search for: supplementalcredenti

...gt; script (I used 'ldbsearch -H ... unicodePwd' to get the things >> checked). >> >> Is there any other step I should take in order to get Windows logon >> working >> normally with the accounts I create that way? > > My guess is that the Kerberos keys in supplementalCredentials have not > been removed. Those are still set to the random password, and windows > 7 is using Kerberos. Dear Andrew, I confirmed that 'supplementalCredentials' has different values depending on whether I use 'samba-tool' or 'ldbmodify' to set the password. Th...

...me out with 4.5.0. I was hoping to use this feature to pipe a ssha1 and HA1 hashes into an external ldap. Looking at the command line doc and then at the source code, it gets a bit more clear to me and I wanted to have some confirmation on that process. It seems that the only added value in the supplementalCredential attribute is the GPG encrypted password value (Primary:SambaGPG). And then the PDC running the syncpasswords daemon, which would have the gpg private key, monitors the ldap change. When a supplementalCredentials attribute change event occurs, one can use getPassword command and the private k...

On Sun, 2017-04-09 at 16:12 +0100, Rowland Penny via samba wrote: > On Sun, 09 Apr 2017 14:47:59 +0000 > Leonardo Bruno Lopes via samba <samba at lists.samba.org> wrote: > > > > > Is there any chance that this could mean I only need to wipe   > > 'supplementalCredentials' attribute -- I saw that it is possible > > --   > > after set the password with 'ldbmodify'? Unfortunately I can't > > get   > > this tested until tomorrow. > > > > try using something like this in your script: More like: ldbmodify -H /usr...

...apsync or similar, then, when everything is done, restore the previous password of the users (without forcing them to reset it) I've red this thread : https://lists.samba.org/archive/samba/2017-April/207637.html. So, it should be possible to backup the unicodePwd attr, then restore it and wipe supplementalCredentials. But, I'd prefer being able to generate AES kerb tickets (as users do not change their password often) Can I backup the whole user entry, and restore it later ? Or just a set of attributes ? Only supplementalCredentials and unicodePwd are enough ? In the SMB 3 days, I could just backup has...

Dean Andrew and List, I posted here >>https://lists.samba.org/archive/samba/2017-April/207671.html<< that my problem was solved, but I have the following question: What is the possible security issues that may come from removing the 'supplementalCredentials' attribute? Thanks, Leonardo Citando Andrew Bartlett <abartlet at samba.org>: > On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba > wrote: >> >> Dear Andrew, >> >> I confirmed that 'supplementalCredentials' has different values ...

Hi all. I'm migrating from a small OpenLDAP setup and currently have users' password hashes in {SSHA} and {CRYPT}$5$.16s format. Can I just ldbedit or ldbmodify user's supplementalCredentials fields in /var/lib/samba/private/sam.ldb.d/DC%3DAD%2CDC%3DEXAMPLE%2CDC%3DCOM.ldb to migrate passwords? Provided that I could get the data structure right. (Documentations about supplementalCredentials should be here I think https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/8...

...o use this feature > to pipe a ssha1 and HA1 hashes into an external ldap. > > Looking at the command line doc and then at the source code, it gets a > bit more clear to me and I wanted to have some confirmation on that > process. > > It seems that the only added value in the supplementalCredential > attribute is the GPG encrypted password value (Primary:SambaGPG). Yes. > And then the PDC running the syncpasswords daemon, which would have the > gpg private key, monitors the ldap change. > > When a supplementalCredentials attribute change event occurs, one can > use getP...

...2016-10-19 at 10:10 +0200, Stefan Metzmacher via samba wrote: > Hi Dennis, > > >  > > > > If this is the way it works, I was wondering if is there a reason > > why > > not directly storing the required hashes (ssha1, ssha256, etc.) > > into the > > supplementalCredentials attribute on the DC doing the password > > change? > > Because it's much more flexible that way and you can construct any > new > hashing scheme that will be invented in future. > > If someone wants to implement storing a set of pre-calculated hashes, > maybe in...

Le 05/09/2019 ? 12:38, Rowland penny via samba a ?crit?: >> >> Can I backup the whole user entry, and restore it later ? Or just a set >> of attributes ? Only supplementalCredentials and unicodePwd are enough ? > > No, you cannot backup and restore the entire AD object, a lot of the > attributes are only writeable by the system. Even with ldbmodify ? > > You can certainly try to do what you propose, but I think your best > option would be to change the...

...ut can someone confirm that >> unicodePwd cannot be read / wrote trough a LDAPS connection ? Is >> there any workaround ? The unicodePwd attribute is not used by AD. Active Directory use multiple kerberos hashes with different encryption type and a NTLM hash and they are store in the supplementalCredentials attribute (which is neither readable of writable directly through LDAP). If you want to pipe a password hash from an OpenLDAP to a Samba-AD, the only solution is to have the NTLM hash and use the pdbedit --set-nt-hash command line on the domain controller. It will store the NTLM hash and cr...

...PwdHistory > passwordAttribute: lmPwdHash > passwordAttribute: sambaLMPwdHistory > passwordAttribute: krb5key > passwordAttribute: dBCSPwd > passwordAttribute: unicodePwd > passwordAttribute: ntPwdHistory > passwordAttribute: lmPwdHistory > passwordAttribute: supplementalCredentials > passwordAttribute: priorValue > passwordAttribute: currentValue > passwordAttribute: trustAuthOutgoing > passwordAttribute: trustAuthIncoming > passwordAttribute: initialAuthOutgoing > passwordAttribute: initialAuthIncoming > passwordAttribute: pekList >...

On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba wrote: > > Dear Andrew, > > I confirmed that 'supplementalCredentials' has different values   > depending on whether I use 'samba-tool' or 'ldbmodify' to set the   > password. That seems to confirm your initial guess. > > > The code in pdb_samba_dsdb that owns the OID you use always removes > > this attribute when setting...

...everything is done, restore the previous > password of the users (without forcing them to reset it) > > I've red this thread : > https://lists.samba.org/archive/samba/2017-April/207637.html. So, it > should be possible to backup the unicodePwd attr, then restore it and > wipe supplementalCredentials. But, I'd prefer being able to generate AES > kerb tickets (as users do not change their password often) > > Can I backup the whole user entry, and restore it later ? Or just a set > of attributes ? Only supplementalCredentials and unicodePwd are enough ? No, you cannot backup a...

Reopening an old question that wasn't answered (as far as I know) How do you retrieve a plaintext password from the "supplementalCredentials" field when "store-plaintext-password" is used? Another question I've been looking for but didn't found any clear answer. Is "passwd program" parameter intended to be implemented/supported for samba4 DC in the near future? I'm struggling to get the same s...

...r that, it's pretty much our server-side web form to re-init passwords. The problem is that I need to store somewhere as plaintext the default password for each user, which is prompted to change at the 1st connexion. I turned on "--store-plaintext on" via samba-tool and read "supplementalCredentials", looked for "Store passwords using reversible encryption"... I don't think it's the right way since I don't want to be able to decode new passwords... Paul Le 17/06/2015 09:37, L.P.H. van Belle a ?crit : > Nice enviroment Paul.. > > have a look here. &gt...

Hi everyone! I have a LDAP with all my users' accounts, each one with the sambaNTPassaword correctly defined. I also have a freshly installed Samba 4.2 running on a Debian 8.7 box. I followed the instructions described by Steve ThompsSmabon here <https://lists.samba.org/archive/samba/2014-June/182196.html> and I am able to create a Samba 4 domain account ('samba-tool user add ...

...work. The join seems to run smoothly. But, after the join, this command: ldapsearch -LLL -x -H ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b "dc=test,dc=dom" "(SAMAccountName=Administrateur)" returns some strange results: ? some attributes like unicodePwd and supplementalCredentials are missing ? lots of attributes are base64 encoded, example: ?description:: Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24= (for information python base64.decodestring('Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=') gives 'Compte d\xe2\x80\x99utilisateur d\x...

...tribute: lmPwdHash >> ? passwordAttribute: sambaLMPwdHistory >> ? passwordAttribute: krb5key >> ? passwordAttribute: dBCSPwd >> ? passwordAttribute: unicodePwd >> ? passwordAttribute: ntPwdHistory >> ? passwordAttribute: lmPwdHistory >> ? passwordAttribute: supplementalCredentials >> ? passwordAttribute: priorValue >> ? passwordAttribute: currentValue >> ? passwordAttribute: trustAuthOutgoing >> ? passwordAttribute: trustAuthIncoming >> ? passwordAttribute: initialAuthOutgoing >> ? passwordAttribute: initialAuthIncoming >> ? passw...

...OU=Users,OU=klingons,OU=Organizations,DC=xxx, xx=net pwdLastSet: 132112663830494760 userPrincipalName: gorkon_klingons at klingons.imp sAMAccountName: gorkon_klingons userAccountControl: 512 objectGUID: 7d1b0000-b7f7-4fda-8479-b5cb70a01030 instanceType: 4 # unicodePwd::: REDACTED SECRET ATTRIBUTE # supplementalCredentials::: REDACTED SECRET ATTRIBUTE Fri Oct 4 12:29:52 2019: pid[985]: # Passwords[0] 7d1b0000-b7f7-4fda- 8479-b5cb70a01030 S-1-5-21-1608159440-4144762864-1017073214-15729 # attrs=['dn', 'mail', 'objectGUID', 'objectSid', 'proxyAddresses', 'pwdLastSet',...

Hi All, As a result of a company restructure and name change we need to change our AD domain. I know that we can't change the AD domain name in Samba 4, so I'm looking at the smoothest way to migrate everything from one domain to another. Is there any (properly working) way we can export users, groups and policies from one domain and import them into another? I've spent a few