[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Rowland Penny rpenny at samba.org
Sat Apr 8 14:40:55 UTC 2017


On Fri, 07 Apr 2017 20:32:37 +0000
Leonardo Bruno Lopes via samba <samba at lists.samba.org> wrote:

> Hi everyone!
> 
> I have a LDAP with all my users' accounts, each one with the
> sambaNTPassword correctly defined. I also have a freshly installed
> Samba 4.2 running on a Debian 8.7 box.
> 
> I followed the instructions described by Steve ThompsSmabon here
> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
> am able to create a Samba 4 domain account ('samba-tool user add ...
> --random-password ..') and then redefine the password directly using
> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
> script.
> 
> As you may have noticed, I don't want to ask for the users to type
> their passwords again, and I want to make sure that LDAP password and
> Samba domain password are always the same. On a second moment - after
> all accounts were created - I will keep it synchronized using a
> management software.
> 
> 'smbclient' works (authenticates) normally. The problem is that I
> can't login into domain from a Windows 7 VM using the user and
> password I create using the scripts/commands from the thread I linked
> above.
> 
> Besides, I can confirm that the 'unicodePwd' value generated by
> 'samba-tool user setpassword ...' is the same as the one generated
> by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
> things checked).
> 
> Is there any other step I should take in order to get Windows logon
> working normally with the accounts I create that way?
> 
> Thanks in advance, regards.
> Leonardo
> 

I have never tried this, but from my understanding, what you have
posted should work. I wonder if it is just something as simple as
the old ldap passwords not being complex enough?

Try running this on the DC: 

samba-tool domain passwordsettings set --complexity=off

If this cures the problem, then you have the answer; it is then up to
you to decide how to proceed, stay with the old passwords or make your
users change them.

Rowland


