Rowland Penny
2024-Oct-27 13:49 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On Sun, 27 Oct 2024 13:58:56 +0100 William David Edwards via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I'm trying to set user's LDAP passwords using LDAP.
>
> `samba-tool user setpassword` does so by setting the write-only
> `unicodePwd` attribute, but turning it into binary and
> Base64-encoding it first:
>
> ```
> if not isinstance(password, str):
>     pw = password.decode('utf-8')
> else:
>     pw = password
> pw = ('"' + pw + '"').encode('utf-16-le')
>
> setpw = """
> dn: %s
> changetype: modify
> replace: unicodePwd
> unicodePwd:: %s
> """ % (user_dn, base64.b64encode(pw).decode('utf-8'))
> ```
>
> When doing the same, Samba returns:
>
> 00002035: setup_io: it's not allowed to set the NT hash password
> directly' Code: 0x35
>
> This happens both when 1) passing `unicodePwd` during entry creation,
> and 2) when modifying it for an existing entry (like `samba-tool`
> does).
>
> This is the (Wireshark-interpreted) `ModifyRequest`:
>
> ```
> Lightweight Directory Access Protocol
>     LDAPMessage modifyRequest(3) "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
>         messageID: 3
>         protocolOp: modifyRequest (6)
>             modifyRequest
>                 object: CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
>                 modification: 1 item
>                     modification item
>                         operation: replace (2)
>                         modification unicodePwd
>                             type: unicodePwd
>                             vals: 1 item
>                                 AttributeValue: IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA
> ```
>
> (The Base64-encoded password was randomly generated.)
>
> The use of the word 'directly' in "Not allowed to [...] directly"
> could be interpreted as: changing `unicodePwd` non-locally is
> disallowed (although Samba can't detect that), and that is indeed not
> the case: LDAP Account Manager
> (https://ldap-account-manager.org/lamcms/) uses the same approach of
> modifying `unicodePwd`, which works on the same DC.
>
> Looking this error up, it seems like it can be caused by simply
> passing an incorrectly formatted password:
>
> - https://lists.samba.org/archive/samba/2015-December/196890.html
> - https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
>
> ... but as I'm using the code from `samba-tool`, I don't consider
> that to be likely.
>
> Finally, I tried passing a plaintext string, hoping Samba would do
> the transformation to binary + Base64 itself (although neither
> `samba-tool` nor LAM do so). As expected, that changes nothing.
>
> What am I doing wrong or misunderstanding here?

You are missing that to change an active directory password over ldap,
you don't use ldap, you use ldaps.

Rowland
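To make the encoding that the quoted `samba-tool` snippet performs concrete, here is an added Python example (not code from the thread, from `samba-tool` or from Samba) that builds the `unicodePwd` value and LDIF the same way, and decodes a captured AttributeValue back into what the DC actually received. It assumes, as the error message in the thread suggests, that Samba treats an unquoted value of exactly 16 bytes (the length of an NT hash) as a raw hash rather than a cleartext password; that rule and the helper names are assumptions, and the captured value is the one from the thread's Wireshark output.

```python
import base64

NT_HASH_LEN = 16  # an NT (MD4) hash is 16 bytes long


def encode_unicode_pwd(password):
    """Build the binary unicodePwd value the way samba-tool does: the
    cleartext wrapped in double quotes, encoded as UTF-16-LE without a BOM."""
    if isinstance(password, bytes):
        password = password.decode("utf-8")
    return ('"' + password + '"').encode("utf-16-le")


def unicode_pwd_b64(password):
    """Base64 form of the value, as it appears after 'unicodePwd::' in LDIF."""
    return base64.b64encode(encode_unicode_pwd(password)).decode("ascii")


def build_modify_ldif(user_dn, password):
    """LDIF for a modify/replace of unicodePwd ('::' marks a base64 value)."""
    return (f"dn: {user_dn}\nchangetype: modify\n"
            f"replace: unicodePwd\nunicodePwd:: {unicode_pwd_b64(password)}\n")


def inspect_unicode_pwd(b64_value):
    """Decode a unicodePwd AttributeValue as captured on the wire (Wireshark
    prints base64 without padding, so padding is restored first) and classify
    it.  Assumption: an unquoted value of exactly NT_HASH_LEN bytes is what
    Samba would take for a raw NT hash, which it refuses over LDAP."""
    raw = base64.b64decode(b64_value + "=" * (-len(b64_value) % 4))
    quoted = (len(raw) >= 4 and len(raw) % 2 == 0
              and raw[:2] == b'"\x00' and raw[-2:] == b'"\x00')
    info = {"bytes": len(raw), "quoted": quoted, "raw_hash_shape": False,
            "cleartext": None, "control_chars": 0, "embedded_quotes": 0}
    if quoted:
        text = raw[2:-2].decode("utf-16-le")
        info["cleartext"] = text
        info["control_chars"] = sum(ord(c) < 0x20 or ord(c) == 0x7F for c in text)
        info["embedded_quotes"] = text.count('"')
    elif len(raw) == NT_HASH_LEN:
        info["raw_hash_shape"] = True
    return info


# The AttributeValue from the thread's Wireshark capture (quoted above).
CAPTURED_VALUE = ("IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBq"
                  "AFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA")

if __name__ == "__main__":
    print(build_modify_ldif("CN=example,CN=Users,DC=ldaptest,DC=nl", "Secret1!"))
    print(inspect_unicode_pwd(CAPTURED_VALUE))
```

Run against the captured value, the decoder reports a 68-byte, correctly quoted cleartext, so the value is not in the raw-hash shape; it also counts the control characters and the embedded double quote that the randomly generated password happens to contain.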
William Edwards
2024-Oct-27 14:08 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
> On 27 Oct 2024 at 14:50, Rowland Penny via samba <samba at lists.samba.org> wrote the following:
>
> On Sun, 27 Oct 2024 13:58:56 +0100
> William David Edwards via samba <samba at lists.samba.org> wrote:
>
>> [...]
>>
>> What am I doing wrong or misunderstanding here?
>
> You are missing that to change an active directory password over ldap,
> you don't use ldap, you use ldaps.

That's not the issue, just tested LDAPS. I'm using LDAP for debugging purposes (no need for a MITM to look at the payload).

> Rowland