Using shadow password on Windows


#1

Ohai Chefs,
I have Windows 2008 R2 client with chef 11.4.4 installed through msi
available on Opscode web site (http://www.opscode.com/chef/install.msi)

I would create users using shadow password, but for this I need the
ruby-shadow gem, which seems not to be shipped with the installer

I tried to install using DevKit but without luck

Can anyone point me to some docs on how to install it?

Thanks


#2

On Friday, June 7, 2013 at 11:47 PM, Andrea Cappelli wrote:

> Ohai Chefs,
> I have Windows 2008 R2 client with chef 11.4.4 installed through msi
> available on Opscode web site (http://www.opscode.com/chef/install.msi)
>
> I would create users using shadow password, but for this I need the
> ruby-shadow gem, which seems not to be shipped with the installer
>
> I tried to install using DevKit but without luck
>
> Can anyone point me to some docs on how to install it?
>
> Thanks

The ruby-shadow gem is for managing the /etc/shadow file on Unix machines. Chef should not be hitting the code path that requires ruby-shadow on Windows. Can you post the error message you get, an example of cookbook code that causes this, and the output of ohai platform?


Daniel DeLeo


#3

On 10/06/2013 18:04, Daniel DeLeo wrote:

> The ruby-shadow gem is for managing the /etc/shadow file on Unix
> machines.

Uhm, ok, so I misunderstood the documentation.

So the right question is: how can I set a password for a Windows user
knowing only the hash?

If I do

user "test" do
  password "$1$wCpUAC5P$NiLw8nU0NjBahe0UPOSo5/"
end

on a Linux box the user test gets the password “test”, in Windows it
gets the password $1$wCpUAC5P$NiLw8nU0NjBahe0UPOSo5/

I (wrongly) supposed that with the ruby-shadow gem I would obtain the same
result in both environments

> Chef should not be hitting the code path that requires ruby-shadow on
> Windows. Can you post the error message you get, an example of
> cookbook code that causes this, and the output of ohai platform?

I have no error message, ohai platform returns
[
‘windows’
]

Thanks


#4

Simple answer: you can’t.

More complicated answer: Windows and Linux use completely different, and incompatible, hashing algorithms. Windows simply doesn’t understand Linux hashes (and vice versa). That’s hardly surprising because these are really vendor-specific decisions. The Samba project had to actually create its own separate password database for Windows compatibility (Google for smbpasswd if you want to learn the details).

Even within Linux, assuming that your hash will work is somewhat iffy. For starters, not all distros support the same hashing algorithms. Fortunately, at least the format tends to be consistent, and the algorithm identified with the 1 (MD5), as in your sample, is probably the most common one, although it may be the least secure.

If you really want to set the user to a specific fixed password, maybe you can use Active Directory to accomplish that for both Windows and Linux (via Samba) in a very secure way.

-----Original message-----

From: Andrea Cappelli <a.cappelli@gmail.com>
Sent: Monday 10th June 2013 9:30
To: chef@lists.opscode.com
Subject: [chef] Re: Re: Using shadow password on Windows


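The mismatch discussed in this thread can be caught before a recipe runs. The following is an added example, not part of the original posts and not Chef's own code: it recognises a crypt-style hash such as the `$1$` value quoted above and reports what the same `password` value would mean on a given Ohai platform. The helper names `parse_mcf` and `check_user_password` and the scheme table are assumptions made for illustration.

```ruby
# Added example (not Chef code): classify a value before it is used as the
# `password` of a Chef `user` resource. Helper names are hypothetical.
MCF_SCHEMES = {
  "1" => "md5-crypt",     # the $1$ form of the hash quoted in the thread
  "5" => "sha256-crypt",
  "6" => "sha512-crypt",
}.freeze

# Parse "$id$[rounds=N$]salt$digest" (the md5/sha-crypt layout).
# Returns nil when the string is not in that modular crypt format.
def parse_mcf(value)
  m = /\A\$([0-9a-z]+)\$(?:rounds=(\d+)\$)?([^$]*)\$([^$]+)\z/.match(value.to_s)
  return nil unless m
  { id: m[1], scheme: MCF_SCHEMES.fetch(m[1], "unknown"),
    rounds: m[2]&.to_i, salt: m[3], digest: m[4] }
end

# What will `password value` mean on this Ohai platform?
#   windows -> the string is used as the password itself (as seen in the thread)
#   other   -> the string is written as the stored hash (the thread's Linux result)
def check_user_password(platform, value)
  mcf = parse_mcf(value)
  warnings = []
  if platform == "windows"
    if mcf
      return { ok: false, scheme: mcf[:scheme],
               warnings: ["crypt hash would become the literal Windows password"] }
    end
    return { ok: true, scheme: "plaintext", warnings: warnings }
  end
  unless mcf
    return { ok: false, scheme: "plaintext",
             warnings: ["not a crypt hash; it would be stored as-is in the hash field"] }
  end
  warnings << "md5-crypt is the weakest of the listed schemes" if mcf[:id] == "1"
  warnings << "scheme id not in table; check the distro supports it" if mcf[:scheme] == "unknown"
  { ok: true, scheme: mcf[:scheme], warnings: warnings }
end

if __FILE__ == $PROGRAM_NAME
  sample = '$1$wCpUAC5P$NiLw8nU0NjBahe0UPOSo5/' # hash quoted in the thread
  %w[windows ubuntu].each { |p| puts "#{p}: #{check_user_password(p, sample)}" }
end
```
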

#5

On 11/06/2013 08:52, Kevin Keane Subscription wrote:

> Simple answer: you can’t.

Thanks :)

> Fortunately, at least the format tends to be consistent, and the algorithm identified with the 1 (MD5), as in your sample, is probably the most common one, although it may be the least secure.

For Linux distro I use 6, I hoped that 1 was working also on Windows
(as you stated is the most common), but I made a wrong assumption

> If you really want to set the user to a specific fixed password,

I have to, I need user to be in sync on more than one server. But
probably the use of Active Directory as you suggested is a more suitable way

Thank you


#6

On 2013-06-11 09:15, Andrea Cappelli wrote:

> On 11/06/2013 08:52, Kevin Keane Subscription wrote:
>
> > Simple answer: you can’t.
>
> Thanks :)
>
> > Fortunately, at least the format tends to be consistent, and the algorithm identified with the 1 (MD5), as in your sample, is probably the most common one, although it may be the least secure.
>
> For Linux distro I use 6, I hoped that 1 was working also on Windows (as you stated is the most common), but I made a wrong assumption
>
> > If you really want to set the user to a specific fixed password,
>
> I have to, I need user to be in sync on more than one server. But probably the use of Active Directory as you suggested is a more suitable way
>
> Thank you

In this case have a look here:

http://community.opscode.com/cookbooks/ad-likewise

http://community.opscode.com/cookbooks/ad-auth

In brief, Likewise does a hash of the user and group SIDs to create the uid/gid, and so an Active Directory user keeps having the same uid on every Linux box (and obviously the same password).

I think it is what you need when you say “I need user to be in sync”.

Regards


#7

On 11/06/2013 09:40, Tensibai wrote:

> In this case have a look here:
>
> http://community.opscode.com/cookbooks/ad-likewise
>
> http://community.opscode.com/cookbooks/ad-auth

Thank you Tensibai for pointing me to these cookbooks

Have a nice day