Rowland Penny
2024-Oct-29 09:12 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On Mon, 28 Oct 2024 17:48:53 +0100 William David Edwards via samba <samba at lists.samba.org> wrote:> Rowland Penny via samba schreef op 2024-10-28 15:32: > > On Mon, 28 Oct 2024 15:01:35 +0100 > > William David Edwards <wedwards at cyberfusion.nl> wrote: > >> > >> As mentioned before, I'm able to log in with a password set using > >> `userPassword` when `fUserPwdSupport` is enabled. > >> > > > > I have only been using Samba 4 for the last 12 years and I have > > never used the 'userPassword' attribute, I have only used the > > 'unicodePwd' attribute. I have a bash script to set a users > > password, but I was lead to believe that Samba was changed to match > > Microsoft AD, in that ldaps had to be used to set/change a users > > password, so I stopped using it. > > > > In an attempt to understand just what is going wrong with your > > attempts to set a users password, I dug the bash script out again, > > tidied it up and tried it, it still works :-( > > > > All I can say is, do not believe everything you read. > > Again, I've tested and confirmed the behaviour of `userPassword` with > the heuristic set.I am not saying that it doesn't work for you, but in 12 years, you are the first person that I have heard of that is trying to use it, everyone else uses the 'unicodePwd' attribute.> > > > > Would you like a copy of my bash script, it might help you in your > > attempts at a python script. > > That would be welcome.Go here: https://github.com/hortimech/Samba/tree/main/bin> > > > > Rowland > > > > PS: Please stop 'CC'ing me. > > Will do.Thank you, when you 'CC' me, I only get the 'CC'ed email and it ends up in the wrong folder and breaks the thread. Rowland
Kees van Vloten
2024-Oct-29 09:57 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
Op 29-10-2024 om 10:12 schreef Rowland Penny via samba:> On Mon, 28 Oct 2024 17:48:53 +0100 > William David Edwards via samba <samba at lists.samba.org> wrote: > >> Rowland Penny via samba schreef op 2024-10-28 15:32: >>> On Mon, 28 Oct 2024 15:01:35 +0100 >>> William David Edwards <wedwards at cyberfusion.nl> wrote: >>>> As mentioned before, I'm able to log in with a password set using >>>> `userPassword` when `fUserPwdSupport` is enabled. >>>> >>> I have only been using Samba 4 for the last 12 years and I have >>> never used the 'userPassword' attribute, I have only used the >>> 'unicodePwd' attribute. I have a bash script to set a users >>> password, but I was lead to believe that Samba was changed to match >>> Microsoft AD, in that ldaps had to be used to set/change a users >>> password, so I stopped using it. >>> >>> In an attempt to understand just what is going wrong with your >>> attempts to set a users password, I dug the bash script out again, >>> tidied it up and tried it, it still works :-( >>> >>> All I can say is, do not believe everything you read. >> Again, I've tested and confirmed the behaviour of `userPassword` with >> the heuristic set. > I am not saying that it doesn't work for you, but in 12 years, you are > the first person that I have heard of that is trying to use it, > everyone else uses the 'unicodePwd' attribute.AD stores multiple password hashes (with different hash algorithms). You have to send the password in plain text over an encrypted (tls) channel (ldaps or ldap + starttls). With the plain password AD calculates all the hashes, which is otherwise impossible. In Samba, it is possible to add extra hashes in order to be able to sync the password to OpenLDAP or other applications (smb.conf: "password hash userPassword schemes") or even GPG decryptable (smb.conf: "password hash gpg key ids"). AD does never allow changing password over an unencrypted channel to protect the plain password on the wire (not even a ds-heuristic can change that). The "userPassword" attribute can be used (with setting a ds-heuristic value) for compatibility with OpenLDAP. If you do the changes from your own code, there is no need to use it, "unicodePwd" will do the job. Would you want password reset (with a service-account and without looking at password history) instead of changing your own password as a user then you need extra permissions on the service-account.> >>> Would you like a copy of my bash script, it might help you in your >>> attempts at a python script. >> That would be welcome. > Go here: > > https://github.com/hortimech/Samba/tree/main/bin > >>> Rowland >>> >>> PS: Please stop 'CC'ing me. >> Will do. > Thank you, when you 'CC' me, I only get the 'CC'ed email and it ends up > in the wrong folder and breaks the thread. > > Rowland > > >
Apparently Analagous Threads
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
- How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"