User passwords from older Samba?

Joined
Jan 24, 2022
Messages
9
Hi

I need to replace an older Samba server and would like to use TrueNAS Scale. Is there any simple way to import the users / groups from the older Samba server? It is Samba 3.0 on CentOS 5.4.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Hi

I need to replace an older Samba server and would like to use TrueNAS Scale. Is there any simple way to import the users / groups from the older Samba server? It is Samba 3.0 on CentOS 5.4.
Not really. The problem is that we expect admins to create users with the password filled out via either the webui or the API. This password is then hashed and stored encrypted in our sqlite3 database. We also generate the NT hash at that time and store the old-style smbpasswd-style string as the `smbhash` key in our database (also encrypted).

In theory, you can pre-stage users with random passwords, then use our "datastore" plugin to hack the smbhash:

Code:
root@truenas[~]# midclt call datastore.query account.bsdusers '[["bsdusr_username", "=", "smbuser"]]'
[]
root@truenas[~]# midclt call user.create '{"username": "bob", "full_name": "bob", "password": "Cats", "group_create": true}
quote> 
root@truenas[~]# midclt call user.create '{"username": "bob", "full_name": "bob", "password": "Cats", "group_create": true}'
66
root@truenas[~]# midclt call datastore.query account.bsdusers '[["id", "=", 66]]'
[{"id": 66, "bsdusr_uid": 1000, "bsdusr_username": "bob", "bsdusr_unixhash": "$6$kwhFdCNlEyO5k0In$2egwdn22pNio9ktSyf07XozkWgM.Nf3wh5Fb8iwVOyia5/aa.H7TB5aTJreNilSt5t6zVcAnI2weTbh6XJ/3S0", "bsdusr_smbhash": "bob:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:B3F34FF0FBB772A1A70810CBB3320740:[U         ]:LCT-62BEDAF8:", "bsdusr_home": "/nonexistent", "bsdusr_shell": "/usr/bin/zsh", "bsdusr_full_name": "bob", "bsdusr_builtin": false, "bsdusr_smb": true, "bsdusr_password_disabled": false, "bsdusr_locked": false, "bsdusr_sudo": false, "bsdusr_sudo_nopasswd": false, "bsdusr_sudo_commands": [], "bsdusr_microsoft_account": false, "bsdusr_attributes": {}, "bsdusr_email": null, "bsdusr_group": {"id": 98, "bsdgrp_gid": 1000, "bsdgrp_group": "bob", "bsdgrp_builtin": false, "bsdgrp_sudo": false, "bsdgrp_sudo_nopasswd": false, "bsdgrp_sudo_commands": [], "bsdgrp_smb": false}}]


See bsdusr_smbhash. This is the smbpasswd string you need to replace with the one from the CentOS server. The most relevant part is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:B3F34FF0FBB772A1A70810CBB3320740. This is the NTLM hash. The datastore plugin handles the encryption / decryption before db writes.

Note though that replacing the NT hash is sufficient for SMB access, but will not grant local FS access.
 

anodos

Sambassador
iXsystems
A couple of caveats here:
1) This is neither supported nor endorsed, but I understand as an admin you can get stuck between a rock and a hard place.
2) As noted above, this smbhash is plaintext-equivalent and can be used for pass-the-hash attacks. Please be careful with how you store / manage these.
3) This portion, B3F34FF0FBB772A1A70810CBB3320740, is an unsalted MD4 hash, which is somewhat easily crackable these days. If you only have a few high-value accounts, you could probably crack it, get the original plaintext and use it to create a proper user account.
4) If you for some reason decide to do (3) above, you should probably not use online tools to do this.

The general procedure I laid out above should in theory work. Some testing / experimenting on your side will be required. We don't ever update the smbhash unless a user changes his or her password.
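The two posts above describe the smbpasswd string format, the fact that the NT half is an unsalted MD4 of the password, and the procedure of pre-staging a user and then overwriting `bsdusr_smbhash`. The following is an added example (not code from the post, and not TrueNAS's own code) that works through all three: it parses an smbpasswd-style string, recomputes an NT hash (MD4 over the UTF-16LE password, implemented in pure Python because hashlib's md4 is frequently disabled under OpenSSL 3), runs the kind of small offline dictionary check caveat 3 suggests instead of an online tool, and builds the replacement string for the pre-staged row. The old-server line is constructed sample data (its NT hash is that of the string "password"); the `datastore.update` call shape is an assumption, since the post only shows `datastore.query`.

```python
# Added example: smbpasswd-string handling for migrating an NT hash into a
# pre-staged TrueNAS user.  Not part of the forum post or of TrueNAS itself.
import json
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

_M = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    x &= _M
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable under OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                 # round 1: F
            a = _lrot(a + ((b & c) | (~b & d)) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                 # round 2: G
            k = (i % 4) * 4 + i // 4
            a = _lrot(a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3: H
            a = _lrot(a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash_of(password: str) -> str:
    """NT hash = MD4 of the UTF-16LE password; no salt, so identical passwords hash identically."""
    return md4(password.encode("utf-16-le")).hex().upper()


def crack_nt(nt_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check against an NT hash (caveat 4: keep this off online services)."""
    target = nt_hex.upper()
    return next((pw for pw in candidates if nt_hash_of(pw) == target), None)


@dataclass
class SmbPasswdEntry:
    """One smbpasswd line: user:uid:LMHASH:NTHASH:[flags]:LCT-hex:"""
    username: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: str
    lct: str

    @classmethod
    def parse(cls, line: str) -> "SmbPasswdEntry":
        f = line.rstrip("\n").split(":")
        if len(f) < 6:
            raise ValueError(f"not an smbpasswd entry: {line!r}")
        return cls(f[0], int(f[1]), f[2].upper(), f[3].upper(), f[4], f[5])

    def __str__(self) -> str:
        return f"{self.username}:{self.uid}:{self.lm_hash}:{self.nt_hash}:{self.flags}:{self.lct}:"


NO_LM_HASH = "X" * 32   # Samba's marker for "no LM hash stored"


def build_replacement(truenas_line: str, old_line: str, drop_lm: bool = True) -> str:
    """Keep the TrueNAS username/uid; carry over NT hash, flags and LCT from the old server.
    The LM hash is dropped by default: it is a far weaker DES-based, case-folded hash."""
    new, old = SmbPasswdEntry.parse(truenas_line), SmbPasswdEntry.parse(old_line)
    new.nt_hash, new.flags, new.lct = old.nt_hash, old.flags, old.lct
    new.lm_hash = NO_LM_HASH if drop_lm else old.lm_hash
    return str(new)


def datastore_update_cmd(row_id: int, smbhash: str) -> str:
    # Assumed shape of the datastore plugin's update call; the post only shows datastore.query.
    return f"midclt call datastore.update account.bsdusers {row_id} '{json.dumps({'bsdusr_smbhash': smbhash})}'"


# Row value quoted in the post, and a constructed old-server line (NT hash of "password").
TRUENAS_SMBHASH = "bob:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:B3F34FF0FBB772A1A70810CBB3320740:[U         ]:LCT-62BEDAF8:"
OLD_SMBPASSWD = "bob:502:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[U         ]:LCT-4B3D2A1F:"

if __name__ == "__main__":
    print("cracked:", crack_nt(SmbPasswdEntry.parse(OLD_SMBPASSWD).nt_hash, ["Cats", "letmein", "password"]))
    print(datastore_update_cmd(66, build_replacement(TRUENAS_SMBHASH, OLD_SMBPASSWD)))
```

Because the NT hash is unsalted, `nt_hash_of` is all an attacker needs to turn a stolen `bsdusr_smbhash` into an SMB login, which is why caveat 2 treats the string as plaintext-equivalent; the same property is what makes the offline dictionary check in `crack_nt` cheap.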
 