William David Edwards
2024-Oct-28 14:01 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
Rowland Penny via samba schreef op 2024-10-28 13:55:> On Mon, 28 Oct 2024 13:37:27 +0100 > William David Edwards <wedwards at cyberfusion.nl> wrote: > >> Rowland Penny via samba schreef op 2024-10-28 12:50: >> > On Mon, 28 Oct 2024 12:17:02 +0100 >> > William David Edwards via samba <samba at lists.samba.org> wrote: >> > >> >> I think I might've found a solution while debugging. >> >> >> >> To understand what I'm doing wrong with `unicodePwd`, I'm trying to >> >> get the LDAP request that LAM does, and compare it to mine. >> >> >> >> As I temporarily switched to an unencrypted connection to be able >> >> to dump the payload without a MTIM, Samba -rightfully- says: >> >> >> >> "Password modification over LDAP must be over an encrypted >> >> connection" >> >> >> >> To mitigate this, I set >> >> `fAllowPasswordOperationsOverNonSecureConnection` (`dSHeuristic` >> >> 13): >> >> >> >> `root at addc-test:~# samba-tool forest directory_service dsheuristics >> >> 0000000011001` >> >> >> >> Note that I also set fUserPwdSupport to 1, which I don't believe to >> >> be needed (as I'm using `unicodePwd`, not `userPassword`), which >> >> means TRUE according to >> >> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5: >> >> >> >> "If this character is neither "0" nor "2", then the fUserPwdSupport >> >> heuristic is TRUE. If this character is "2", then the >> >> fUserPwdSupport heuristic is FALSE. If this character is "0", then >> >> the fUserPwdSupport heuristic is FALSE for AD DS and TRUE for AD >> >> LDS." >> >> >> >> However, after enabling this heuristic, `userPassword` works. You >> >> previously adviced using it instead of `unicodePwd`. This didn't >> >> work, and the attribute was stored plaintext. I now believe this >> >> was the case simply because `userPassword` wasn't enabled (I didn't >> >> realise it requires a heuristic). >> >> >> >> Which begs the question: why does samba-tool go through the trouble >> >> of transforming the user-specified password into something that's >> >> acceptable to `unicodePwd`? >> > >> > Because the unicodePwd attribute is used to store the encoded AD >> > password. >> >> According to >> https://microsoft.public.windows.server.active-directory.narkive.com/Vo4nv0wF/difference-between-userpassword-and-unicodepwd: >> >> "unicodePwd is the "real password attribute" [...] userPassword is >> "switchable". It can be turned into a regular attribute, or it can be >> turned into a write-alias for unicodePwd. AD by default has it as a >> regular attribute. ADAM by default has it as a unicodePwd alias. This >> is controlled by the 9th char of dsHeuristics. 0 is the default >> (different in AD w2k3 and ADAM). 1 means "userPassword is write-alias >> for unicodePwd", 2 means "userPassword is a regular attribute". [...] >> When userPassword is a write-alias for unicodePwd, it is written as a >> regular value, no unicode, no double-quotes. However, passwords can >> never be read." > > This is Samba and on Samba (unless something has changed and I missed > it), userPassword is not an alias for unicodePwd. > >> >> In other words: if `userPassword` is a write-alias for `unicodePwd`, >> a non-encrypted password can be passed, but it can't be read. So, how >> is it relevant that "the unicodePwd attribute is used to store the >> encoded AD password"? >> > > As far as I am aware, the only place that Samba looks for the password > is the 'unicodePwd' attribute, if anyone knows different, please supply > a link to Samba documentation that explains it. >As mentioned before, I'm able to log in with a password set using `userPassword` when `fUserPwdSupport` is enabled.> RowlandMet vriendelijke groeten, William David Edwards
Rowland Penny
2024-Oct-28 14:32 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On Mon, 28 Oct 2024 15:01:35 +0100 William David Edwards <wedwards at cyberfusion.nl> wrote:> > As mentioned before, I'm able to log in with a password set using > `userPassword` when `fUserPwdSupport` is enabled. >I have only been using Samba 4 for the last 12 years and I have never used the 'userPassword' attribute, I have only used the 'unicodePwd' attribute. I have a bash script to set a users password, but I was lead to believe that Samba was changed to match Microsoft AD, in that ldaps had to be used to set/change a users password, so I stopped using it. In an attempt to understand just what is going wrong with your attempts to set a users password, I dug the bash script out again, tidied it up and tried it, it still works :-( All I can say is, do not believe everything you read. Would you like a copy of my bash script, it might help you in your attempts at a python script. Rowland PS: Please stop 'CC'ing me.
Reasonably Related Threads
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"