Rowland Penny
2024-Dec-02 12:55 UTC
[Samba] Import of exported unicodePwd does not update Kerberos password
On Mon, 2 Dec 2024 10:54:38 +0100
"Emil.s via samba" <samba at lists.samba.org> wrote:

> Hello,
>
> I'm troubleshooting an old backup script that exports and imports
> users from a Samba database using `samba-tool`.
>
> It's implemented so that passwords are exported using "samba-tool user
> getpassword {username} --attributes=unicodePwd".
> On the import side, an LDIF file is created in the following format:
> ```
> dn: CN={username},OU=Users,DC=example,DC=com
> changetype: modify
> replace: unicodePwd
> unicodePwd:: {unicodePwd_string_here}
> ```
> This file is then applied using `ldbmodify -H
> /var/lib/samba/private/sam.ldb
> --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0`.
>
> However, this no longer seems to work, at least not for Kerberos. I've
> found and tried the `--pw-nt-hash` option, but it doesn't make a
> difference.
>
> After applying the password, I can "login" using "smbclient -L
> //localhost -U {username}".
> But if I try to issue a Kerberos ticket using "kinit {username}" I
> get a "kinit: Password incorrect while getting initial credentials"
> error.
>
> However, if I generate a new password string and apply it without the
> `--controls`, or set a password using "samba-tool user setpassword",
> everything works as usual.
>
> Has anything changed here during the last few years?

Yes, quite a lot.
If you follow the way that Microsoft does things, you aren't really
supposed to be able to read the contents of the unicodePwd attribute,
it is supposed to be write-only. You can read the attribute on Samba,
but what you get back isn't the password, it is a 64bit hash of the
password.

> And what would
> be the correct way to restore a password that was previously exported
> using samba-tool?

There isn't one, not unless you know the actual plain password and you
can no longer obtain this.
You can set a new password and force the user to change it at next logon.

> Or is there any new or preferred method to create a backup of a user
> including the password?

Why would you back up a user?
You should only back up the domain and then only use such a backup in
catastrophic cases, such as all your DCs failing at once. The correct
backup is to run multiple DCs.

Rowland
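An added example, not from the thread or from Samba itself: a small Python checker for the LDIF layout the backup script produces. It decodes the base64 `unicodePwd` value and distinguishes the 16-byte NT hash that `samba-tool user getpassword --attributes=unicodePwd` returns from the UTF-16LE quoted-password form that a normal `unicodePwd` write expects. The DNs and sample values are constructed, and the reading that a hash-only import restores NTLM logon but leaves the Kerberos keys stale is my interpretation of the symptoms in the thread, not a statement from it.

```python
import base64

# Constructed sample in the thread's export layout. The value is a
# constructed 16-byte placeholder (bytes 0x00..0x0f), not a real hash.
EXPORTED_LDIF = """dn: CN=alice,OU=Users,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: AAECAwQFBgcICQoLDA0ODw==
"""

# Constructed sample of the form AD accepts on a normal unicodePwd write:
# the password wrapped in double quotes, encoded as UTF-16LE, then base64.
PLAINTEXT_LDIF = (
    "dn: CN=bob,OU=Users,DC=example,DC=com\n"
    "changetype: modify\nreplace: unicodePwd\nunicodePwd:: "
    + base64.b64encode('"Secret-Pa55"'.encode("utf-16-le")).decode() + "\n"
)

def parse_ldif(text):
    """Return (dn, decoded unicodePwd bytes) for each entry that carries a
    base64-encoded (double colon) unicodePwd. Minimal parser for this layout."""
    entries, dn = [], None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("unicodePwd:: ") and dn is not None:
            entries.append((dn, base64.b64decode(line[len("unicodePwd:: "):])))
    return entries

def classify_unicode_pwd(raw):
    """'plaintext': UTF-16LE quoted password; the DC derives the NT hash and
    Kerberos keys itself on import.
    'nt-hash': 16-byte value as exported by samba-tool; my reading of the
    thread is that writing it back restores NTLM logon only, so kinit fails.
    'unknown': neither shape."""
    try:
        s = raw.decode("utf-16-le")  # odd length or bad surrogates raise
        if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
            return "plaintext"
    except UnicodeDecodeError:
        return "unknown"
    return "nt-hash" if len(raw) == 16 else "unknown"

def audit(text):
    """Classify every unicodePwd value in an LDIF file before importing it."""
    return [(dn, classify_unicode_pwd(raw)) for dn, raw in parse_ldif(text)]

if __name__ == "__main__":
    for dn, kind in audit(EXPORTED_LDIF) + audit(PLAINTEXT_LDIF):
        print(f"{dn}: {kind}")
```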
Emil.s
2024-Dec-02 14:48 UTC
[Samba] Import of exported unicodePwd does not update Kerberos password
> it is supposed to be write-only. You can read the attribute on Samba,
> but what you get back isn't the password, it is a 64bit hash of the
> password.

Ah, right. I guess this is somewhat legacy functionality then?

> Why would you back up a user?

I see many cases where this could be useful:
* Pre-provisioning of users where we get the user list from a 3rd party source.
* Copying of users from one system to another.

I guess the root cause here is that the same script seems to be used for
both importing new accounts (with plaintext passwords), as well as
restoring previously "exported" users from the system. Hence it was
convenient to just loop over each user regardless of the case.

> The correct backup is to run multiple DCs.

Multiple DCs might get redundancy and higher availability, but it's not a
backup of the data. It won't protect against data corruption, accidents,
and malicious activities.

To give some context, we are deploying fully independent systems in
isolated environments. However, some users might have to exist in multiple
environments (and could previously be "copied" by exporting the user +
password hash from one system to another).
In many other systems (like the host Linux OS, SQL databases, etc.) the
user credentials are just a pair of username and hashed, salted password.
But I understand if Kerberos and SSO solutions make this more complicated.

Anyhow, I guess a full AD backup using `samba-tool domain backup` is the
way forward here. I was mostly curious about how things are supposed to
work these days. The script is many years old and will need a rewrite
anyhow.

Thanks,
// Emil Sandnabba

On Mon, 2 Dec 2024 at 13:58, Rowland Penny via samba
<samba at lists.samba.org> wrote:
> On Mon, 2 Dec 2024 10:54:38 +0100
> "Emil.s via samba" <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I'm troubleshooting an old backup script that exports and imports
> > users from a Samba database using `samba-tool`.
> >
> > It's implemented so that passwords are exported using "samba-tool user
> > getpassword {username} --attributes=unicodePwd".
> > On the import side, an LDIF file is created in the following format:
> > ```
> > dn: CN={username},OU=Users,DC=example,DC=com
> > changetype: modify
> > replace: unicodePwd
> > unicodePwd:: {unicodePwd_string_here}
> > ```
> > This file is then applied using `ldbmodify -H
> > /var/lib/samba/private/sam.ldb
> > --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0`.
> >
> > However, this no longer seems to work, at least not for Kerberos. I've
> > found and tried the `--pw-nt-hash` option, but it doesn't make a
> > difference.
> >
> > After applying the password, I can "login" using "smbclient -L
> > //localhost -U {username}".
> > But if I try to issue a Kerberos ticket using "kinit {username}" I
> > get a "kinit: Password incorrect while getting initial credentials"
> > error.
> >
> > However, if I generate a new password string and apply it without the
> > `--controls`, or set a password using "samba-tool user setpassword",
> > everything works as usual.
> >
> > Has anything changed here during the last few years?
>
> Yes, quite a lot.
> If you follow the way that Microsoft does things, you aren't really
> supposed to be able to read the contents of the unicodePwd attribute,
> it is supposed to be write-only. You can read the attribute on Samba,
> but what you get back isn't the password, it is a 64bit hash of the
> password.
>
> > And what would
> > be the correct way to restore a password that was previously exported
> > using samba-tool?
>
> There isn't one, not unless you know the actual plain password and you
> can no longer obtain this. You can set a new password and force the
> user to change it at next logon.
>
> > Or is there any new or preferred method to create a backup of a user
> > including the password?
>
> Why would you back up a user?
> You should only back up the domain and then only use such a backup in
> catastrophic cases, such as all your DCs failing at once. The correct
> backup is to run multiple DCs.
>
> Rowland