Kees van Vloten
2024-Oct-27 14:37 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On 27-10-2024 at 15:31, Rowland Penny via samba wrote:
> On Sun, 27 Oct 2024 15:08:14 +0100
> William Edwards <wedwards at cyberfusion.nl> wrote:
>
>>> On 27 Oct 2024 at 14:50, Rowland Penny via samba
>>> <samba at lists.samba.org> wrote the following:
>>>
>>> On Sun, 27 Oct 2024 13:58:56 +0100
>>> William David Edwards via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm trying to set users' LDAP passwords using LDAP.
>>>>
>>>> `samba-tool user setpassword` does so by setting the write-only
>>>> `unicodePwd` attribute, but turning it into binary and
>>>> Base64-encoding it first:
>>>>
>>>> ```
>>>> if not isinstance(password, str):
>>>>     pw = password.decode('utf-8')
>>>> else:
>>>>     pw = password
>>>> pw = ('"' + pw + '"').encode('utf-16-le')
>>>>
>>>> setpw = """
>>>> dn: %s
>>>> changetype: modify
>>>> replace: unicodePwd
>>>> unicodePwd:: %s
>>>> """ % (user_dn, base64.b64encode(pw).decode('utf-8'))
>>>> ```
>>>>
>>>> When doing the same, Samba returns:
>>>>
>>>> 00002035: setup_io: it's not allowed to set the NT hash
>>>> password directly' Code: 0x35
>>>>
>>>> This happens both when 1) passing `unicodePwd` during entry
>>>> creation, and 2) when modifying it for an existing entry (like
>>>> `samba-tool` does).
>>>>
>>>> This is the (Wireshark-interpreted) `ModifyRequest`:
>>>>
>>>> ```
>>>> Lightweight Directory Access Protocol
>>>>     LDAPMessage modifyRequest(3) "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
>>>>         messageID: 3
>>>>         protocolOp: modifyRequest (6)
>>>>             modifyRequest
>>>>                 object: CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
>>>>                 modification: 1 item
>>>>                     modification item
>>>>                         operation: replace (2)
>>>>                         modification unicodePwd
>>>>                             type: unicodePwd
>>>>                             vals: 1 item
>>>>                                 AttributeValue: IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA
>>>> ```
>>>>
>>>> (The Base64-encoded password was randomly generated.)
>>>>
>>>> The use of the word 'directly' in "Not allowed to [...] directly"
>>>> could be interpreted as: changing `unicodePwd` non-locally is
>>>> disallowed (although Samba can't detect that), and that is indeed
>>>> not the case: LDAP Account Manager
>>>> (https://ldap-account-manager.org/lamcms/) uses the same approach
>>>> of modifying `unicodePwd`, which works on the same DC.
>>>>
>>>> Looking this error up, it seems like it can be caused by simply
>>>> passing an incorrectly formatted password:
>>>>
>>>> - https://lists.samba.org/archive/samba/2015-December/196890.html
>>>> - https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
>>>>
>>>> ... but as I'm using the code from `samba-tool`, I don't consider
>>>> that to be likely.
>>>>
>>>> Finally, I tried passing a plaintext string, hoping Samba would do
>>>> the transformation to binary + Base64 itself (although neither
>>>> `samba-tool` nor LAM do so). As expected, that changes nothing.
>>>>
>>>> What am I doing wrong or misunderstanding here?
>>> You are missing that to change an active directory password over
>>> ldap, you don't use ldap, you use ldaps.
>> That's not the issue, just tested LDAPS. I'm using LDAP for debugging
>> purposes (no need for a MITM to look at the payload).
>>
Did you enable password change via ldap? :

samba-tool forest directory_service dsheuristics '000000001'

- Kees.

> Try reading this:
>
> https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password
>
> Rowland
>
William David Edwards
2024-Oct-27 18:58 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
Kees van Vloten via samba wrote on 2024-10-27 15:37:
> On 27-10-2024 at 15:31, Rowland Penny via samba wrote:
>> On Sun, 27 Oct 2024 15:08:14 +0100
>> William Edwards <wedwards at cyberfusion.nl> wrote:
>>
>>>> On 27 Oct 2024 at 14:50, Rowland Penny via samba
>>>> <samba at lists.samba.org> wrote the following:
>>>>
>>>> On Sun, 27 Oct 2024 13:58:56 +0100
>>>> William David Edwards via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to set users' LDAP passwords using LDAP.
>>>>>
>>>>> `samba-tool user setpassword` does so by setting the write-only
>>>>> `unicodePwd` attribute, but turning it into binary and
>>>>> Base64-encoding it first:
>>>>>
>>>>> ```
>>>>> if not isinstance(password, str):
>>>>>     pw = password.decode('utf-8')
>>>>> else:
>>>>>     pw = password
>>>>> pw = ('"' + pw + '"').encode('utf-16-le')
>>>>>
>>>>> setpw = """
>>>>> dn: %s
>>>>> changetype: modify
>>>>> replace: unicodePwd
>>>>> unicodePwd:: %s
>>>>> """ % (user_dn, base64.b64encode(pw).decode('utf-8'))
>>>>> ```
>>>>>
>>>>> When doing the same, Samba returns:
>>>>>
>>>>> 00002035: setup_io: it's not allowed to set the NT hash
>>>>> password directly' Code: 0x35
>>>>>
>>>>> This happens both when 1) passing `unicodePwd` during entry
>>>>> creation, and 2) when modifying it for an existing entry (like
>>>>> `samba-tool` does).
>>>>>
>>>>> This is the (Wireshark-interpreted) `ModifyRequest`:
>>>>>
>>>>> ```
>>>>> Lightweight Directory Access Protocol
>>>>>     LDAPMessage modifyRequest(3) "CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl"
>>>>>         messageID: 3
>>>>>         protocolOp: modifyRequest (6)
>>>>>             modifyRequest
>>>>>                 object: CN=williamedwards1730031523476,CN=Users,DC=ldaptest,DC=nl
>>>>>                 modification: 1 item
>>>>>                     modification item
>>>>>                         operation: replace (2)
>>>>>                         modification unicodePwd
>>>>>                             type: unicodePwd
>>>>>                             vals: 1 item
>>>>>                                 AttributeValue: IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA
>>>>> ```
>>>>>
>>>>> (The Base64-encoded password was randomly generated.)
>>>>>
>>>>> The use of the word 'directly' in "Not allowed to [...] directly"
>>>>> could be interpreted as: changing `unicodePwd` non-locally is
>>>>> disallowed (although Samba can't detect that), and that is indeed
>>>>> not the case: LDAP Account Manager
>>>>> (https://ldap-account-manager.org/lamcms/) uses the same approach
>>>>> of modifying `unicodePwd`, which works on the same DC.
>>>>>
>>>>> Looking this error up, it seems like it can be caused by simply
>>>>> passing an incorrectly formatted password:
>>>>>
>>>>> - https://lists.samba.org/archive/samba/2015-December/196890.html
>>>>> - https://lsc-users.lsc-project.narkive.com/3Ltw5zOZ/pushing-a-password-to-samba-4#post1
>>>>>
>>>>> ... but as I'm using the code from `samba-tool`, I don't consider
>>>>> that to be likely.
>>>>>
>>>>> Finally, I tried passing a plaintext string, hoping Samba would do
>>>>> the transformation to binary + Base64 itself (although neither
>>>>> `samba-tool` nor LAM do so). As expected, that changes nothing.
>>>>>
>>>>> What am I doing wrong or misunderstanding here?
>>>> You are missing that to change an active directory password over
>>>> ldap, you don't use ldap, you use ldaps.
>>> That's not the issue, just tested LDAPS. I'm using LDAP for debugging
>>> purposes (no need for a MITM to look at the payload).
>>>
> Did you enable password change via ldap? :
>
> samba-tool forest directory_service dsheuristics '000000001'

According to https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, a dSHeuristic is required only for changing passwords over unencrypted LDAP (`fAllowPasswordOperationsOverNonSecureConnection`). As mentioned, modifying `unicodePwd` does not work over LDAPS either in my specific case, so a heuristic should not be needed. Also, changing passwords the same way *does* work from samba-tool and LAM.

> - Kees.
>
>
>> Try reading this:
>>
>> https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password
>>
>> Rowland
>>

Kind regards,

William David Edwards
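The thread turns on the exact shape of the `unicodePwd` value: a cleartext password wrapped in double quotes, encoded as UTF-16-LE, and Base64-encoded only because LDIF needs a printable form of a binary value. The example below is added here and is not code from the thread, from samba-tool or from Samba. It reproduces that encoding, renders the same LDIF modify record, and adds the check a practitioner wants when a DC rejects such a value: decode what was actually sent and report whether it is a quoted UTF-16-LE string, how long the enclosed password is, and whether it contains control characters or extra quotes, both of which are easy to introduce by accident (a bytes/str mix-up, double quoting) and invisible inside a Base64 blob. The DN and password are constructed; the captured value is the AttributeValue quoted from the Wireshark output above, copied as the archive shows it (missing padding is restored before decoding). The function names are this example's own.

```python
import base64

# Constructed sample input (not from the thread).
SAMPLE_DN = "CN=example.user,CN=Users,DC=example,DC=test"
SAMPLE_PASSWORD = "Correct-Horse-42"

# The Base64 AttributeValue from the Wireshark capture in the thread, copied
# as the archive shows it (its trailing '=' padding may have been lost).
CAPTURED_VALUE = (
    "IgARADwACAAiAHwATwBZAFAAdAB0AGQARQBKAE8AawBVAHoAfwBqAFwANAAtAGYAXAA4ADoADgBcAEsAKwBGAFoAIgA"
)


def encode_unicode_pwd(password) -> bytes:
    """Return the raw unicodePwd value for a cleartext password, built the
    way samba-tool does it: surround with double quotes, then UTF-16-LE."""
    if isinstance(password, bytes):
        password = password.decode("utf-8")
    return ('"' + password + '"').encode("utf-16-le")


def build_modify_ldif(user_dn: str, password) -> str:
    """Render the LDIF modify record. 'unicodePwd::' (double colon) tells the
    LDIF parser that the value is Base64, which a binary value requires."""
    b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {b64}\n"
    )


def inspect_unicode_pwd(b64_value: str) -> dict:
    """Decode a Base64 unicodePwd value as seen on the wire and report whether
    it has the expected shape: an even byte count that decodes as UTF-16-LE,
    with a double quote as the first and the last character. Control
    characters and extra quotes inside the value are counted separately so
    that a malformed password is visible without reading hex."""
    padded = b64_value + "=" * (-len(b64_value) % 4)
    raw = base64.b64decode(padded)
    report = {
        "byte_length": len(raw),
        "utf16_ok": False,
        "quoted": False,
        "password_length": None,
        "control_chars": None,
        "embedded_quotes": None,
    }
    if len(raw) % 2:  # UTF-16 needs an even number of bytes
        return report
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return report
    report["utf16_ok"] = True
    report["quoted"] = len(text) >= 2 and text[0] == '"' and text[-1] == '"'
    if report["quoted"]:
        inner = text[1:-1]
        report["password_length"] = len(inner)
        report["control_chars"] = sum(1 for c in inner if not c.isprintable())
        report["embedded_quotes"] = inner.count('"')
    return report


if __name__ == "__main__":
    ldif = build_modify_ldif(SAMPLE_DN, SAMPLE_PASSWORD)
    print(ldif)
    own_value = ldif.split("unicodePwd:: ")[1].strip()
    print("own value:     ", inspect_unicode_pwd(own_value))
    print("captured value:", inspect_unicode_pwd(CAPTURED_VALUE))
```

Run against the captured value, the inspector confirms the framing is right (the value starts and ends with a quote and decodes as UTF-16-LE) and reports what the random generator put between the quotes, which is the information to compare against what the DC's password module accepts; it does not by itself say why the DC refused the write.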