Samba: change a Windows user’s hashed password. And then change it back.

Posted by Timothy O'Connell in General on May 21, 2009

File this one under "hacks". Cross-list it under "more basic administrative tasks you can't do on Windows".

Here's the situation: you're the admin of a Windows domain where the Domain Controller is a Linux box running Samba with its accounts in LDAP. Your problem, other than the fact that you're surrounded by Windows users, is that you've got a user whose password you don't know and, for whatever reason, you need to log onto your Windows domain as that user: a simple RUNAS won't cut it this time.

Normally, you'd just nuke his password, change it to "password" (or whatever), log on as him, do your dirty, sinful business, log off, expire his password and then send him an email telling him that his password has been changed to "password" and that he'll be prompted to change it at his next log on.

But what if that wasn't an option? What if you needed to log on to your domain as that user and it was important that he be none the wiser?

Grab the Hashes

First, use your favorite smbldap-type tool to get the current password info on the user you're fixin' to use:

frances:~# smbldap-usershow toconnell
dn: uid=toconnell,ou=Users,dc=domain,dc=com
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: toconnell
sn: toconnell
givenName: toconnell
uid: toconnell
uidNumber: 1007
[...]
sambaPwdCanChange: 1202398556
sambaPwdMustChange: 9223372036854775807
sambaLMPassword: BE41CD009FF0812C718CCFD7D98A52AA
sambaNTPassword: 9454453CBC8A48DEF442F6B0A10B3EAA
sambaPwdLastSet: 1202398556
userPassword: {SSHA}baSDvXS6C6DSBNkJGyEYplprZ3wslAa/

Copy the dn line and the three password lines (sambaLMPassword, sambaNTPassword and userPassword) and stick them somewhere safe, meaning somewhere the user can't read them: the NT and LM hashes are password-equivalent for NTLM logons, not merely verifiers. The dn is the LDAP name of the record you'll be modifying later; the hashes are the user's original password in the only form you'll ever have it, and when you want to cover your tracks you'll need them. Grab sambaPwdLastSet too, because smbldap-passwd stamps it with the time of the reset and a fresh timestamp is a giveaway.

Now that you've got those hashes, you're free to nuke the user's password (again, using your favorite smbldap-type-tool or however else you like to reset passwords), log in as him, do whatever you have to do, and then log out:

frances:~# smbldap-passwd toconnell
Changing UNIX and samba passwords for toconnell
New password:
Retype new password:

Once you're out, you're going to want to set his password back to what it once was. This is where ldapmodify comes into play.

Kerberos

Before you can do that, however, you'll need to authenticate to the directory as someone allowed to write those attributes. On this setup slapd accepts SASL/GSSAPI binds, and ldapmodify uses SASL unless you tell it otherwise, so you need a Kerberos ticket for an admin principal before your modifications will stick. (If your slapd only does simple binds, skip kinit and pass -x -D <admin dn> -W to ldapmodify instead.) So, first things first, get yourself an admin kerberos ticket:

frances:~# kinit toconnell/admin
Password for toconnell/admin@DOMAIN.COM:
frances:~# 

ldapmodify

A quick glance at the man page for ldapmodify shows that the most convenient way to make changes to an ldap entry is to use the -f flag and an input file. The example in the man page for how to construct the input file is this:

dn: cn=Modify Me,dc=example,dc=com
changetype: modify
replace: mail
mail: modme@example.com
-
add: title
title: Grand Pooba

So, using the data we got above, we're going to make a similar file containing the original hashes from our target user in order to change his password back to what it used to be:

dn: uid=toconnell,ou=Users,dc=domain,dc=com
changetype: modify
replace: sambaLMPassword
sambaLMPassword: BE41CD009FF0812C718CCFD7D98A52AA
-
replace: sambaNTPassword
sambaNTPassword: 9454453CBC8A48DEF442F6B0A10B3EAA
-
replace: userPassword
userPassword: {SSHA}baSDvXS6C6DSBNkJGyEYplprZ3wslAa/

Remember to include those "-" characters and to give them their own line: if you fail to do that, you'll get mystery errors about unknown types, etc.

Once you've got your file, fire off your changes like this:

ldapmodify -f /path/to/file

And that's all you've got to do. When the user next logs in with his old password, Samba checks it against the restored hashes and everything looks perfectly normal to him: you never saw his password in plaintext. Don't mistake that for leaving no trace, though. smbldap-passwd also rewrote sambaPwdLastSet when you reset the password (compare the entry before and after to catch anything else it touched, and put that back too), slapd's log records the modifications, and, depending on log levels, Samba on the DC and the workstation you logged on from record the session. As far as the user is concerned, none of this ever happened; as far as the logs are concerned, it did.
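The two halves of the procedure above (dump the entry before resetting the password, then build the modify LDIF that puts it back) are easy to get subtly wrong by hand, as the mismatched userPassword value in the restore file shows. Here is an added example, not from the original post, that captures the entry with ldapsearch and generates the restore LDIF mechanically from that saved dump, including sambaPwdLastSet, which smbldap-passwd overwrites. The bind DN, base DN and function names are assumptions, and the sample entry at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Saves the attributes of a Samba/LDAP
# user that smbldap-passwd overwrites, and later turns that saved dump into the
# modify LDIF that ldapmodify replays to restore them. The bind DN, base DN and
# function names are assumptions; SAMPLE_DUMP is a constructed entry.

# Attributes that have to go back to their original values. sambaPwdLastSet is
# included because smbldap-passwd stamps it with the reset time.
RESTORE_ATTRS="sambaLMPassword sambaNTPassword userPassword sambaPwdLastSet"

# Step 1: dump the user's entry before resetting anything. Needs a live directory,
# so it is not run here; -LLL gives plain LDIF, which is what restore_ldif expects.
capture_entry() {
    user="$1"; out="$2"
    ldapsearch -LLL -x -D "cn=admin,dc=domain,dc=com" -W \
        -b "ou=Users,dc=domain,dc=com" "(uid=$user)" $RESTORE_ATTRS > "$out" \
        && chmod 600 "$out"
}

# Step 2: rewrite the dump as a "changetype: modify" LDIF. Reads a file argument or
# stdin. Lines are copied verbatim, so base64 values ("attr:: ...", which ldapsearch
# emits for userPassword) stay valid; operations are separated by "-" lines.
restore_ldif() {
    awk -v attrs="$RESTORE_ATTRS" '
    BEGIN { n = split(attrs, want, " "); for (i = 1; i <= n; i++) keep[want[i]] = 1 }
    /^dn: / { print; print "changetype: modify"; next }
    /^[A-Za-z]+::? / {
        attr = $1; sub(/:+$/, "", attr)
        if (attr in keep) {
            if (seen++) print "-"
            print "replace: " attr
            print
        }
    }' ${1:+"$1"}
}

# Step 3 would be:  restore_ldif saved.ldif | ldapmodify        (SASL/GSSAPI bind)
#              or:  restore_ldif saved.ldif | ldapmodify -x -D "cn=admin,dc=domain,dc=com" -W

# Constructed sample dump, standing in for the output of capture_entry.
SAMPLE_DUMP='dn: uid=toconnell,ou=Users,dc=domain,dc=com
uid: toconnell
sambaPwdLastSet: 1202398556
sambaLMPassword: BE41CD009FF0812C718CCFD7D98A52AA
sambaNTPassword: 9454453CBC8A48DEF442F6B0A10B3EAA
userPassword: {SSHA}baSDvXS6C6DSBNkJGyEYplprZ3wslAa/'

printf '%s\n' "$SAMPLE_DUMP" | restore_ldif
```

Because the generated file is derived from the saved dump rather than retyped, the restored values are exactly the ones that were in the directory, and attributes that are not in RESTORE_ATTRS (uid, cn and so on) are left alone. If a before/after comparison of the entry shows smbldap-passwd touching something else on your installation, add that attribute to RESTORE_ATTRS and the same script covers it.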

1 Comment

Mike

“you’ve got a user who’s password you don’t know”

It’s “whose”, not “who’s”. Nice article on how to potentially violate the law with a little platform bigotry for added flava’ :)
