Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Luc,

Very helpful...

I'm doing a migration from a very non-standard samba ldap implementation that we can't just migrate. We would like to save the users' passwords though. I'm testing using known password hashes and I'm having trouble authenticating after I change the passwords.

How can I extract what is being inserted into samba4 in order to verify that I'm doing things correctly?

Thanks!
Bo

- Original Message -
From: Luc Lalonde luc.lalo...@polymtl.ca
To: samba@lists.samba.org
Cc: Andrew Bartlett abart...@samba.org
Sent: Tuesday, April 9, 2013 11:25:47 AM
Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection

Ok this works:

#!/usr/bin/env python
import sys
sys.path.insert(0, "/usr/local/samba/lib64/python2.6/site-packages")
sys.path.insert(1, "/usr/local/samba/lib/python2.6/site-packages")
from samba import Ldb, registry
from samba.param import LoadParm
from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
from samba.samba3 import passdb
from samba.samba3 import param as s3param
from samba.dcerpc import lsa, samr, security
from samba.dcerpc.security import dom_sid
from samba.credentials import Credentials
from samba import dsdb
from samba.ndr import ndr_pack
from samba import unix2nttime

# Convert Hex to Byte string
def HexToByte( hexStr ):
    bytes = []
    hexStr = ''.join( hexStr.split( ) )
    for i in range(0, len(hexStr), 2):
        bytes.append( chr( int (hexStr[i:i+2], 16 ) ) )
    return ''.join( bytes )

# Connect to samba4 backend
new_lp_ctx = s3param.get_context()
new_lp_ctx.load("/usr/local/samba/etc/smb.conf")
new_lp_ctx.set("private dir", "/usr/local/samba/private")
s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))

# Change testuser password
new_userdata = s4_passdb.getsampwnam("testuser")
new_userdata.nt_passwd = HexToByte("878D8014606CDA29677A44EFA1353FC7")
new_userdata.lanman_passwd = HexToByte("552902031BEDE9EFAAD3B435B51404EE")
s4_passdb.update_sam_account(new_userdata)

I was missing some module paths and the extra info for connecting to the LDB database...

Now I just have to generalize this procedure so that I can update the passwords every night like I do with Samba3-LDAP.

Andrew, thanks for the pointers. I'm posting this in case it can help someone else.
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Duh... got it, nvm...

# Read the stored NT hash back and print it as hex
# (Python 2, continuing from the script quoted in the previous message)
import binascii
new_userdata = s4_passdb.getsampwnam("jtest")
print binascii.hexlify(new_userdata.nt_passwd)

And my troubleshooting was required by a typo that I made.. argh!

- Original Message -
From: Bo Kersey b...@vircio.com
To: Luc Lalonde luc.lalo...@polymtl.ca
Cc: samba@lists.samba.org, Andrew Bartlett abart...@samba.org
Sent: Tuesday, August 13, 2013 11:03:40 AM
Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection

Luc,

Very helpful...

I'm doing a migration from a very non-standard samba ldap implementation that we can't just migrate. We would like to save the users' passwords though. I'm testing using known password hashes and I'm having trouble authenticating after I change the passwords.

How can I extract what is being inserted into samba4 in order to verify that I'm doing things correctly?

Thanks!
Bo
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Ok this works:

#!/usr/bin/env python
import sys
sys.path.insert(0, "/usr/local/samba/lib64/python2.6/site-packages")
sys.path.insert(1, "/usr/local/samba/lib/python2.6/site-packages")
from samba import Ldb, registry
from samba.param import LoadParm
from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
from samba.samba3 import passdb
from samba.samba3 import param as s3param
from samba.dcerpc import lsa, samr, security
from samba.dcerpc.security import dom_sid
from samba.credentials import Credentials
from samba import dsdb
from samba.ndr import ndr_pack
from samba import unix2nttime

# Convert Hex to Byte string
def HexToByte( hexStr ):
    bytes = []
    hexStr = ''.join( hexStr.split( ) )
    for i in range(0, len(hexStr), 2):
        bytes.append( chr( int (hexStr[i:i+2], 16 ) ) )
    return ''.join( bytes )

# Connect to samba4 backend
new_lp_ctx = s3param.get_context()
new_lp_ctx.load("/usr/local/samba/etc/smb.conf")
new_lp_ctx.set("private dir", "/usr/local/samba/private")
s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))

# Change testuser password
new_userdata = s4_passdb.getsampwnam("testuser")
new_userdata.nt_passwd = HexToByte("878D8014606CDA29677A44EFA1353FC7")
new_userdata.lanman_passwd = HexToByte("552902031BEDE9EFAAD3B435B51404EE")
s4_passdb.update_sam_account(new_userdata)

I was missing some module paths and the extra info for connecting to the LDB database...

Now I just have to generalize this procedure so that I can update the passwords every night like I do with Samba3-LDAP.

Andrew, thanks for the pointers. I'm posting this in case it can help someone else.

- Original Message -
From: Luc Lalonde luc.lalo...@polymtl.ca
To: Andrew Bartlett abart...@samba.org
Cc: samba@lists.samba.org
Sent: Wednesday, March 27, 2013 7:38:05 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection

Hello Andrew,

How would I convert the below base16 strings into raw bytes acceptable to this routine? We presently inject the NTLM passwords directly into our LDAP database for Samba3.

Also, I can't seem to figure out the argument values for 'passdb.PDB'. I tried 'ldb', 'samba_dsdb'.

Thanks for your help!

On 2013-03-27, at 6:18 PM, Andrew Bartlett abart...@samba.org wrote:

> On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
>> Hello Andrew,
>>
>> I'm finally diving into this project... First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best.
>>
>> Here we go anyway... I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database. In the script I see these lines:
>>
>> ###
>> # Connect to samba4 backend
>> s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
>>
>> I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?
>>
>> Once that's done, from what I understand, I should be able to change the passwords directly:
>>
>> ###
>> # Change foo-user password
>> admin_userdata = s4_passdb.getsampwnam("foo-user")
>> admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
>> admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
>> s4_passdb.update_sam_account(admin_userdata)
>> ###
>
> Sort of. Those values are not base16 strings, but raw bytes, but otherwise that looks pretty much right at a first glance.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org

--
Luc Lalonde, analyst - Department of Computer Engineering: École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Hello Andrew,

Would this work:

###
def HexToByte( hexStr ):
    ##
    ## Taken from ActiveState Code recipes:
    ## http://code.activestate.com/recipes/510399-byte-to-hex-and-hex-to-byte-string-conversion
    bytes = []
    hexStr = ''.join( hexStr.split( ) )
    for i in range(0, len(hexStr), 2):
        bytes.append( chr( int (hexStr[i:i+2], 16 ) ) )
    return ''.join( bytes )

# Connect to samba4 backend
s4_passdb = passdb.PDB("samba4")

# Change foo-user password
admin_userdata = s4_passdb.getsampwnam("foo-user")
admin_userdata.nt_passwd = HexToByte("878D8014606CDA29677A44EFA1353FC7")
admin_userdata.lanman_passwd = HexToByte("552902031BEDE9EFAAD3B435B51404EE")
s4_passdb.update_sam_account(admin_userdata)
###

I'm trying to figure out how to connect to the local Samba4 database... What I have above 's4_passdb = passdb.PDB("samba4")' doesn't work. I tried 'ldb', 'samba_dsdb', and 'samba4' without success.

Any hints please?

Thanks!

- Original Message -
From: Andrew Bartlett abart...@samba.org
To: Luc Lalonde luc.lalo...@polymtl.ca
Cc: samba@lists.samba.org
Sent: Wednesday, March 27, 2013 6:18:15 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection

On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
> Hello Andrew,
>
> I'm finally diving into this project... First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best.
>
> Here we go anyway... I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database. In the script I see these lines:
>
> ###
> # Connect to samba4 backend
> s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
>
> I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?
>
> Once that's done, from what I understand, I should be able to change the passwords directly:
>
> ###
> # Change foo-user password
> admin_userdata = s4_passdb.getsampwnam("foo-user")
> admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
> admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
> s4_passdb.update_sam_account(admin_userdata)
> ###

Sort of. Those values are not base16 strings, but raw bytes, but otherwise that looks pretty much right at a first glance.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
Luc Lalonde, analyst - Department of Computer Engineering: École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
> Hello Andrew,
>
> I'm finally diving into this project... First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best.
>
> Here we go anyway... I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database. In the script I see these lines:
>
> ###
> # Connect to samba4 backend
> s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
>
> I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?
>
> Once that's done, from what I understand, I should be able to change the passwords directly:
>
> ###
> # Change foo-user password
> admin_userdata = s4_passdb.getsampwnam("foo-user")
> admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
> admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
> s4_passdb.update_sam_account(admin_userdata)
> ###

Sort of. Those values are not base16 strings, but raw bytes, but otherwise that looks pretty much right at a first glance.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
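Added example (not code from the thread or from Samba): a Python 3 pre-flight check for a nightly hash feed. It converts each hex string to the 16 raw bytes the reply above asks for, rejects malformed entries before anything is written, and compares a read-back value with its source. The "user:LMHEX:NTHEX" feed format and every function name are assumptions, and the two damaged sample lines are constructed.

```python
import binascii
import hmac

HASH_LEN = 16  # an NT or LM hash is 16 raw bytes, i.e. 32 hex digits

# Constructed sample feed in an assumed "user:LMHEX:NTHEX" format. The first
# line uses the hash values quoted in the thread; the other two are damaged
# on purpose (two digits dropped; letter O typed instead of zero).
SAMPLE_FEED = [
    "testuser:552902031BEDE9EFAAD3B435B51404EE:878D8014606CDA29677A44EFA1353FC7",
    "jtest:552902031BEDE9EFAAD3B435B51404EE:878D8014606CDA29677A44EFA1353F",
    "foo-user:552902031BEDE9EFAAD3B435B51404EE:878D8O14606CDA29677A44EFA1353FC7",
]


class HashFormatError(ValueError):
    """A hash string that is not exactly 32 hex digits."""


def hex_to_hash_bytes(hex_str):
    """Return the 16 raw bytes for a 32-digit hex string, or raise."""
    cleaned = "".join(hex_str.split())
    try:
        raw = binascii.unhexlify(cleaned)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise HashFormatError("not hex: %r (%s)" % (hex_str, exc))
    if len(raw) != HASH_LEN:
        raise HashFormatError("%r decodes to %d bytes, need %d"
                              % (hex_str, len(raw), HASH_LEN))
    return raw


def parse_feed(lines):
    """Return ({user: (lm_raw, nt_raw)}, [(line_number, reason)])."""
    good, rejected = {}, []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            user, lm_hex, nt_hex = line.split(":")
            good[user] = (hex_to_hash_bytes(lm_hex), hex_to_hash_bytes(nt_hex))
        except ValueError as exc:  # wrong field count or HashFormatError
            rejected.append((number, str(exc)))
    return good, rejected


def readback_matches(stored, source_hex):
    """True if the value read back from the account equals the source hash."""
    return hmac.compare_digest(bytes(stored), hex_to_hash_bytes(source_hex))


if __name__ == "__main__":
    good, rejected = parse_feed(SAMPLE_FEED)
    for user, (lm_raw, nt_raw) in good.items():
        print("ok      ", user, binascii.hexlify(nt_raw).decode())
    for number, reason in rejected:
        print("rejected line", number, "-", reason)
```

A stored value that is still the 32-character hex text rather than 16 raw bytes fails `readback_matches`, which is the mismatch described in the reply above.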
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Hello Andrew,

How would I convert the below base16 strings into raw bytes acceptable to this routine? We presently inject the NTLM passwords directly into our LDAP database for Samba3.

Also, I can't seem to figure out the argument values for 'passdb.PDB'. I tried 'ldb', 'samba_dsdb'.

Thanks for your help!

On 2013-03-27, at 6:18 PM, Andrew Bartlett abart...@samba.org wrote:

> On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
>> Hello Andrew,
>>
>> I'm finally diving into this project... First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best.
>>
>> Here we go anyway... I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database. In the script I see these lines:
>>
>> ###
>> # Connect to samba4 backend
>> s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
>>
>> I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?
>>
>> Once that's done, from what I understand, I should be able to change the passwords directly:
>>
>> ###
>> # Change foo-user password
>> admin_userdata = s4_passdb.getsampwnam("foo-user")
>> admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
>> admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
>> s4_passdb.update_sam_account(admin_userdata)
>> ###
>
> Sort of. Those values are not base16 strings, but raw bytes, but otherwise that looks pretty much right at a first glance.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Hello Andrew,

I'm finally diving into this project... First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best.

Here we go anyway... I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database. In the script I see these lines:

###
# Connect to samba4 backend
s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))

I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?

Once that's done, from what I understand, I should be able to change the passwords directly:

###
# Change foo-user password
admin_userdata = s4_passdb.getsampwnam("foo-user")
admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
s4_passdb.update_sam_account(admin_userdata)
###

Is that right?

Cheers.

--
Luc Lalonde, analyst - Department of Computer Engineering: École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca

- Original Message -
From: Andrew Bartlett abart...@samba.org
To: Luc Lalonde luc.lalo...@polymtl.ca
Cc: samba@lists.samba.org
Sent: Tuesday, December 11, 2012 10:22:21 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection

On Tue, 2012-12-11 at 21:48 -0500, Luc Lalonde wrote:
> Hello Folks,
>
> In our present Samba-3 setup we update user passwords in our LDAP backend. We only have access to the encrypted NTLM passwords and use Perl scripts to do this.
>
> Beyond importing the user database with the 'Classic upgrade' method, will we be able to adapt our Perl scripts so that we can keep updating the internal Samba-4 database with the encrypted passwords as we did with Samba-3?
>
> We've been using Samba for many years now and very much appreciate all the work done by the Samba team. Congrats on getting Samba-4 to stable status!

Yes, you can continue to do that.

The best approach would be to set it via the ldb python bindings, specifying the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control and unicodePwd, or via the python or C passdb API.

One approach you could code from is how we set the administrator password during the 'classicupgrade' script in source4/scripting/python/samba/upgrade.py.

Give that a go, but if you need more clues I'm very happy to help out.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[Samba] Samba 4 LDAP NTLM password nightly injection
Hello Folks,

In our present Samba-3 setup we update user passwords in our LDAP backend. We only have access to the encrypted NTLM passwords and use Perl scripts to do this.

Beyond importing the user database with the 'Classic upgrade' method, will we be able to adapt our Perl scripts so that we can keep updating the internal Samba-4 database with the encrypted passwords as we did with Samba-3?

We've been using Samba for many years now and very much appreciate all the work done by the Samba team. Congrats on getting Samba-4 to stable status!

Thank You!
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
On Tue, 2012-12-11 at 21:48 -0500, Luc Lalonde wrote:
> Hello Folks,
>
> In our present Samba-3 setup we update user passwords in our LDAP backend. We only have access to the encrypted NTLM passwords and use Perl scripts to do this.
>
> Beyond importing the user database with the 'Classic upgrade' method, will we be able to adapt our Perl scripts so that we can keep updating the internal Samba-4 database with the encrypted passwords as we did with Samba-3?
>
> We've been using Samba for many years now and very much appreciate all the work done by the Samba team. Congrats on getting Samba-4 to stable status!

Yes, you can continue to do that.

The best approach would be to set it via the ldb python bindings, specifying the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control and unicodePwd, or via the python or C passdb API.

One approach you could code from is how we set the administrator password during the 'classicupgrade' script in source4/scripting/python/samba/upgrade.py.

Give that a go, but if you need more clues I'm very happy to help out.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org