Kees van Vloten
2024-Oct-29 09:57 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On 29-10-2024 at 10:12, Rowland Penny via samba wrote:
> On Mon, 28 Oct 2024 17:48:53 +0100
> William David Edwards via samba <samba at lists.samba.org> wrote:
>
>> Rowland Penny via samba wrote on 2024-10-28 15:32:
>>> On Mon, 28 Oct 2024 15:01:35 +0100
>>> William David Edwards <wedwards at cyberfusion.nl> wrote:
>>>> As mentioned before, I'm able to log in with a password set using
>>>> `userPassword` when `fUserPwdSupport` is enabled.
>>>>
>>> I have only been using Samba 4 for the last 12 years and I have
>>> never used the 'userPassword' attribute, I have only used the
>>> 'unicodePwd' attribute. I have a bash script to set a user's
>>> password, but I was led to believe that Samba was changed to match
>>> Microsoft AD, in that ldaps had to be used to set/change a user's
>>> password, so I stopped using it.
>>>
>>> In an attempt to understand just what is going wrong with your
>>> attempts to set a user's password, I dug the bash script out again,
>>> tidied it up and tried it, it still works :-(
>>>
>>> All I can say is, do not believe everything you read.
>> Again, I've tested and confirmed the behaviour of `userPassword` with
>> the heuristic set.
> I am not saying that it doesn't work for you, but in 12 years, you are
> the first person that I have heard of that is trying to use it,
> everyone else uses the 'unicodePwd' attribute.

AD stores multiple password hashes (with different hash algorithms). You have to send the password in plain text over an encrypted (TLS) channel (ldaps or ldap + STARTTLS). With the plain password AD calculates all the hashes, which is otherwise impossible.

In Samba, it is possible to add extra hashes in order to be able to sync the password to OpenLDAP or other applications (smb.conf: "password hash userPassword schemes") or even GPG decryptable (smb.conf: "password hash gpg key ids").

AD never allows changing a password over an unencrypted channel, to protect the plain password on the wire (not even a ds-heuristic can change that).

The "userPassword" attribute can be used (with a ds-heuristic value set) for compatibility with OpenLDAP. If you do the changes from your own code, there is no need to use it; "unicodePwd" will do the job.

If you want a password reset (with a service account and without looking at password history) instead of changing your own password as a user, then you need extra permissions on the service account.

>>> Would you like a copy of my bash script, it might help you in your
>>> attempts at a python script.
>> That would be welcome.
> Go here:
>
> https://github.com/hortimech/Samba/tree/main/bin
>
>>> Rowland
>>>
>>> PS: Please stop 'CC'ing me.
>> Will do.
> Thank you, when you 'CC' me, I only get the 'CC'ed email and it ends up
> in the wrong folder and breaks the thread.
>
> Rowland
Rowland Penny
2024-Oct-29 10:09 UTC
[Samba] How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On Tue, 29 Oct 2024 10:57:38 +0100
Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> On 29-10-2024 at 10:12, Rowland Penny via samba wrote:
> > On Mon, 28 Oct 2024 17:48:53 +0100
> > William David Edwards via samba <samba at lists.samba.org> wrote:
> >
> >> Rowland Penny via samba wrote on 2024-10-28 15:32:
> >>> On Mon, 28 Oct 2024 15:01:35 +0100
> >>> William David Edwards <wedwards at cyberfusion.nl> wrote:
> >>>> As mentioned before, I'm able to log in with a password set using
> >>>> `userPassword` when `fUserPwdSupport` is enabled.
> >>>>
> >>> I have only been using Samba 4 for the last 12 years and I have
> >>> never used the 'userPassword' attribute, I have only used the
> >>> 'unicodePwd' attribute. I have a bash script to set a user's
> >>> password, but I was led to believe that Samba was changed to
> >>> match Microsoft AD, in that ldaps had to be used to set/change a
> >>> user's password, so I stopped using it.
> >>>
> >>> In an attempt to understand just what is going wrong with your
> >>> attempts to set a user's password, I dug the bash script out again,
> >>> tidied it up and tried it, it still works :-(
> >>>
> >>> All I can say is, do not believe everything you read.
> >> Again, I've tested and confirmed the behaviour of `userPassword`
> >> with the heuristic set.
> > I am not saying that it doesn't work for you, but in 12 years, you
> > are the first person that I have heard of that is trying to use it,
> > everyone else uses the 'unicodePwd' attribute.
>
> AD stores multiple password hashes (with different hash algorithms).
> You have to send the password in plain text over an encrypted (TLS)
> channel (ldaps or ldap + STARTTLS). With the plain password AD
> calculates all the hashes, which is otherwise impossible.
>
> In Samba, it is possible to add extra hashes in order to be able to
> sync the password to OpenLDAP or other applications (smb.conf:
> "password hash userPassword schemes") or even GPG decryptable
> (smb.conf: "password hash gpg key ids").
>
> AD never allows changing a password over an unencrypted channel, to
> protect the plain password on the wire (not even a ds-heuristic can
> change that).
>
> The "userPassword" attribute can be used (with a ds-heuristic value
> set) for compatibility with OpenLDAP. If you do the changes from
> your own code, there is no need to use it; "unicodePwd" will do the
> job.
>
> If you want a password reset (with a service account and without
> looking at password history) instead of changing your own password as
> a user, then you need extra permissions on the service account.
>

All of that matched my thoughts, basically you have to set the password over ldaps. Initially Samba allowed the setting of the password over ldap and I wrote a bash script to do this, but sometime in the past (cannot remember when), it was announced that you now had to use ldaps, so I stopped using it and used samba-tool instead. After this thread started, I resurrected my script, tidied it up and tried it again, it still works. Perhaps it is because it uses kerberos for authentication, who knows?

Rowland
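The mechanism Kees describes (plain password sent over TLS, hashes derived by the DC) and Rowland's point that the write has to go over ldaps, as an added Python example that is not from this thread, not Rowland's linked bash script, and not Samba project code. It assumes the ldap3 package; the host, DNs, CA file and passwords in the `__main__` block are placeholders.

```python
import ssl


def encode_unicode_pwd(password: str) -> bytes:
    """AD and Samba AD expect unicodePwd as the plain password wrapped in
    double quotes and encoded as UTF-16-LE with no BOM. The DC derives every
    hash it stores (NT hash, Kerberos keys, optional extra schemes) from it."""
    return f'"{password}"'.encode("utf-16-le")


def build_reset_change(new_password: str) -> dict:
    """Administrative reset: a single REPLACE of unicodePwd. Needs a service
    account with reset-password rights; password history is not consulted."""
    return {"unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])]}


def build_self_change(old_password: str, new_password: str) -> dict:
    """Self-service change: DELETE the old value and ADD the new one in one
    modify request, so the DC verifies the old password and applies policy."""
    return {"unicodePwd": [("MODIFY_DELETE", [encode_unicode_pwd(old_password)]),
                           ("MODIFY_ADD", [encode_unicode_pwd(new_password)])]}


def reset_password_ldaps(host: str, bind_dn: str, bind_pw: str, user_dn: str,
                         new_password: str, ca_file: str) -> tuple:
    """Send the reset over LDAPS (port 636) with the DC certificate verified.
    Assumption: ldap3 is installed; all connection values come from the caller.
    The plaintext crosses the wire only inside the TLS session, which is the
    reason AD refuses unicodePwd writes over unencrypted ldap."""
    from ldap3 import Connection, Server, Tls

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=bind_dn, password=bind_pw, auto_bind=True)
    try:
        ok = conn.modify(user_dn, build_reset_change(new_password))
        return ok, conn.result.get("description")
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Placeholder values: replace with your own DC, CA bundle and DNs.
    print(reset_password_ldaps("dc1.example.com",
                               "CN=svc-pwreset,CN=Users,DC=example,DC=com",
                               "service-account-password",
                               "CN=Some User,CN=Users,DC=example,DC=com",
                               "N3w-Passw0rd!", "/etc/ssl/certs/ad-ca.pem"))
```

The same encoding is used for a user's own change via `build_self_change`; a bind as the user plus that modify is all the DC needs.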