ldap_modify() instead of ldap_exop_passwd()

[drlight17]

Hi.
I've just had troubles with changing users passwords from NC. I'm using samba 4 with 6.1.1.2.4.1.2 dSHeuristics set to 1. But everytime changing password (not only by NC, but by self-written scripts) I've got extended operation error using ldap_exop_passwd() function.
And there is no problem to change password using ldap_modify(). I've made a little change in lib/LDAPUserManager.php (see drlight17@2298fd1).
Is there a really security cause to use ldap_exop_passwd() function to operate with userPassword attrribute?

[blizzz]

Is there a really security cause to use ldap_exop_passwd() function to operate with userPassword attrribute?

It will ensure that the password is hashed instead of possibly stored as clear text.

[drlight17]

Is there a really security cause to use ldap_exop_passwd() function to operate with userPassword attrribute?

It will ensure that the password is hashed instead of possibly stored as clear text.

Maybe there is an ability to add an option in GUI to choose ldap attribute and function to store password? Because sometimes there is no ways to deal with userPassword.

[blizzz]

Are you sure Samba4 is configured correctly? It seems odd to me that it would not be able to operate with the intended method to change passwords on LDAP. And it does not seem to be the correct solution for me either.

[drlight17]

Are you sure Samba4 is configured correctly? It seems odd to me that it would not be able to operate with the intended method to change passwords on LDAP. And it does not seem to be the correct solution for me either.

Thnx for the reply. I have a feeling, that samba 4.7.0 (actual version for Ubuntu 18) doesn't really support dSHeuristics flag. I'll try to upgrade version to the latest stable. Maybe this will help.

[drlight17]

Samba is upgraded to the latest 4.11.6 with no luck. Still having the same error:

Result: Protocol error (2)
Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported

Just found info of 2017 in the samba lists:

"...sadly Samba does not support
the extended operation method yet. We would love to support it, but
that requires engineering at this stage."

(https://lists.samba.org/archive/samba/2017-March/207245.html)
And another one:

"... No, the extended operation is
not supported - it remains a wishlist item that one of our developers
was working on at some point, but has not progressed beyond that."

(http://samba.2283325.n4.nabble.com/Internal-LDAP-problem-tp4643700p4643833.html)
Maybe this is the point? Samba doesn't support extended operations with Samba internal AD backend.
Or did I missed something? Did someone test Samba with internal ad backend (not with something like OpenLDAP or native Windows AD)?

[blizzz]

That's 3 years ago, but well, probably still valid. The automated tests run against openLDAP, I know 389 DS was tested, too.

[julyusito]

Same issue here, can't change password with Samba AD, there is another way to implement this feature?

ldap_exop_passwd(): Passwd modify extended operation failed: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported (2) at /var/www/html/custom_apps/ldap_write_support/lib/LDAPUserManager.php#349

[drlight17]

Same issue here, can't change password with Samba AD, there is another way to implement this feature?

ldap_exop_passwd(): Passwd modify extended operation failed: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported (2) at /var/www/html/custom_apps/ldap_write_support/lib/LDAPUserManager.php#349

Still no changes in code of LDAPUserManager.php. So I'm still using my fix (drlight17@2298fd1) from the first post in this thread. It works perfectly fine. Just make sure to have a backup of fixed LDAPUserManager.php when update Nextcloud or it's apps.

[julyusito]

Hi,

Try this on your samba AD:

Replace /var/lib/samba/private/ for your path and the dc domain part

ldbedit -e vi -H /var/lib/samba/private/sam.ldb -b 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com' '(objectClass=ntDSService)'
Add this line at the end of file:
dSHeuristics: 000000001

The editor is vi, so you can use ESC key, then :$ to go at the end of file, and finally the letter o to add new line, paste the dSHeuristics line and save with ESC key and :x

The samba.conf on your AD server must contains the line in global section: (this was my missing setup to work)
password hash userPassword schemes = CryptSHA256 CryptSHA512

Restart samba service and voilá.

I hope this work

[drlight17]

Hi,

Try this on your samba AD:

Replace /var/lib/samba/private/ for your path and the dc domain part

ldbedit -e vi -H /var/lib/samba/private/sam.ldb -b 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com' '(objectClass=ntDSService)'
Add this line at the end of file:
dSHeuristics: 000000001

The editor is vi, so you can use ESC key, then :$ to go at the end of file, and finally the letter o to add new line, paste the dSHeuristics line and save with ESC key and :x

The samba.conf on your AD server must contains the line in global section: (this was my missing setup to work)
password hash userPassword schemes = CryptSHA256 CryptSHA512

Restart samba service and voilá.

I hope this work

Hello.
Thanks for your reply.
I've already set dSHeuristics: 000000001 in ad scheme. Just added password hash userPassword schemes = CryptSHA256 CryptSHA512 in smb.conf and restarted service.
But unfortunately still have the following:
[PHP] Error: ldap_exop_passwd(): Passwd modify extended operation failed: Protocol error (2) at /var/www/nextcloud/apps/ldap_write_support/lib/LDAPUserManager.php#352

POST /settings/personal/changepassword
from x.x.x.x by user at 2020-09-24T11:03:01+03:00

[meckiemac]

I did the same and still get the Error: ldap_exop_passwd(): Passwd modify extended operation failed: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported (2) at /var/www/html/custom_apps/ldap_write_support/lib/LDAPUserManager.php#353.

[meckiemac]

Hi.
I've just had troubles with changing users passwords from NC. I'm using samba 4 with 6.1.1.2.4.1.2 dSHeuristics set to 1. But everytime changing password (not only by NC, but by self-written scripts) I've got extended operation error using ldap_exop_passwd() function.
And there is no problem to change password using ldap_modify(). I've made a little change in lib/LDAPUserManager.php (see drlight17@2298fd1).
Is there a really security cause to use ldap_exop_passwd() function to operate with userPassword attrribute?

Instead of the deep change, I would recommend either a fallback or an AD detection algorithm to stay compatible.
Maybe a GUI switch with Password update method would be the best for keeping it in control.

[army1349]

I can add detection of passwdModify extended operation.

@drlight17 @meckiemac can you send current version of your LDAP backend and your DSE?
You shoud get DSE by querying empty-string base.
Something like this:
ldapsearch -LLL -o ldif-wrap=no -x -b '' -s base +

[meckiemac]

I run the samba AD via ubuntu focal, current release is: 2:4.11.6+dfsg-0ubuntu1.6. Output is sanitised.
LDAPTLS_REQCERT=never ldapsearch -H ldaps://192.168.x.x:636 -D "CN=Administrator,CN=Users,DC=mydom,DC=lan" -W -s base -b '' -x -LLL -o ldif-wrap=no
Enter LDAP Password:
dn:
configurationNamingContext: CN=Configuration,DC=mydom,DC=lan
defaultNamingContext: DC=mydom,DC=lan
rootDomainNamingContext: DC=mydom,DC=lan
schemaNamingContext: CN=Schema,CN=Configuration,DC=mydom,DC=lan
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=mydom,DC=lan
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Samba Team (https://www.samba.org)
isSynchronized: TRUE
dsServiceName: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydom,DC=lan
serverName: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydom,DC=lan
dnsHostName: dc1.mydom.lan
ldapServiceName: mydom.lan:dc1$@mydom.LAN
currentTime: 20210304195947.0Z
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1341
namingContexts: DC=mydom,DC=lan
namingContexts: CN=Configuration,DC=mydom,DC=lan
namingContexts: CN=Schema,CN=Configuration,DC=mydom,DC=lan
namingContexts: DC=DomainDnsZones,DC=mydom,DC=lan
namingContexts: DC=ForestDnsZones,DC=mydom,DC=lan
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
highestCommittedUSN: 4597
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4
isGlobalCatalogReady: TRUE

I hope this helps. Let me know if you need more information.

[drlight17]

I can add detection of passwdModify extended operation.

@drlight17 @meckiemac can you send current version of your LDAP backend and your DSE?
You shoud get DSE by querying empty-string base.
Something like this:
ldapsearch -LLL -o ldif-wrap=no -x -b '' -s base +

# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.4 LTS
Release:	18.04
Codename:	bionic

# apt search samba | grep samba/unkn

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

python-samba/unknown,now 2:4.9.18+dfsg-0.1bionic1 amd64 [installed,automatic]
samba/unknown,now 2:4.9.18+dfsg-0.1bionic1 amd64 [installed]

#ldapsearch -LLL -o ldif-wrap=no -x -b '' -s base
dn:
configurationNamingContext: CN=Configuration,DC=ksc,DC=loc
defaultNamingContext: DC=ksc,DC=loc
rootDomainNamingContext: DC=ksc,DC=loc
schemaNamingContext: CN=Schema,CN=Configuration,DC=ksc,DC=loc
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=ksc,DC=loc
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Samba Team (http://samba.org)
isSynchronized: TRUE
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ksc,DC=loc
serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ksc,DC=loc
dnsHostName: dc.ksc.loc
ldapServiceName: ksc.loc:dc$@KSC.LOC
currentTime: 20210305054234.0Z
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1341
namingContexts: DC=ksc,DC=loc
namingContexts: CN=Configuration,DC=ksc,DC=loc
namingContexts: CN=Schema,CN=Configuration,DC=ksc,DC=loc
namingContexts: DC=DomainDnsZones,DC=ksc,DC=loc
namingContexts: DC=ForestDnsZones,DC=ksc,DC=loc
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
highestCommittedUSN: 3544408
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4
isGlobalCatalogReady: TRUE

[army1349]

Thanks, now quick summary:

• Samba and MS AD don't support Password Modify ExOp today. Here is bug for Samba.
• They correctly don't advertise Password Modify ExOp in rootDSE and respond with Protocol error.
• Proper way of changing password here is modifying unicodePwd attribute or userPassword attribute (requires dSHeuristics).

LDAP documentation says:

A well-behaved client should generally attempt to verify that the server supports a particular type of extended operation before sending a request of that type to the server.

So, we should probably check DSE for supportedExtension: 1.3.6.1.4.1.4203.1.11.1 and use userPassword attribute if not supported.

@drlight17 @meckiemac can you confirm that modifying userPassword attribute works for you?

[drlight17]

@drlight17 @meckiemac can you confirm that modifying userPassword attribute works for you?

Yes, I confirm.

[meckiemac]

I can confirm, but with a very small change. I searched a bit further and found: https://stackoverflow.com/questions/13078022/php-ldap-modify-insufficient-access
Instead of "ldap_modify" I use here the recommended "ldap_mod_replace" and it works.
Thank you,
Andreas

[meckiemac]

Hi, do we have any updates on this? I would like to skip the double checking of the exop/mod functions on any update.
As another idea, why not make a permanent fork called ad_ldap_write_support? And we can add additional AD features step by step?

[drlight17]

Finally! Thanks!

[meckiemac]

Thank you!