Displaying 20 results from an estimated 87 matches for "supplementalcredenti".

2017 Apr 09
6
Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
...> script (I used 'ldbsearch -H ... unicodePwd' to get the things >> checked). >> >> Is there any other step I should take in order to get Windows logon >> working >> normally with the accounts I create that way? > > My guess is that the Kerberos keys in supplementalCredentials have not > been removed. Those are still set to the random password, and windows > 7 is using Kerberos. Dear Andrew, I confirmed that 'supplementalCredentials' has different values depending on whether I use 'samba-tool' or 'ldbmodify' to set the password. Th...
2016 Oct 18
3
samba-tool user syncpasswords / getpassword usage and clarifications
...me out with 4.5.0. I was hoping to use this feature to pipe a ssha1 and HA1 hashes into an external ldap. Looking at the command line doc and then at the source code, it gets a bit more clear to me and I wanted to have some confirmation on that process. It seems that the only added value in the supplementalCredential attribute is the GPG encrypted password value (Primary:SambaGPG). And then the PDC running the syncpasswords daemon, which would have the gpg private key, monitors the ldap change. When a supplementalCredentials attribute change event occurs, one can use getPassword command and the private k...
2017 Apr 09
1
Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
On Sun, 2017-04-09 at 16:12 +0100, Rowland Penny via samba wrote: > On Sun, 09 Apr 2017 14:47:59 +0000 > Leonardo Bruno Lopes via samba <samba at lists.samba.org> wrote: > > > > > Is there any chance that this could mean I only need to wipe   > > 'supplementalCredentials' attribute -- I saw that it is possible > > --   > > after set the password with 'ldbmodify'? Unfortunately I can't > > get   > > this tested until tomorrow. > > > > try using something like this in your script: More like: ldbmodify -H /usr...
2019 Sep 05
2
Set a temporary password on user accounts (samba4)
...apsync or similar, then, when everything is done, restore the previous password of the users (without forcing them to reset it) I've read this thread : https://lists.samba.org/archive/samba/2017-April/207637.html. So, it should be possible to backup the unicodePwd attr, then restore it and wipe supplementalCredentials. But, I'd prefer being able to generate AES kerb tickets (as users do not change their password often) Can I backup the whole user entry, and restore it later ? Or just a set of attributes ? Only supplementalCredentials and unicodePwd are enough ? In the SMB 3 days, I could just backup has...
2017 Apr 12
2
Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Dear Andrew and List, I posted here >>https://lists.samba.org/archive/samba/2017-April/207671.html<< that my problem was solved, but I have the following question: What are the possible security issues that may come from removing the 'supplementalCredentials' attribute? Thanks, Leonardo Quoting Andrew Bartlett <abartlet at samba.org>: > On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba > wrote: >> >> Dear Andrew, >> >> I confirmed that 'supplementalCredentials' has different values ...
2023 Aug 21
1
Editing user password hashes
Hi all. I'm migrating from a small OpenLDAP setup and currently have users' password hashes in {SSHA} and {CRYPT}$5$.16s format. Can I just ldbedit or ldbmodify user's supplementalCredentials fields in /var/lib/samba/private/sam.ldb.d/DC%3DAD%2CDC%3DEXAMPLE%2CDC%3DCOM.ldb to migrate passwords? Provided that I could get the data structure right. (Documentations about supplementalCredentials should be here I think https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/8...
2016 Oct 19
0
samba-tool user syncpasswords / getpassword usage and clarifications
...o use this feature > to pipe a ssha1 and HA1 hashes into an external ldap. > > Looking at the command line doc and then at the source code, it gets a > bit more clear to me and I wanted to have some confirmation on that > process. > > It seems that the only added value in the supplementalCredential > attribute is the GPG encrypted password value (Primary:SambaGPG). Yes. > And then the PDC running the syncpasswords daemon, which would have the > gpg private key, monitors the ldap change. > > When a supplementalCredentials attribute change event occurs, one can > use getP...
2016 Oct 21
1
samba-tool user syncpasswords / getpassword usage and clarifications
...2016-10-19 at 10:10 +0200, Stefan Metzmacher via samba wrote: > Hi Dennis, > > >  > > > > If this is the way it works, I was wondering if is there a reason > > why > > not directly storing the required hashes (ssha1, ssha256, etc.) > > into the > > supplementalCredentials attribute on the DC doing the password > > change? > > Because it's much more flexible that way and you can construct any > new > hashing scheme that will be invented in future. > > If someone wants to implement storing a set of pre-calculated hashes, > maybe in...
2019 Sep 05
2
Set a temporary password on user accounts (samba4)
On 05/09/2019 at 12:38, Rowland penny via samba wrote: >> >> Can I backup the whole user entry, and restore it later ? Or just a set >> of attributes ? Only supplementalCredentials and unicodePwd are enough ? > > No, you cannot backup and restore the entire AD object, a lot of the > attributes are only writeable by the system. Even with ldbmodify ? > > You can certainly try to do what you propose, but I think your best > option would be to change the...
2018 Sep 28
2
Synchronizing passwords to Samba 4
...ut can someone confirm that >> unicodePwd cannot be read / written through a LDAPS connection ? Is >> there any workaround ? The unicodePwd attribute is not used by AD. Active Directory uses multiple kerberos hashes with different encryption types and a NTLM hash and they are stored in the supplementalCredentials attribute (which is neither readable nor writable directly through LDAP). If you want to pipe a password hash from an OpenLDAP to a Samba-AD, the only solution is to have the NTLM hash and use the pdbedit --set-nt-hash command line on the domain controller. It will store the NTLM hash and cr...
2020 Oct 14
2
azure ad provisioning | password hashes sync
...PwdHistory > passwordAttribute: lmPwdHash > passwordAttribute: sambaLMPwdHistory > passwordAttribute: krb5key > passwordAttribute: dBCSPwd > passwordAttribute: unicodePwd > passwordAttribute: ntPwdHistory > passwordAttribute: lmPwdHistory > passwordAttribute: supplementalCredentials > passwordAttribute: priorValue > passwordAttribute: currentValue > passwordAttribute: trustAuthOutgoing > passwordAttribute: trustAuthIncoming > passwordAttribute: initialAuthOutgoing > passwordAttribute: initialAuthIncoming > passwordAttribute: pekList >...
2017 Apr 09
0
Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba wrote: > > Dear Andrew, > > I confirmed that 'supplementalCredentials' has different values   > depending on whether I use 'samba-tool' or 'ldbmodify' to set the   > password. That seems to confirm your initial guess. > > > The code in pdb_samba_dsdb that owns the OID you use always removes > > this attribute when setting...
2019 Sep 05
0
Set a temporary password on user accounts (samba4)
...everything is done, restore the previous > password of the users (without forcing them to reset it) > > I've read this thread : > https://lists.samba.org/archive/samba/2017-April/207637.html. So, it > should be possible to backup the unicodePwd attr, then restore it and > wipe supplementalCredentials. But, I'd prefer being able to generate AES > kerb tickets (as users do not change their password often) > > Can I backup the whole user entry, and restore it later ? Or just a set > of attributes ? Only supplementalCredentials and unicodePwd are enough ? No, you cannot backup a...
2014 Oct 08
1
Password setup issues
Reopening an old question that wasn't answered (as far as I know) How do you retrieve a plaintext password from the "supplementalCredentials" field when "store-plaintext-password" is used? Another question I've been looking for but didn't find any clear answer. Is "passwd program" parameter intended to be implemented/supported for samba4 DC in the near future? I'm struggling to get the same s...
2015 Jun 18
2
Default password recovery feature
...r that, it's pretty much our server-side web form to re-init passwords. The problem is that I need to store somewhere as plaintext the default password for each user, which is prompted to change at the 1st connection. I turned on "--store-plaintext on" via samba-tool and read "supplementalCredentials", looked for "Store passwords using reversible encryption"... I don't think it's the right way since I don't want to be able to decode new passwords... Paul On 17/06/2015 09:37, L.P.H. van Belle wrote: > Nice environment Paul.. > > have a look here. >...
2017 Apr 07
4
Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Hi everyone! I have a LDAP with all my users' accounts, each one with the sambaNTPassword correctly defined. I also have a freshly installed Samba 4.2 running on a Debian 8.7 box. I followed the instructions described by Steve ThompsSmabon here <https://lists.samba.org/archive/samba/2014-June/182196.html> and I am able to create a Samba 4 domain account ('samba-tool user add ...
2015 Mar 03
2
Synchronization problems between Win2k8R2 and samba
...work. The join seems to run smoothly. But, after the join, this command: ldapsearch -LLL -x -H ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b "dc=test,dc=dom" "(SAMAccountName=Administrateur)" returns some strange results: - some attributes like unicodePwd and supplementalCredentials are missing - lots of attributes are base64 encoded, example: description:: Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24= (for information python base64.decodestring('Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=') gives 'Compte d\xe2\x80\x99utilisateur d\x...
2020 Oct 14
0
azure ad provisioning | password hashes sync
...tribute: lmPwdHash >> passwordAttribute: sambaLMPwdHistory >> passwordAttribute: krb5key >> passwordAttribute: dBCSPwd >> passwordAttribute: unicodePwd >> passwordAttribute: ntPwdHistory >> passwordAttribute: lmPwdHistory >> passwordAttribute: supplementalCredentials >> passwordAttribute: priorValue >> passwordAttribute: currentValue >> passwordAttribute: trustAuthOutgoing >> passwordAttribute: trustAuthIncoming >> passwordAttribute: initialAuthOutgoing >> passwordAttribute: initialAuthIncoming >> passw...
2019 Oct 04
2
samba-tool user syncpasswords crashes with python3
...OU=Users,OU=klingons,OU=Organizations,DC=xxx, xx=net pwdLastSet: 132112663830494760 userPrincipalName: gorkon_klingons at klingons.imp sAMAccountName: gorkon_klingons userAccountControl: 512 objectGUID: 7d1b0000-b7f7-4fda-8479-b5cb70a01030 instanceType: 4 # unicodePwd::: REDACTED SECRET ATTRIBUTE # supplementalCredentials::: REDACTED SECRET ATTRIBUTE Fri Oct 4 12:29:52 2019: pid[985]: # Passwords[0] 7d1b0000-b7f7-4fda- 8479-b5cb70a01030 S-1-5-21-1608159440-4144762864-1017073214-15729 # attrs=['dn', 'mail', 'objectGUID', 'objectSid', 'proxyAddresses', 'pwdLastSet',...
2016 Aug 24
8
We need to change our AD domain
Hi All, As a result of a company restructure and name change we need to change our AD domain. I know that we can't change the AD domain name in Samba 4, so I'm looking at the smoothest way to migrate everything from one domain to another. Is there any (properly working) way we can export users, groups and policies from one domain and import them into another? I've spent a few