Discussion:
[Samba] sambar4: user creation with ldap and initial password
(too old to reply)
Thomas Mueller
2012-11-01 12:50:02 UTC
Permalink
Raw Message
hi

trying to create a user with ldap from a remote server. The user is
created successfully. I'm failing setting the initial password.

Setting the unicodePwd with kerberos administrator credentials with
ldbmodify and the ldif below results in "00002035: setup_io: it's not
allowed to set the NT hash password directly".

searching the web I've found s4 mailinglist entries telling "do not set
unicodePwd with ldap". this KB article tells in AD it's possible to set
it: http://support.microsoft.com/kb/263991/en-us

Is there a supported method to supply the initial user password with s4
and ldap?

- Thomas

LDIF:
dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
changetype: modify
replace: unicodePwd
unicodePwd:: $IlRlc3QxMjMtLSIK
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2012-11-05 03:40:02 UTC
Permalink
Raw Message
Post by Thomas Mueller
hi
trying to create a user with ldap from a remote server. The user is
created successfully. I'm failing setting the initial password.
Setting the unicodePwd with kerberos administrator credentials with
ldbmodify and the ldif below results in "00002035: setup_io: it's not
allowed to set the NT hash password directly".
searching the web I've found s4 mailinglist entries telling "do not set
unicodePwd with ldap". this KB article tells in AD it's possible to set
it: http://support.microsoft.com/kb/263991/en-us
Is there a supported method to supply the initial user password with s4
and ldap?
- Thomas
dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
changetype: modify
replace: unicodePwd
unicodePwd:: $IlRlc3QxMjMtLSIK
To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.
See however the userPassword, which is a normal, utf8 unquoted string
(ie, sane :-)

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2012-11-05 07:30:02 UTC
Permalink
Raw Message
Post by Andrew Bartlett
Post by Thomas Mueller
hi
trying to create a user with ldap from a remote server. The user is
created successfully. I'm failing setting the initial password.
Setting the unicodePwd with kerberos administrator credentials with
ldbmodify and the ldif below results in "00002035: setup_io: it's not
allowed to set the NT hash password directly".
searching the web I've found s4 mailinglist entries telling "do not set
unicodePwd with ldap". this KB article tells in AD it's possible to set
it: http://support.microsoft.com/kb/263991/en-us
Is there a supported method to supply the initial user password with s4
and ldap?
- Thomas
dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
changetype: modify
replace: unicodePwd
unicodePwd:: $IlRlc3QxMjMtLSIK
To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.
echo \"PASSWORD\" | iconv -t UTF16LE | base64
Either way, the base64 string just doesn't look long enough for that.

This seems closer:
//4iAFQAZQBzAHQAMQAyADMALQAtACIA
Post by Andrew Bartlett
See however the userPassword, which is a normal, utf8 unquoted string
(ie, sane :-)
1) the userPassword attribute is plaintext readable with ldap afterwards
2) the kerberos password is not set ("kinit user" fails)
You may not have the userPassword feature enabled. It's odd that we let
it stick in ldap however - can you confirm exactly what AD does here, so
I can match it?

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Thomas Mueller
2012-11-05 08:50:02 UTC
Permalink
Raw Message
Post by Andrew Bartlett
Post by Andrew Bartlett
Post by Thomas Mueller
hi
trying to create a user with ldap from a remote server. The user is
created successfully. I'm failing setting the initial password.
Setting the unicodePwd with kerberos administrator credentials with
ldbmodify and the ldif below results in "00002035: setup_io: it's not
allowed to set the NT hash password directly".
searching the web I've found s4 mailinglist entries telling "do not set
unicodePwd with ldap". this KB article tells in AD it's possible to set
it: http://support.microsoft.com/kb/263991/en-us
Is there a supported method to supply the initial user password with s4
and ldap?
- Thomas
dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
changetype: modify
replace: unicodePwd
unicodePwd:: $IlRlc3QxMjMtLSIK
To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.
echo \"PASSWORD\" | iconv -t UTF16LE | base64
Either way, the base64 string just doesn't look long enough for that.
//4iAFQAZQBzAHQAMQAyADMALQAtACIA
Post by Andrew Bartlett
See however the userPassword, which is a normal, utf8 unquoted string
(ie, sane :-)
1) the userPassword attribute is plaintext readable with ldap afterwards
2) the kerberos password is not set ("kinit user" fails)
You may not have the userPassword feature enabled. It's odd that we let
it stick in ldap however - can you confirm exactly what AD does here, so
I can match it?
I do not have a AD available today , i'll try tomorrow. i've found this
about the userPassword attribute on msdn:
http://msdn.microsoft.com/en-us/library/cc223249(prot.20).aspx
<http://msdn.microsoft.com/en-us/library/cc223249%28prot.20%29.aspx>

searching the sourcecode about userPassword i've found this comment in
password_hash.c:

* Notice: unlike the real AD which only supports the UTF16 special based
* 'unicodePwd' and the UTF8 based 'userPassword' plaintext attribute we
* understand also a UTF16 based 'clearTextPassword' one.
* The latter is also accessible through LDAP so it can also be set by
external
* tools and scripts. But be aware that this isn't portable on non
SAMBA 4 ADs!

"The latter is also accessible through LDAP" implies that unicodePwd and
userPassword aren't.

- Thomas
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Michael Wood
2012-11-05 11:00:02 UTC
Permalink
Raw Message
Post by Andrew Bartlett
Post by Andrew Bartlett
Post by Thomas Mueller
hi
trying to create a user with ldap from a remote server. The user is
created successfully. I'm failing setting the initial password.
Setting the unicodePwd with kerberos administrator credentials with
ldbmodify and the ldif below results in "00002035: setup_io: it's not
allowed to set the NT hash password directly".
searching the web I've found s4 mailinglist entries telling "do not set
unicodePwd with ldap". this KB article tells in AD it's possible to set
it: http://support.microsoft.com/kb/263991/en-us
Is there a supported method to supply the initial user password with s4
and ldap?
- Thomas
dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
changetype: modify
replace: unicodePwd
unicodePwd:: $IlRlc3QxMjMtLSIK
To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.
echo \"PASSWORD\" | iconv -t UTF16LE | base64
I get "IgBQAEEAUwBTAFcATwBSAEQAIgAKAA==" from the above, which seems
OK to me, except that it has an extra "\n" on the end before encoding.

This works better:

$ echo -n \"PASSWORD\" | iconv -t UTF16LE | base64
IgBQAEEAUwBTAFcATwBSAEQAIgA=
Post by Andrew Bartlett
Post by Andrew Bartlett
'"PASSWORD"'.encode("utf-16le").encode("base64")
'IgBQAEEAUwBTAFcATwBSAEQAIgA=\n'
Post by Andrew Bartlett
Either way, the base64 string just doesn't look long enough for that.
//4iAFQAZQBzAHQAMQAyADMALQAtACIA
Post by Andrew Bartlett
"//4iAFQAZQBzAHQAMQAyADMALQAtACIA".decode("base64").decode("utf-16le")
u'\ufeff"Test123--"'
Post by Andrew Bartlett
Post by Andrew Bartlett
See however the userPassword, which is a normal, utf8 unquoted string
(ie, sane :-)
1) the userPassword attribute is plaintext readable with ldap afterwards
2) the kerberos password is not set ("kinit user" fails)
You may not have the userPassword feature enabled. It's odd that we let
it stick in ldap however - can you confirm exactly what AD does here, so
I can match it?
--
Michael Wood <***@gmail.com>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2012-11-12 01:20:01 UTC
Permalink
Raw Message
Post by Michael Wood
Post by Andrew Bartlett
Post by Andrew Bartlett
Post by Thomas Mueller
hi
trying to create a user with ldap from a remote server. The user is
created successfully. I'm failing setting the initial password.
Setting the unicodePwd with kerberos administrator credentials with
ldbmodify and the ldif below results in "00002035: setup_io: it's not
allowed to set the NT hash password directly".
searching the web I've found s4 mailinglist entries telling "do not set
unicodePwd with ldap". this KB article tells in AD it's possible to set
it: http://support.microsoft.com/kb/263991/en-us
Is there a supported method to supply the initial user password with s4
and ldap?
- Thomas
dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
changetype: modify
replace: unicodePwd
unicodePwd:: $IlRlc3QxMjMtLSIK
To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.
echo \"PASSWORD\" | iconv -t UTF16LE | base64
I get "IgBQAEEAUwBTAFcATwBSAEQAIgAKAA==" from the above, which seems
OK to me, except that it has an extra "\n" on the end before encoding.
$ echo -n \"PASSWORD\" | iconv -t UTF16LE | base64
IgBQAEEAUwBTAFcATwBSAEQAIgA=
Post by Andrew Bartlett
Post by Andrew Bartlett
'"PASSWORD"'.encode("utf-16le").encode("base64")
'IgBQAEEAUwBTAFcATwBSAEQAIgA=\n'
Post by Andrew Bartlett
Either way, the base64 string just doesn't look long enough for that.
//4iAFQAZQBzAHQAMQAyADMALQAtACIA
I'm certainly not sure. :-)
Post by Michael Wood
Post by Andrew Bartlett
Post by Andrew Bartlett
"//4iAFQAZQBzAHQAMQAyADMALQAtACIA".decode("base64").decode("utf-16le")
u'\ufeff"Test123--"'
Post by Andrew Bartlett
Post by Andrew Bartlett
See however the userPassword, which is a normal, utf8 unquoted string
(ie, sane :-)
1) the userPassword attribute is plaintext readable with ldap afterwards
2) the kerberos password is not set ("kinit user" fails)
You may not have the userPassword feature enabled. It's odd that we let
it stick in ldap however - can you confirm exactly what AD does here, so
I can match it?
This certainly is easier when userPassword support is enabled.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Thomas Mueller
2012-11-05 12:40:02 UTC
Permalink
Raw Message
Post by Andrew Bartlett
Post by Thomas Mueller
hi
trying to create a user with ldap from a remote server. The user is
created successfully. I'm failing setting the initial password.
Setting the unicodePwd with kerberos administrator credentials with
ldbmodify and the ldif below results in "00002035: setup_io: it's not
allowed to set the NT hash password directly".
searching the web I've found s4 mailinglist entries telling "do not set
unicodePwd with ldap". this KB article tells in AD it's possible to set
it: http://support.microsoft.com/kb/263991/en-us
Is there a supported method to supply the initial user password with s4
and ldap?
- Thomas
dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
changetype: modify
replace: unicodePwd
unicodePwd:: $IlRlc3QxMjMtLSIK
To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.
i was using the following command to address this utf16-le requirement:

echo \"PASSWORD\" | iconv -t UTF16LE | base64
Post by Andrew Bartlett
See however the userPassword, which is a normal, utf8 unquoted string
(ie, sane :-)
Just tried it. Problems:

1) the userPassword attribute is plaintext readable with ldap afterwards
2) the kerberos password is not set ("kinit user" fails)

- Thomas
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Loading...