Creating a Samba password
#1
The question sounds simple. However, it is (probably) not easy to answer:

How can I set the encrypted password hash for a user in the smbpasswd file without any helper tools? The system only has the Samba daemon, without scripts for changing the password. How can I create a user + encrypted password hash myself (standalone tools, a program under Windows, copying the password line from a desktop Linux, ...)? Unfortunately I couldn't find anything apart from the Linux-native methods.


"smbpasswd":
Code:
root:0:B267DF22CB945E3EAAD3B435B51404EE:36AA83BDCAB3C9FDAF321CA42A31C3FC:[UX         ]:LCT-3870EF8D:

Pls Help
Reply
#2
I'll be lazy...
Code:
       name   This  is the user name. It must be a name that already exists in
              the standard UNIX passwd file.
       uid    This is the UNIX uid. It must match the uid field for  the  same
              user  entry  in  the standard UNIX passwd file. If this does not
              match then Samba will refuse to recognize  this  smbpasswd  file
              entry as being valid for a user.
       Lanman Password Hash
              This  is  the  LANMAN hash of the user's password, encoded as 32
              hex digits. The LANMAN hash is created by DES encrypting a  well
              known  string  with  the user's password as the DES key. This is
              the same password used by Windows 95/98 machines. Note that this
              password hash is regarded as weak as it is vulnerable to dictio-
              nary attacks and if two users  choose  the  same  password  this
              entry  will  be  identical (i.e. the password is not "salted" as
              the UNIX password is). If the user  has  a  null  password  this
              field  will contain the characters "NO PASSWORD" as the start of
              the hex string. If the hex string is equal to 32 'X'  characters
              then  the  user's account is marked as disabled and the user will
              not be able to log onto the Samba server.
              WARNING !! Note that, due to the  challenge-response  nature  of
              the SMB/CIFS authentication protocol, anyone with a knowledge of
              this password hash will be able to impersonate the user  on  the
              network.  For  this  reason these hashes are known as plain text
              equivalents and must NOT be made available  to  anyone  but  the
              root  user.  To  protect  these  passwords the smbpasswd file is
              placed in a directory with read and traverse access only to  the
              root  user  and  the  smbpasswd  file  itself  must be set to be
              read/write only by root, with no other access.
       NT Password Hash
              This is the Windows NT hash of the user's password,  encoded  as
              32  hex  digits.  The  Windows  NT hash is created by taking the
              user's password as represented in 16-bit, little-endian  UNICODE
              and  then  applying the MD4 (internet rfc1321) hashing algorithm
              to it.
              This password hash is considered more  secure  than  the  LANMAN
              Password  Hash as it preserves the case of the password and uses
              a much higher quality hashing algorithm. However,  it  is  still
              the  case  that if two users choose the same password this entry
              will be identical (i.e. the password is not "salted" as the UNIX
              password is).
              WARNING  !!.  Note that, due to the challenge-response nature of
              the SMB/CIFS authentication protocol, anyone with a knowledge of
              this  password  hash will be able to impersonate the user on the
              network. For this reason these hashes are known  as  plain  text
              equivalents  and  must  NOT  be made available to anyone but the
              root user. To protect these  passwords  the  smbpasswd  file  is
              placed  in a directory with read and traverse access only to the
              root user and the smbpasswd  file  itself  must  be  set  to  be
              read/write only by root, with no other access.
       Account Flags
              This  section contains flags that describe the attributes of the
              users account. In the Samba 2.2 release this field is  bracketed
              by  '[' and ']' characters and is always 13 characters in length
              (including the '[' and ']' characters).  The  contents  of  this
              field may be any of the following characters:
              ·  U  -  This  means  this is a "User" account, i.e. an ordinary
                 user. Only User and Workstation Trust accounts are  currently
                 supported in the smbpasswd file.
              ·  N  - This means the account has no password (the passwords in
                 the fields LANMAN Password Hash  and  NT  Password  Hash  are
                 ignored). Note that this will only allow users to log on with
                 no password if  the   null  passwords  parameter  is  set  in
                 the smb.conf(5) config file.
              ·  D - This means the account is disabled and no SMB/CIFS logins
                 will be allowed for this user.
              ·  W - This means this account is a "Workstation Trust" account.
                 This  kind of account is used in the Samba PDC code stream to
                 allow Windows NT Workstations and Servers to  join  a  Domain
                 hosted by a Samba PDC.
       Other flags may be added as the code is extended in future. The rest of
       this field space is filled in with spaces.
       Last Change Time
              This field consists of the time the account was  last  modified.
              It  consists of the characters 'LCT-' (standing for "Last Change
              Time") followed by a numeric encoding of the UNIX time  in  sec-
              onds since the epoch (1970) that the last change was made.
       All other colon separated fields are ignored at this time.

I couldn't find a suitable decoding tool on short notice, but the descriptions of the fields might be helpful.

[edit]
openssl is supposedly able to handle the various encryptions
[/edit]

- Silkem
Reply
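The field layout quoted in post #2 can be checked mechanically before a hand-built entry is copied to the server. The following Python sketch is an added example, not code from the thread or from Samba: it parses one smbpasswd entry and reports the weaknesses the man page text warns about. The helper name `audit_smbpasswd_line` is made up for illustration, and reading the LCT digits as hexadecimal is an assumption based on the sample line in post #1.

```python
import re
from datetime import datetime, timezone

# LM hash of an empty 7-character half: a password of 7 characters or fewer
# always produces this value as the second 16 hex digits of the LANMAN hash.
EMPTY_LM_HALF = "AAD3B435B51404EE"
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

# Entry from post #1 (flags field rebuilt as "[UX" + 9 spaces + "]").
SAMPLE = ("root:0:B267DF22CB945E3EAAD3B435B51404EE:"
          "36AA83BDCAB3C9FDAF321CA42A31C3FC:[UX" + " " * 9 + "]:LCT-3870EF8D:")

def audit_smbpasswd_line(line):
    """Hypothetical helper: parse one entry, return (fields, findings)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 6:
        raise ValueError("expected at least 6 colon-separated fields")
    name, uid, lm, nt, flags, lct = parts[:6]
    if not uid.isdigit():
        raise ValueError("uid is not numeric")
    if len(flags) != 13 or flags[0] != "[" or flags[-1] != "]":
        raise ValueError("account flags must be 13 characters inside [ ]")
    if not re.fullmatch(r"LCT-[0-9A-Fa-f]{1,8}", lct):
        raise ValueError("malformed last change time")
    flag_set = set(flags[1:-1].replace(" ", ""))
    # Assumption: the LCT digits are hexadecimal seconds since the epoch.
    changed = datetime.fromtimestamp(int(lct[4:], 16), tz=timezone.utc)
    findings = []
    if "D" in flag_set or lm == "X" * 32:
        findings.append("account disabled")
    if "N" in flag_set or lm.startswith("NO PASSWORD"):
        findings.append("no password set")
    if HEX32.fullmatch(lm):
        findings.append("LANMAN hash stored (weak, unsalted)")
        if lm[16:].upper() == EMPTY_LM_HALF:
            findings.append("password has at most 7 characters")
    if not HEX32.fullmatch(nt):
        findings.append("NT hash field is not 32 hex digits")
    fields = {"name": name, "uid": int(uid), "flags": sorted(flag_set),
              "last_change": changed.isoformat()}
    return fields, findings

if __name__ == "__main__":
    info, issues = audit_smbpasswd_line(SAMPLE)
    print(info)
    for issue in issues:
        print("finding:", issue)
```

Because both hashes are plain-text equivalents, run such a check only on a copy held in a root-only directory, as the quoted man page requires for the smbpasswd file itself.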
#3
I created the file on my desktop Linux with the help of smbpasswd. To do that, I copied the smb.conf, changed the path of the password file to a file in my home directory, and started smbpasswd with a reference to the modified smb.conf. It worked.

I also had to struggle with the configuration in smb.conf. So far, though, it works the way I wanted. Thanks.
Reply

