djbdjb00djb / hashing-password-filter

Automatically exported from code.google.com/p/hashing-password-filter

2008R2 x64 Doesn't work? #27

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1) Open ADSI Edit (Admin tools)
2) Right click CN=Schema... under Schema [mirage.krellinst.org] and select New:Object
3) Add attributeSchema
        cn=hashedPassword
        oMSyntax = 27
        ldapDisplayName = hashedPassword
        isSingleValued = True
        attribute syntax = 2.5.5.3 [Case Sensitive String]
        attributeID = <run oid script and add .2.1 to the end of the root OID>
        More Attributes: searchFlags = 128 [Confidential]
4) Add classSchema
        cn=hashedPasswordSchema
        subClassOf=top
        governsID = <run oid script and add .1.1 to the end of the root OID>
5) Edit CN=hashedPasswordSchema
        Add hashedPassword to auxiliaryClass attribute
6) Edit CN=User
        Add hashedPasswordSchema to auxiliaryClass attribute
7) Copy HashingPasswordFilter.dll to C:\Windows\System32 on DC
Edit registry on DC
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
        Add "HashingPasswordFilter" to "Notification Packages" (or add key)
8) Reboot DC
9) Search for HashingPasswordFilter in Event Log - verify that module was loaded as Notification Package
10) Reset user password from AD Users & Computers Snap-in
11) View user attributes, find hashedPassword attribute is "<not set>"

What is the expected output? What do you see instead?
Should have password hash in hashedPassword attribute

What version of the product are you using? On what operating system?
0.1rc4 64bit on Win 2008R2 x64

Original issue reported on code.google.com by bablak...@gmail.com on 7 Sep 2011 at 4:05
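
A read-only check of the state that steps 3 and 7 above should leave on the DC, given here as an added example that is not part of the original report or the project's code. It assumes an elevated 64-bit PowerShell session on the domain controller; the variable names are illustrative, and the package and attribute names are taken from the steps. Every DLL listed in `Notification Packages` is loaded into LSA and is handed new passwords in cleartext, so the listing is worth reviewing in full rather than only for the expected entry.

```powershell
# Added example: read-only check of what steps 3 and 7 should have configured.
# Use a 64-bit host; a 32-bit process is redirected from System32 to SysWOW64.
$filterName = 'HashingPasswordFilter'   # package name from step 7
$attrName   = 'hashedPassword'          # attribute cn from step 3
$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# "Notification Packages" is a REG_MULTI_SZ; LSA loads <entry>.dll from System32 at boot.
$packages = @((Get-ItemProperty -Path $lsaKey).'Notification Packages' | Where-Object { $_ })
$report = foreach ($pkg in $packages) {
    $dll     = Join-Path $env:SystemRoot "System32\$pkg.dll"
    $present = Test-Path -LiteralPath $dll
    $item    = if ($present) { Get-Item -LiteralPath $dll } else { $null }
    New-Object PSObject -Property @{
        Package    = $pkg
        DllPresent = $present
        Company    = if ($item) { $item.VersionInfo.CompanyName } else { 'n/a' }
        Modified   = if ($item) { $item.LastWriteTime } else { 'n/a' }
    }
}
$report | Format-Table Package, DllPresent, Company, Modified -AutoSize

if ($packages -notcontains $filterName) {
    Write-Warning "$filterName is not listed in Notification Packages"
}

# Schema side: the attribute must exist and carry the Confidential bit (searchFlags 128).
$schemaNC = ([ADSI]'LDAP://RootDSE').Properties['schemaNamingContext'].Value
$attrPath = "LDAP://CN=$attrName,$schemaNC"
if ([ADSI]::Exists($attrPath)) {
    $flags = [int]([ADSI]$attrPath).Properties['searchFlags'].Value
    if (($flags -band 128) -eq 0) {
        Write-Warning "$attrName exists but is not marked Confidential (searchFlags=$flags)"
    } else {
        "$attrName is present with searchFlags=$flags"
    }
} else {
    Write-Warning "$attrName was not found under $schemaNC"
}
```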

GoogleCodeExporter commented 9 years ago
Some more information.  I've narrowed the problem down to an Operations Error 
upon querying for the sAMAccountName.  If my credentials were 
incorrect, according to the source code, it would have errored out upon the bind. 
 I can run the same query it is executing using ldapsearch from a Linux machine 
without issue.  Any tips on how to find out what the "Operations Error" might 
be?

Original comment by bablak...@gmail.com on 8 Sep 2011 at 10:34

GoogleCodeExporter commented 9 years ago
After a second reboot, it seems happy now.

Original comment by bablak...@gmail.com on 9 Sep 2011 at 12:37

GoogleCodeExporter commented 9 years ago
For what it's worth, I created a task that fires on 4738 in the security log 
(User Changed) to run the GADS sync-cmd.exe.  In case anyone else is 
looking for an efficient way to handle syncing.

Original comment by bablak...@gmail.com on 9 Sep 2011 at 12:57

GoogleCodeExporter commented 9 years ago
http://blog.mosheldon.com/2011/11/google-password-sync-windows-server.html

Original comment by m...@mosheldon.com on 17 Nov 2011 at 10:15