to set the NT hash password
directly' Code: 0x35
This happens both when 1) passing `unicodePwd` during entry creation,
and 2) when modifying it for an existing entry (like `samba-tool` does).
This is the (Wireshark-interpreted) `ModifyRequest`:
```
Lightweight Directory Access Protocol
    LDAPMessage modifyRequest(3) "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
        messageID: 3
        protocolOp: modifyRequest (6)
            modifyRequest
                object: CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
                modification: 1 item
                    modification item
                        operation: replace (2)
                        modification unicodePwd
                            type: unicodePwd
                            vals: 1 item
                                AttributeValue: IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA
```
(The Base64-encoded password was randomly generated.)
The use of the word 'directly' in "Not allowed to [...] directly" could be
interpreted as: changing `unicodePwd` non-locally is disallowed (although
Samba can't detect that), and that is indeed not the case: LDAP Account
Manager (https://ldap-account-manager.org/lamcms/) uses the same approach of
modifying `unicodePwd`, which works on the same DC.
Looking this error up, it seems like it can be caused by simply passing
an incorrectly formatted password:
- https://lists.samba.org/archive/samba/2015-December/196890.html
- https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
... but as I'm using the code from `samba-tool`, I don't consider that
to be likely.
Finally, I tried passing a plaintext string, hoping Samba would do the
transformation to binary + Base64 itself (although neither `samba-tool`
nor LAM do so). As expected, that changes nothing.
What am I doing wrong or misunderstanding here?
William David Edwards
Rowland Penny
2024-Oct-27 13:49 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On Sun, 27 Oct 2024 13:58:56 +0100 William David Edwards via samba <samba at lists.samba.org> wrote:
> [...]
> What am I doing wrong or misunderstanding here?

You are missing that to change an active directory password over ldap, you don't use ldap, you use ldaps.

Rowland
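The two halves of the thread, as an added example that is not code from either poster or from Samba: the samba-tool encoding of `unicodePwd` (quoted, UTF-16-LE, Base64 in LDIF), a decoder to check a value or a captured AttributeValue before suspecting the format, and a guard that refuses to send the modify over a plain `ldap://` URI, which is the transport problem Rowland's reply points at. The DN mirrors the post; the password, URIs and function names are constructed for this example.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """Raw unicodePwd value: the password in double quotes, UTF-16-LE,
    no BOM and no terminator (what samba-tool sends)."""
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicode_pwd(b64_value: str) -> str:
    """Reverse the encoding so an LDIF line or a captured AttributeValue can
    be checked; raises if the value is not a double-quoted UTF-16-LE string."""
    padded = b64_value + "=" * (-len(b64_value) % 4)  # captures may drop '='
    text = base64.b64decode(padded).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd must be a double-quoted UTF-16-LE string")
    return text[1:-1]


def build_modify_ldif(user_dn: str, password: str) -> str:
    """The LDIF record samba-tool builds; '::' marks a Base64 value."""
    b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return (f"dn: {user_dn}\nchangetype: modify\n"
            f"replace: unicodePwd\nunicodePwd:: {b64}\n")


def require_ldaps(uri: str) -> str:
    """Refuse a cleartext transport: AD and Samba only accept a unicodePwd
    write on an encrypted connection, so a modify over plain ldap:// is
    rejected (error 0x35 in the post). A sealed SASL bind would also qualify
    but is not checked here (assumption: we only ever use LDAPS)."""
    if not uri.lower().startswith("ldaps://"):
        raise ValueError(f"refusing to send unicodePwd over {uri!r}; use ldaps://")
    return uri


if __name__ == "__main__":
    # Constructed sample: DN from the post, password made up for this example.
    dn = "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
    ldif = build_modify_ldif(dn, "Summer2024!")
    print(ldif)
    b64 = ldif.splitlines()[-1].split(":: ", 1)[1]
    print("decodes back to:", decode_unicode_pwd(b64))
    print("target:", require_ldaps("ldaps://dc1.ldaptest.nl"))
```

Feed the resulting LDIF to `ldbmodify -H ldaps://...` (or the same modify via any LDAP client bound over LDAPS) rather than `ldap://`.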