retrieve machine password in current Samba?

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

retrieve machine password in current Samba?

Samba - General mailing list
We have a wireless network that uses 802.1x authentication, in which domain joined computers use their machine credentials to connect.


Windows machines do this automatically, and until recently Linux computers could join using wicd, wpa-supplicant, and a simple script that would retrieve the machine password with tdbdump.


( specifically tdbdump -k SECRETS/MACHINE_PASSWORD/DOMAIN /var/lib/samba/private/secrets.tdb )


On older machines running Samba 4.2 (Debian Jessie) tdbdump gives a working password such as this:


]f2>lOR4NA~hbv\00  where the actual password is  ]f2>lOR4NA~hbv


On newer machines running Samba 4.5 (Debian Stretch) tdbdump gives an encrypted password such as this:


\EE\A9\8D\EF\AD\AC\E2\A1\9D\E2\A0\8C\E3\96\8E\E7\B0\A8\EE\97\AA\E2\8E\9F\E2\A2\8F\EB\85\BF\EE\B7\8B\EA\A7\A9\EA\97\B8\D2\86\E6\83\AB\EE\82\AA\E3\A9\BB\E3\8A\8D\E2\86\9B\E2\8C\92\E6\8C\A6\EA\85\A5\E6\8F\82\EF\96\94\EF\9C\82\E7\8D\B3\E7\8F\93\E7\B8\AA\E7\A7\B7\EE\88\96\E2\A3\9B\EB\AA\B0\E6\B6\A7\EF\B6\B7\EA\A2\AD\EF\A8\88\EA\BB\B6\EE\A4\9A\E3\99\A6\EE\93\96\E2\BD\84\EB\95\93\E3\87\A2\E2\9D\98\EE\BE\8A\E6\8F\A2\EF\AE\91\EB\B5\AA\E7\A5\AF\E7\A4\A6\CD\A5\EF\80\9A\E3\AC\A9\E6\95\9E\E3\A9\BE\EE\94\82\EA\BF\94\E2\B7\8E\E2\94\96\EF\9B\BB\EA\A4\BB\E2\8B\9A\E6\B7\9C\E6\97\B7\E3\8C\BF\E3\98\9A\EA\88\89\E3\94\91\E7\88\83\E7\95\A3\EE\B6\93\EB\A2\9F\E3\94\85\EF\97\8E\E3\BE\8B\EB\BF\8A\E7\BB\8D\E7\A5\95\EB\89\83\E3\8F\A7\EA\8B\9C\EA\BA\BD\E3\BA\B5\E2\B7\BC\E7\B4\8A\EA\83\97\EB\89\8B\EE\9B\91\E2\BA\9D\EE\AC\B4\E3\A5\84\EE\A0\A1\EE\B0\A7\EF\90\AC\EF\8F\8C\E3\AB\A5\E6\96\81\E7\A6\83\EA\80\BB\E2\B9\8B\E6\B2\9F\EF\91\8E\C7\AA\E7\AB\B0\EB\A6\B7\E7\BB\B4\E6\AA\87\E2\B1\94\E2\A2\90\E7\93\BC\EE\AD\AF\E7\89\A1\E6\BA\BC\EB\85\92\EA\A2\97\EF\82\9B\E3\A4\B8\EF\AE\9B\EE\86\9B\EB\82\80\EB\99\9C\E2\A5\AB\EB\A7\8E\EA\89\89\EA\8E\B6\E3\A7\95\E7\B5\A0\E7\BF\B9>\EB\AC\8A\E3\8E\A4\E7\90\98\EA\92\B0\EF\8C\9A\E3\B4\BE\EE\8A\A5\E6\87\B0\E7\BE\90\EF\8F\95\EE\92\88\EB\88\88\E3\B2\BB\E6\97\B7\E3\98\A8\EB\A3\BD\EF\83\AA\EE\B6\B4\E2\A3\B6\E6\8C\8C\EB\83\BD\EF\A1\A8\EB\8A\A7\E3\89\92\E2\86\93\EA\BD\84\E6\83\A4\E2\B8\B5\EA\9A\A2\EB\8B\BE\EE\B5\B5\EB\9D\A3\EF\82\AF\E6\B2\A8\E3\AB\BB\EE\A6\8A\E6\A5\81\E6\A8\B3\D0\97\E6\82\8D\EE\B7\B6\EB\87\9E\EA\AE\BF\EE\A8\8D\EB\9F\8C\EA\A8\AD\EF\B8\9E\EE\BC\85\E6\AD\A1\E7\92\9D\E3\AC\9F\D9\BD\E6\BB\B1\EA\AE\AD\E3\BC\AB\CF\92\E2\8A\8D\E6\AE\8C\00


This second "password" isn't usable by wicd.


The Samba wiki still refers to getting the current machine password from secrets.tdb:  https://wiki.samba.org/index.php/Keytab_Extraction  That wiki link is about generating keytabs but the process used to retrieve the password is just like the one I was using.


Is there a currently supported method for retrieving the machine password in a form that's usable by external scripts such as wicd?


Thanks!


James




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: retrieve machine password in current Samba?

Samba - General mailing list
On Fri, Aug 25, 2017 at 10:06:59PM +0000, James Zuelow via samba wrote:

> We have a wireless network that uses 802.1x authentication, in which domain joined computers use their machine credentials to connect.
>
>
> Windows machines do this automatically, and until recently Linux computers could join using wicd, wpa-supplicant, and a simple script that would retrieve the machine password with tdbdump.
>
>
> ( specifically tdbdump -k SECRETS/MACHINE_PASSWORD/DOMAIN /var/lib/samba/private/secrets.tdb )
>
>
> On older machines running Samba 4.2 (Debian Jessie) tdbdump gives a working password such as this:
>
>
> ]f2>lOR4NA~hbv\00  where the actual password is  ]f2>lOR4NA~hbv
>
>
> On newer machines running Samba 4.5 (Debian Stretch) tdbdump gives an encrypted password such as this:
>
>
> \EE\A9\8D\EF\AD\AC\E2\A1\9D\E2\A0\8C\E3\96\8E\E7\B0\A8\EE\97\AA\E2\8E\9F\E2\A2\8F\EB\85\BF\EE\B7\8B\EA\A7\A9\EA\97\B8\D2\86\E6\83\AB\EE\82\AA\E3\A9\BB\E3\8A\8D\E2\86\9B\E2\8C\92\E6\8C\A6\EA\85\A5\E6\8F\82\EF\96\94\EF\9C\82\E7\8D\B3\E7\8F\93\E7\B8\AA\E7\A7\B7\EE\88\96\E2\A3\9B\EB\AA\B0\E6\B6\A7\EF\B6\B7\EA\A2\AD\EF\A8\88\EA\BB\B6\EE\A4\9A\E3\99\A6\EE\93\96\E2\BD\84\EB\95\93\E3\87\A2\E2\9D\98\EE\BE\8A\E6\8F\A2\EF\AE\91\EB\B5\AA\E7\A5\AF\E7\A4\A6\CD\A5\EF\80\9A\E3\AC\A9\E6\95\9E\E3\A9\BE\EE\94\82\EA\BF\94\E2\B7\8E\E2\94\96\EF\9B\BB\EA\A4\BB\E2\8B\9A\E6\B7\9C\E6\97\B7\E3\8C\BF\E3\98\9A\EA\88\89\E3\94\91\E7\88\83\E7\95\A3\EE\B6\93\EB\A2\9F\E3\94\85\EF\97\8E\E3\BE\8B\EB\BF\8A\E7\BB\8D\E7\A5\95\EB\89\83\E3\8F\A7\EA\8B\9C\EA\BA\BD\E3\BA\B5\E2\B7\BC\E7\B4\8A\EA\83\97\EB\89\8B\EE\9B\91\E2\BA\9D\EE\AC\B4\E3\A5\84\EE\A0\A1\EE\B0\A7\EF\90\AC\EF\8F\8C\E3\AB\A5\E6\96\81\E7\A6\83\EA\80\BB\E2\B9\8B\E6\B2\9F\EF\91\8E\C7\AA\E7\AB\B0\EB\A6\B7\E7\BB\B4\E6\AA\87\E2\B1\94\E2\A2\90\E7\93\BC\EE\AD\AF\E7\89\A1\E6\BA\BC\EB\85\92\EA\A2\97\EF\82\9B\E3\A4\B8\EF\AE\9B\EE\86\9B\EB\82\80\EB\99\9C\E2\A5\AB\EB\A7\8E\EA\89\89\EA\8E\B6\E3\A7\95\E7\B5\A0\E7\BF\B9>\EB\AC\8A\E3\8E\A4\E7\90\98\EA\92\B0\EF\8C\9A\E3\B4\BE\EE\8A\A5\E6\87\B0\E7\BE\90\EF\8F\95\EE\92\88\EB\88\88\E3\B2\BB\E6\97\B7\E3\98\A8\EB\A3\BD\EF\83\AA\EE\B6\B4\E2\A3\B6\E6\8C\8C\EB\83\BD\EF\A1\A8\EB\8A\A7\E3\89\92\E2\86\93\EA\BD\84\E6\83\A4\E2\B8\B5\EA\9A\A2\EB\8B\BE\EE\B5\B5\EB\9D\A3\EF\82\AF\E6\B2\A8\E3\AB\BB\EE\A6\8A\E6\A5\81\E6\A8\B3\D0\97\E6\82\8D\EE\B7\B6\EB\87\9E\EA\AE\BF\EE\A8\8D\EB\9F\8C\EA\A8\AD\EF\B8\9E\EE\BC\85\E6\AD\A1\E7\92\9D\E3\AC\9F\D9\BD\E6\BB\B1\EA\AE\AD\E3\BC\AB\CF\92\E2\8A\8D\E6\AE\8C\00
>
>
> This second "password" isn't usable by wicd.
>
>
> The Samba wiki still refers to getting the current machine password from secrets.tdb:  https://wiki.samba.org/index.php/Keytab_Extraction  That wiki link is about generating keytabs but the process used to retrieve the password is just like the one I was using.
>
>
> Is there a currently supported method for retrieving the machine password in a form that's usable by external scripts such as wicd?

Looking at the code I think it's now returning the plaintext password,
whereas previously it only stored the password hash. You'll have to hash
to make it useful by wicd it seems (I'm guessing wicd expects the hash,
not the plaintext).

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: retrieve machine password in current Samba?

Samba - General mailing list


> -----Original Message-----
> From: Jeremy Allison [mailto:[hidden email]]
> Sent: Friday, August 25, 2017 3:48 PM


> Looking at the code I think it's now returning the plaintext password, whereas
> previously it only stored the password hash. You'll have to hash to make it
> useful by wicd it seems (I'm guessing wicd expects the hash, not the plaintext).

OK.

I guess I had that backwards.  I thought that the new version (\EE\A9\8D\EF\AD\AC...) was giving me an encrypted (or hashed I guess) value, and the old version ( ]f2>lOR4NA~hbv ) was the plaintext password.

I'll see if I can't translate that over somehow.  

Thank you!

James


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: retrieve machine password in current Samba?

Samba - General mailing list
On Sat, 2017-08-26 at 01:02 +0000, James Zuelow via samba wrote:

> > -----Original Message-----
> > From: Jeremy Allison [mailto:[hidden email]]
> > Sent: Friday, August 25, 2017 3:48 PM
>
>
> > Looking at the code I think it's now returning the plaintext password, whereas
> > previously it only stored the password hash. You'll have to hash to make it
> > useful by wicd it seems (I'm guessing wicd expects the hash, not the plaintext).
>
> OK.
>
> I guess I had that backwards.  I thought that the new version (\EE\A9\8D\EF\AD\AC...) was giving me an encrypted (or hashed I guess) value, and the old version ( ]f2>lOR4NA~hbv ) was the plaintext password.
>
> I'll see if I can't translate that over somehow.  

The recent secrets changes to store the krb5 hashes changed some things
to use a IDL defined NDR packed structure.  I've not checked the
details, but that might be what you are seeing.

This is a very valid use case, we clearly do need a net sub-command to
just print it.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: retrieve machine password in current Samba?

Samba - General mailing list


> -----Original Message-----
> From: Andrew Bartlett [mailto:[hidden email]]
> Sent: Saturday, August 26, 2017 12:38 PM
> To: James Zuelow; [hidden email]
> Subject: Re: [Samba] retrieve machine password in current Samba?

-- >8 -- snip -- 8< --
>
> The recent secrets changes to store the krb5 hashes changed some things to
> use a IDL defined NDR packed structure.  I've not checked the details, but that
> might be what you are seeing.
>
> This is a very valid use case, we clearly do need a net sub-command to just
> print it.
>
> Andrew Bartlett

Andrew,

Would there be a way for me to translate that back somehow?  I'm thinking that even if a new net command came out, I would be waiting for Debian to release Buster before I saw it show up on my stable machines.

Thanks!


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: retrieve machine password in current Samba?

Samba - General mailing list
On Thu, 2017-09-07 at 22:02 +0000, James Zuelow via samba wrote:

> > -----Original Message-----
> > From: Andrew Bartlett [mailto:[hidden email]]
> > Sent: Saturday, August 26, 2017 12:38 PM
> > To: James Zuelow; [hidden email]
> > Subject: Re: [Samba] retrieve machine password in current Samba?
>
> -- >8 -- snip -- 8< --
> >
> > The recent secrets changes to store the krb5 hashes changed some
> > things to
> > use a IDL defined NDR packed structure.  I've not checked the
> > details, but that
> > might be what you are seeing.
> >
> > This is a very valid use case, we clearly do need a net sub-command
> > to just
> > print it.
> >
> > Andrew Bartlett
>
> Andrew,
>
> Would there be a way for me to translate that back somehow?  I'm
> thinking that even if a new net command came out, I would be waiting
> for Debian to release Buster before I saw it show up on my stable
> machines.

I've looked into this, and I don't think we have changed the format, it
is just that we stopped keeping to ascii and small lengths for the
passwords.  That flood of binary stuff is really the password!

So, the tdbdump output is still correct, but do you have to un-escape
it.

Otherwise, the attached script will print it on stdout, if you like it
and it works for you I can drop it in source4/scripting/bin for
posterity.

Sorry for the confusion!

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: retrieve machine password in current Samba?

Samba - General mailing list


> -----Original Message-----
> From: Andrew Bartlett [mailto:[hidden email]]
> Sent: Thursday, September 7, 2017 3:41 PM
> To: James Zuelow; [hidden email]
> Subject: Re: [Samba] retrieve machine password in current Samba?
 -- >8 -- snip -- 8< --
 

> I've looked into this, and I don't think we have changed the format, it is just that
> we stopped keeping to ascii and small lengths for the passwords.  That flood of
> binary stuff is really the password!
>
> So, the tdbdump output is still correct, but do you have to un-escape it.
>
> Otherwise, the attached script will print it on stdout, if you like it and it works
> for you I can drop it in source4/scripting/bin for posterity.
>
> Sorry for the confusion!
>
> Andrew Bartlett

The confusion was on my part - when I tried to look at the string after unescaping it I was getting a jumble of Unicode characters and not the ascii string I was used to.  I spent a lot of effort trying to get that back into the form that I saw in the past, not realizing I didn't have to.

But using your script and plugging that into wicd's wireless password works very well.

Essentially it boils down to:

Editing wicd's wireless-settings.conf:

identity = host/HOSTNAME.local.domain
beforescript = /usr/local/sbin/machine-passwd.sh

And then machine-passwd.sh is similar to:

password=`/usr/local/sbin/machineaccountpw`
wicd-cli -y -n (network-id)  --network-property password -s "${password}"

(I have a little logic in there to grab the network ID since it changes from time to time.)

Then when wicd connects, it presents the username of the machine account and the current machine password, whatever that may be.  I could probably work with your script to insert the password into wireless-settings.conf directly, but I’m too lazy to do that now that this is working.

Thank you very much!

James
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: retrieve machine password in current Samba?

Samba - General mailing list
On Fri, 2017-09-08 at 01:43 +0000, James Zuelow via samba wrote:

> > -----Original Message-----
> > From: Andrew Bartlett [mailto:[hidden email]]
> > Sent: Thursday, September 7, 2017 3:41 PM
> > To: James Zuelow; [hidden email]
> > Subject: Re: [Samba] retrieve machine password in current Samba?
>
>  -- >8 -- snip -- 8< --
>  
> > I've looked into this, and I don't think we have changed the
> > format, it is just that
> > we stopped keeping to ascii and small lengths for the
> > passwords.  That flood of
> > binary stuff is really the password!
> >
> > So, the tdbdump output is still correct, but do you have to un-
> > escape it.
> >
> > Otherwise, the attached script will print it on stdout, if you like
> > it and it works
> > for you I can drop it in source4/scripting/bin for posterity.
> >
> > Sorry for the confusion!
> >
> > Andrew Bartlett
>
> The confusion was on my part - when I tried to look at the string
> after unescaping it I was getting a jumble of Unicode characters and
> not the ascii string I was used to.  I spent a lot of effort trying
> to get that back into the form that I saw in the past, not realizing
> I didn't have to.

:-)

> But using your script and plugging that into wicd's wireless password
> works very well.
>
> Essentially it boils down to:
>
> Editing wicd's wireless-settings.conf:
>
> identity = host/HOSTNAME.local.domain
> beforescript = /usr/local/sbin/machine-passwd.sh
>
> And then machine-passwd.sh is similar to:
>
> password=`/usr/local/sbin/machineaccountpw`
> wicd-cli -y -n (network-id)  --network-property password -s
> "${password}"
>
> (I have a little logic in there to grab the network ID since it
> changes from time to time.)
>
> Then when wicd connects, it presents the username of the machine
> account and the current machine password, whatever that may be.  I
> could probably work with your script to insert the password into
> wireless-settings.conf directly, but I’m too lazy to do that now that
> this is working.

While I don't like it being on the command line, avoiding putting it in
a config file is also a good idea, as Samba will change the password
every week.

> Thank you very much!

I'm glad to have helped!

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: retrieve machine password in current Samba?

Samba - General mailing list
In reply to this post by Samba - General mailing list
08.09.2017 3:41, Andrew Bartlett via samba пишет:

> Otherwise, the attached script will print it on stdout, if you like it
> and it works for you I can drop it in source4/scripting/bin for
> posterity.

May I ask about machine passwords also?
(I can't see any attached scripts in your email, by the way. You send it
off-the-list?)

Someday in the past I accidentally delete some machine accounts from AD
(using ADUC). When I googled about what can I restore it, i found the
long story about "tombstone" and not/support it in samba, and many
troubles with "deleted" attributes and so on.

But it is another way to restore it - restore ldap object to "normal"
state without "deleted" attribute by hand and set machine password by
hand (it is lost after "delete" in ADUC).

Where I can find and how to extract that machine password?
Is there any sense to doing this?


--
Administrator

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba