syncpassword and (strange) base64...

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

syncpassword and (strange) base64...

Samba - General mailing list

I've setup in my domain the 'samba-tool user syncpasswords' to catch
password changes, to propagate correctly to some legacy system.

I've done some tests, but today i've found the ''daemon'' is not
running. After fiddling a bit, i've found the culprit came from the
fact that a user have a base64 version of the password as:

        flhibllHV2tPVFMyIXIjcGpnWUE/cmV1Q3hjLm5BQUQycX5EdyR1NGh

[ i make a noke: this probably it is not a real password, but came from
  a 'samba-tool user setpassword --random-password' ]

some online base64 decoder decodes it as:

        ~XbnYGWkOTS2!r#pjgYA?reuCxc.nAAD2q~Dw$u4h

but if i try to decode with a local tool, i get:

 root@vdcsv1:~# echo "flhibllHV2tPVFMyIXIjcGpnWUE/cmV1Q3hjLm5BQUQycX5EdyR1NGh" | LANG=C base64 --decode
 ~XbnYGWkOTS2!r#pjgYA?reuCxc.nAAD2q~Dw$u4hbase64: invalid input
 root@vdcsv1:~# echo "flhibllHV2tPVFMyIXIjcGpnWUE/cmV1Q3hjLm5BQUQycX5EdyR1NGh" | LANG=C openssl base64 -d
 root@vdcsv1:~# echo "flhibllHV2tPVFMyIXIjcGpnWUE/cmV1Q3hjLm5BQUQycX5EdyR1NGh" | LANG=C python -m base64 -d
 Traceback (most recent call last):
   File "/usr/lib/python2.7/runpy.py", line 162, in _run_module_as_main
     "__main__", fname, loader, pkg_name)
   File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
     exec code in run_globals
   File "/usr/lib/python2.7/base64.py", line 360, in <module>
     test()
   File "/usr/lib/python2.7/base64.py", line 349, in test
     func(sys.stdin, sys.stdout)
   File "/usr/lib/python2.7/base64.py", line 306, in decode
     s = binascii.a2b_base64(line)
 binascii.Error: Incorrect padding
 root@vdcsv1:~# echo "flhibllHV2tPVFMyIXIjcGpnWUE/cmV1Q3hjLm5BQUQycX5EdyR1NGh" | LANG=C perl -MMIME::Base64 -ne 'printf "%s\n",decode_base64($_)'
 ~XbnYGWkOTS2!r#pjgYA?reuCxc.nAAD2q~Dw$u4h

so:

a) 'base64' decode it, but bump an error

b) openssl does nothing

c) python bump an error

d) perl decode it


Seems a bit strange to me...

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: syncpassword and (strange) base64...

Samba - General mailing list

> Seems a bit strange to me...

Seems a bug to me, so i've fired up:

        https://bugzilla.samba.org/show_bug.cgi?id=13114


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: syncpassword and (strange) base64...

Samba - General mailing list
On Tue, 31 Oct 2017 18:19:39 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

>
> > Seems a bit strange to me...
>
> Seems a bug to me, so i've fired up:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13114
>
>
> Thanks.
>

I normally only use 'samba-tool user setpassword --random-password'
when I create a user that will never log in and then use kerberos with
a program e.g. squid. I usually also set the password to never expire.

So, the question has to be, just what do you need to sync the passwords
to ?

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: syncpassword and (strange) base64...

Samba - General mailing list
Mandi! Rowland Penny via samba
  In chel di` si favelave...

> I normally only use 'samba-tool user setpassword --random-password'
> when I create a user that will never log in and then use kerberos with
> a program e.g. squid. I usually also set the password to never expire.

Silimar user case. I need to create accounts by scripts, where
passwords are set by other means (eg, another scripts).
Practically, i'm ''syncing'' my old NT domains with my new AD one.


> So, the question has to be, just what do you need to sync the passwords
> to ?

Really i don't need that. But 'samba-tool user setpassword --random-password'
passwords get processed by 'syncpasswords', as ''normal'' ones.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: syncpassword and (strange) base64...

Samba - General mailing list
On Tue, 2017-10-31 at 19:05 +0100, Marco Gaiarin via samba wrote:

>
> > So, the question has to be, just what do you need to sync the passwords
> > to ?
>
> Really i don't need that. But 'samba-tool user setpassword --random-password'
> passwords get processed by 'syncpasswords', as ''normal'' ones.

Either way, if we can't handle long passwords we need to fix that.

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: syncpassword and (strange) base64...

Samba - General mailing list
Mandi! Andrew Bartlett via samba
  In chel di` si favelave...

> Either way, if we can't handle long passwords we need to fix that.

Ahem, i've noted that syncpasswords emit a LDIF-like format, but never
minded about the long lines...

In my script i've added a sed call to unwrap long lines, and base64 is
correct now.


Sorry.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba