samba - Oct 2024 - How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"

On Sun, 27 Oct 2024 15:08:14 +0100
William Edwards <wedwards at cyberfusion.nl> wrote:
> 
> > Op 27 okt 2024 om 14:50 heeft Rowland Penny via samba
> > <samba at lists.samba.org> het volgende geschreven:
> > 
> > ?On Sun, 27 Oct 2024 13:58:56 +0100
> > William David Edwards via samba <samba at lists.samba.org>
wrote:
> > 
> >> Hi,
> >> 
> >> I'm tying to set user's LDAP passwords using LDAP.
> >> 
> >> `samba-tool user setpassword` does so by setting the write-only
> >> `unicodePwd` attribute, but turning it into binary and
> >> Base64-encoding it first:
> >> 
> >> ```
> >> if not isinstance(password, str):
> >>     pw = password.decode('utf-8')
> >> else:
> >>     pw = password
> >> pw = ('"' + pw +
'"').encode('utf-16-le')
> >> 
> >> setpw = """
> >> dn: %s
> >> changetype: modify
> >> replace: unicodePwd
> >> unicodePwd:: %s
> >> """ % (user_dn,
base64.b64encode(pw).decode('utf-8'))
> >> ```
> >> 
> >> When doing the same, Samba returns:
> >> 
> >>     00002035: setup_io: it's not allowed to set the NT hash
> >> password directly' Code: 0x35
> >> 
> >> This happens both when 1) passing `unicodePwd` during entry
> >> creation, and 2) when modifying it for an existing entry (like
> >> `samba-tool` does).
> >> 
> >> This is the (Wireshark-interpreted) `ModifyRequest`:
> >> 
> >> ```
> >> Lightweight Directory Access Protocol
> >>     LDAPMessage modifyRequest(3)
> >>
"CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
> >>         messageID: 3
> >>         protocolOp: modifyRequest (6)
> >>             modifyRequest
> >>                 object:
> >> CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
> >>                 modification: 1 item
> >>                     modification item
> >>                         operation: replace (2)
> >>                         modification unicodePwd
> >>                             type: unicodePwd
> >>                             vals: 1 item
> >>                                 AttributeValue:
> >>
IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA>
>> ```
> >> 
> >> (The Base64-encoded password was randomly generated.)
> >> 
> >> The use of the word 'directly' in "Not allowed to
[...] directly"
> >> could be interpreted as: changing `unicodePwd` non-locally is
> >> disallowed (although Samba can't detect that), and that is
indeed
> >> not the case: LDAP Account Manager
> >> (https://ldap-account-manager.org/lamcms/) uses the same approach
> >> of modifying `unicodePwd`, which works on the same DC.
> >> 
> >> Looking this error up, it seems like it can be caused by simply
> >> passing an incorrectly formatted password:
> >> 
> >> - https://lists.samba.org/archive/samba/2015-December/196890.html
> >> -
> >>
https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
> >> 
> >> ... but as I'm using the code from `samba-tool`, I don't
consider
> >> that to be likely.
> >> 
> >> Finally, I tried passing a plaintext string, hoping Samba would do
> >> the transformation to binary + Base64 itself (although neither
> >> `samba-tool` nor LAM do so). As expected, that changes nothing.
> >> 
> >> What am I doing wrong or misunderstanding here?
> > 
> > You are missing that to change an active directory password over
> > ldap, you don't use ldap, you use ldaps.
> 
> That?s not the issue, just tested LDAPS. I?m using LDAP for debugging
> purposes (no need for a MITM to look at the payload). 
> 
Try reading this:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password

Rowland

Op 27-10-2024 om 15:31 schreef Rowland Penny via samba:
> On Sun, 27 Oct 2024 15:08:14 +0100
> William Edwards <wedwards at cyberfusion.nl> wrote:
>
>>> Op 27 okt 2024 om 14:50 heeft Rowland Penny via samba
>>> <samba at lists.samba.org> het volgende geschreven:
>>>
>>> ?On Sun, 27 Oct 2024 13:58:56 +0100
>>> William David Edwards via samba <samba at lists.samba.org>
wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm tying to set user's LDAP passwords using LDAP.
>>>>
>>>> `samba-tool user setpassword` does so by setting the write-only
>>>> `unicodePwd` attribute, but turning it into binary and
>>>> Base64-encoding it first:
>>>>
>>>> ```
>>>> if not isinstance(password, str):
>>>>      pw = password.decode('utf-8')
>>>> else:
>>>>      pw = password
>>>> pw = ('"' + pw +
'"').encode('utf-16-le')
>>>>
>>>> setpw = """
>>>> dn: %s
>>>> changetype: modify
>>>> replace: unicodePwd
>>>> unicodePwd:: %s
>>>> """ % (user_dn,
base64.b64encode(pw).decode('utf-8'))
>>>> ```
>>>>
>>>> When doing the same, Samba returns:
>>>>
>>>>      00002035: setup_io: it's not allowed to set the NT
hash
>>>> password directly' Code: 0x35
>>>>
>>>> This happens both when 1) passing `unicodePwd` during entry
>>>> creation, and 2) when modifying it for an existing entry (like
>>>> `samba-tool` does).
>>>>
>>>> This is the (Wireshark-interpreted) `ModifyRequest`:
>>>>
>>>> ```
>>>> Lightweight Directory Access Protocol
>>>>      LDAPMessage modifyRequest(3)
>>>>
"CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
>>>>          messageID: 3
>>>>          protocolOp: modifyRequest (6)
>>>>              modifyRequest
>>>>                  object:
>>>> CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
>>>>                  modification: 1 item
>>>>                      modification item
>>>>                          operation: replace (2)
>>>>                          modification unicodePwd
>>>>                              type: unicodePwd
>>>>                              vals: 1 item
>>>>                                  AttributeValue:
>>>>
IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA>>>>
```
>>>>
>>>> (The Base64-encoded password was randomly generated.)
>>>>
>>>> The use of the word 'directly' in "Not allowed to
[...] directly"
>>>> could be interpreted as: changing `unicodePwd` non-locally is
>>>> disallowed (although Samba can't detect that), and that is
indeed
>>>> not the case: LDAP Account Manager
>>>> (https://ldap-account-manager.org/lamcms/) uses the same
approach
>>>> of modifying `unicodePwd`, which works on the same DC.
>>>>
>>>> Looking this error up, it seems like it can be caused by simply
>>>> passing an incorrectly formatted password:
>>>>
>>>> -
https://lists.samba.org/archive/samba/2015-December/196890.html
>>>> -
>>>>
https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
>>>>
>>>> ... but as I'm using the code from `samba-tool`, I
don't consider
>>>> that to be likely.
>>>>
>>>> Finally, I tried passing a plaintext string, hoping Samba would
do
>>>> the transformation to binary + Base64 itself (although neither
>>>> `samba-tool` nor LAM do so). As expected, that changes nothing.
>>>>
>>>> What am I doing wrong or misunderstanding here?
>>> You are missing that to change an active directory password over
>>> ldap, you don't use ldap, you use ldaps.
>> That?s not the issue, just tested LDAPS. I?m using LDAP for debugging
>> purposes (no need for a MITM to look at the payload).
>>
Did you enable password change via ldap? :

samba-tool forest directory_service dsheuristics '000000001'

- Kees.

> Try reading this:
>
>
https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password
>
> Rowland
>

Rowland Penny via samba schreef op 2024-10-27 15:31:
> On Sun, 27 Oct 2024 15:08:14 +0100
> William Edwards <wedwards at cyberfusion.nl> wrote:
> 
>> 
>> > Op 27 okt 2024 om 14:50 heeft Rowland Penny via samba
>> > <samba at lists.samba.org> het volgende geschreven:
>> >
>> > ?On Sun, 27 Oct 2024 13:58:56 +0100
>> > William David Edwards via samba <samba at lists.samba.org>
wrote:
>> >
>> >> Hi,
>> >>
>> >> I'm tying to set user's LDAP passwords using LDAP.
>> >>
>> >> `samba-tool user setpassword` does so by setting the
write-only
>> >> `unicodePwd` attribute, but turning it into binary and
>> >> Base64-encoding it first:
>> >>
>> >> ```
>> >> if not isinstance(password, str):
>> >>     pw = password.decode('utf-8')
>> >> else:
>> >>     pw = password
>> >> pw = ('"' + pw +
'"').encode('utf-16-le')
>> >>
>> >> setpw = """
>> >> dn: %s
>> >> changetype: modify
>> >> replace: unicodePwd
>> >> unicodePwd:: %s
>> >> """ % (user_dn,
base64.b64encode(pw).decode('utf-8'))
>> >> ```
>> >>
>> >> When doing the same, Samba returns:
>> >>
>> >>     00002035: setup_io: it's not allowed to set the NT
hash
>> >> password directly' Code: 0x35
>> >>
>> >> This happens both when 1) passing `unicodePwd` during entry
>> >> creation, and 2) when modifying it for an existing entry (like
>> >> `samba-tool` does).
>> >>
>> >> This is the (Wireshark-interpreted) `ModifyRequest`:
>> >>
>> >> ```
>> >> Lightweight Directory Access Protocol
>> >>     LDAPMessage modifyRequest(3)
>> >>
"CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
>> >>         messageID: 3
>> >>         protocolOp: modifyRequest (6)
>> >>             modifyRequest
>> >>                 object:
>> >> CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
>> >>                 modification: 1 item
>> >>                     modification item
>> >>                         operation: replace (2)
>> >>                         modification unicodePwd
>> >>                             type: unicodePwd
>> >>                             vals: 1 item
>> >>                                 AttributeValue:
>> >>
IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA>>
>> ```
>> >>
>> >> (The Base64-encoded password was randomly generated.)
>> >>
>> >> The use of the word 'directly' in "Not allowed to
[...] directly"
>> >> could be interpreted as: changing `unicodePwd` non-locally is
>> >> disallowed (although Samba can't detect that), and that is
indeed
>> >> not the case: LDAP Account Manager
>> >> (https://ldap-account-manager.org/lamcms/) uses the same
approach
>> >> of modifying `unicodePwd`, which works on the same DC.
>> >>
>> >> Looking this error up, it seems like it can be caused by
simply
>> >> passing an incorrectly formatted password:
>> >>
>> >> -
https://lists.samba.org/archive/samba/2015-December/196890.html
>> >> -
>> >>
https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
>> >>
>> >> ... but as I'm using the code from `samba-tool`, I
don't consider
>> >> that to be likely.
>> >>
>> >> Finally, I tried passing a plaintext string, hoping Samba
would do
>> >> the transformation to binary + Base64 itself (although neither
>> >> `samba-tool` nor LAM do so). As expected, that changes
nothing.
>> >>
>> >> What am I doing wrong or misunderstanding here?
>> >
>> > You are missing that to change an active directory password over
>> > ldap, you don't use ldap, you use ldaps.
>> 
>> That?s not the issue, just tested LDAPS. I?m using LDAP for debugging
>> purposes (no need for a MITM to look at the payload).
>> 
> 
> Try reading this:
> 
>
https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password
> 
That page says:

"There are two possible ways to modify the unicodePwd attribute.

[...]

The second way to modify this attribute is analogous to an administrator 
resetting a password for a user. To do this, the client must bind as a 
user with sufficient permissions to modify another user's password. This 
modify request should contain a single replace operation with the new 
desired password surrounded by quotes. If the client has sufficient 
permissions, this password becomes the new password, regardless of what 
the old password was."

... which is what both samba-tool and I do.
> Rowland
Met vriendelijke groeten,

William David Edwards