search for: directory_service

Displaying 15 results from an estimated 15 matches for "directory_service".

2023 May 30
2
LDAP Extended attributes and dsheuristics
...AP: ``` ldap_exop_passwd(): Passwd modify extended operation failed: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported ``` Is this feature (1.3.6.1.4.1.4203.1.11.1) still not supported? Also, I have tried setting dsHeuristics for item 9 (fUserPwdSupport) to 1 with: ``` samba-tool forest directory_service dsheuristics 000000001 ``` But there doesn't seem to be a way to get it to reset to "default value" (empty). Any ideas how I would do that? Thanks, Ben
2024 Jul 03
2
anonymous ldap search, how disable it?
...tried ldap anonymous search in samba. Downloaded kali linux, run enum4linux -a my.dc.domain and get all group, users, sids, rids... without any password o_O Go to https://wiki.samba.org/index.php/FAQ#Does_the_Samba_Internal_LDAP_Server_Supports_Anonymous_Searches? and run samba-tool forest directory_service dsheuristics 0000000 set dsheuristics: 0000000 then tin again enum4linux -a my.dc.domain and got all the data (users, groups,...)anonymous ldap search again set dsheuristics to 0000002 samba-tool forest directory_service dsheuristics 0000000 set dsheuristics: 0000002 but nothing has changed.....
2024 Oct 28
2
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...load without a MITM, Samba -rightfully- says: > > "Password modification over LDAP must be over an encrypted connection" > > To mitigate this, I set > `fAllowPasswordOperationsOverNonSecureConnection` (`dSHeuristic` 13): > > `root@addc-test:~# samba-tool forest directory_service dsheuristics > 0000000011001` > > Note that I also set fUserPwdSupport to 1, which I don't believe to > be needed (as I'm using `unicodePwd`, not `userPassword`), which > means TRUE according to > https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e58...
2024 Oct 28
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...S. I'm using LDAP for >>>>>>> debugging >>>>>>> purposes (no need for a MITM to look at the payload). >>>>>>> >>>>> Did you enable password change via ldap? : >>>>> >>>>> samba-tool forest directory_service dsheuristics '000000001' >>>> >>>> According to >>>> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, >>>> a dSHeuristic is required only for changing passwords over >>>>...
2024 Oct 27
2
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...>>>> ldap, you don't use ldap, you use ldaps. >>> That's not the issue, just tested LDAPS. I'm using LDAP for debugging >>> purposes (no need for a MITM to look at the payload). >>> > Did you enable password change via ldap? : > > samba-tool forest directory_service dsheuristics '000000001' According to https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, a dSHeuristic is required only for changing passwords over unencrypted LDAP (`fAllowPasswordOperationsOverNonSecureConnection`). As mentione...
2024 Oct 28
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...modification over LDAP must be over an encrypted > >> connection" > >> > >> To mitigate this, I set > >> `fAllowPasswordOperationsOverNonSecureConnection` (`dSHeuristic` > >> 13): > >> > >> `root@addc-test:~# samba-tool forest directory_service dsheuristics > >> 0000000011001` > >> > >> Note that I also set fUserPwdSupport to 1, which I don't believe to > >> be needed (as I'm using `unicodePwd`, not `userPassword`), which > >> means TRUE according to > >> https://learn.microso...
2024 Oct 27
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...tive directory password over >>> ldap, you don't use ldap, you use ldaps. >> That's not the issue, just tested LDAPS. I'm using LDAP for debugging >> purposes (no need for a MITM to look at the payload). >> Did you enable password change via ldap? : samba-tool forest directory_service dsheuristics '000000001' - Kees. > Try reading this: > > https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password > > Rowland >
2024 Oct 28
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...-rightfully- says: >> >> "Password modification over LDAP must be over an encrypted connection" >> >> To mitigate this, I set >> `fAllowPasswordOperationsOverNonSecureConnection` (`dSHeuristic` 13): >> >> `root@addc-test:~# samba-tool forest directory_service dsheuristics >> 0000000011001` >> >> Note that I also set fUserPwdSupport to 1, which I don't believe to >> be needed (as I'm using `unicodePwd`, not `userPassword`), which >> means TRUE according to >> https://learn.microsoft.com/en-us/openspecs/windows...
2024 Oct 27
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...he issue, just tested LDAPS. I'm using LDAP for >>>>>> debugging >>>>>> purposes (no need for a MITM to look at the payload). >>>>>> >>>> Did you enable password change via ldap? : >>>> >>>> samba-tool forest directory_service dsheuristics '000000001' >>> >>> According to >>> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, >>> a dSHeuristic is required only for changing passwords over >>> unencrypted LDAP (...
2024 Oct 27
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...u don't use ldap, you use ldaps. >>>> That's not the issue, just tested LDAPS. I'm using LDAP for debugging >>>> purposes (no need for a MITM to look at the payload). >>>> >> Did you enable password change via ldap? : >> >> samba-tool forest directory_service dsheuristics '000000001' > > According to > https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, > a dSHeuristic is required only for changing passwords over unencrypted > LDAP (`fAllowPasswordOperationsOverNonSecureCo...
2024 Jul 10
2
Prevent AD Enumeration
Hi, Is there any setting in smb.conf that prevents the AD enumeration like user, group or computer enumeration? We tried to follow different methods recommended by Microsoft for the AD. But they don't seem to work. Still using apps like powershell, we can still enumerate the users, groups etc. Best regards, Anantha Raghava
2023 May 30
1
LDAP Extended attributes and dsheuristics
...contributed. We would welcome such a feature, but note it would need to be quite carefully implemented and tested to ensure it honours all the appropriate ACLs. > Also, I > have tried setting dsHeuristics for item 9 (fUserPwdSupport) to 1 > with: > > ``` > samba-tool forest directory_service dsheuristics 000000001 > ``` > > But there doesn't seem to be a way to get it to reset to "default > value" (empty). Any ideas how I would do that? All-zeros will be the default, but aside from wanting to match a Windows 2000 era behaviour exactly, fUserPwdSupport makes...
2024 Oct 27
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...>>> That's not the issue, just tested LDAPS. I'm using LDAP for >>>>> debugging >>>>> purposes (no need for a MITM to look at the payload). >>>>> >>> Did you enable password change via ldap? : >>> >>> samba-tool forest directory_service dsheuristics '000000001' >> >> According to >> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5, >> a dSHeuristic is required only for changing passwords over unencrypted >> LDAP (`fAllowPasswordOper...
2024 Oct 28
1
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
...t be over an encrypted >> >> connection" >> >> >> >> To mitigate this, I set >> >> `fAllowPasswordOperationsOverNonSecureConnection` (`dSHeuristic` >> >> 13): >> >> >> >> `root@addc-test:~# samba-tool forest directory_service dsheuristics >> >> 0000000011001` >> >> >> >> Note that I also set fUserPwdSupport to 1, which I don't believe to >> >> be needed (as I'm using `unicodePwd`, not `userPassword`), which >> >> means TRUE according to >> >>...
2024 Oct 27
2
How to set `unicodePwd`? "it's not allowed to set the NT hash password directly"
On Sun, 27 Oct 2024 15:08:14 +0100 William Edwards <wedwards at cyberfusion.nl> wrote: > > > On 27 Oct 2024, at 14:50, Rowland Penny via samba > > <samba at lists.samba.org> wrote: > > > > On Sun, 27 Oct 2024 13:58:56 +0100 > > William David Edwards via samba <samba at lists.samba.org> wrote: > > > >> Hi,