[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Leonardo Bruno Lopes leonardo at cefetmg.br
Sat Apr 8 16:53:09 UTC 2017


Thank you so much, Rowland.

I disabled the complexity using the command you suggested (just added 'set',
I mean, 'samba-tool domain passwordsettings set --complexity=off').

'smbclient' still works, no surprise here. However I can't test the Windows
login right now. For some weird reason I can't open Windows VMs through
VPN. As soon as I have some additional information I will let you and the
list know.

About the complexity setting itself, I suppose it turns off the Samba
password complexity verification while re/setting passwords. It would not
be a problem as the software I (will) use to maintain the accounts already
has some complexity rules. In fact, the passwords I have in my LDAP (in the
'sambaNTPassword' attribute) are complex enough to be used by Samba AD.

Thanks again!
Leonardo

Quoting Rowland Penny <rpenny at samba.org>:

> On Fri, 07 Apr 2017 20:32:37 +0000
> Leonardo Bruno Lopes via samba <samba at lists.samba.org> wrote:
>
>> Hi everyone!
>>
>> I have a LDAP with all my users' accounts, each one with the
>> sambaNTPassword correctly defined. I also have a freshly installed
>> Samba 4.2 running on a Debian 8.7 box.
>>
>> I followed the instructions described by Steve Thompson here
>> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
>> am able to create a Samba 4 domain account ('samba-tool user add ...
>> --random-password ..') and then redefine the password directly using
>> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
>> script.
>>
>> As you may have noticed, I don't want to ask for the users to type
>> their passwords again, and I want to make sure that LDAP password and
>> Samba domain password are always the same. On a second moment - after
>> all accounts were created - I will keep it synchronized using a
>> management software.
>>
>> 'smbclient' works (authenticates) normally. The problem is that I
>> can't login into domain from a Windows 7 VM using the user and
>> password I create using the scripts/commands from the thread I linked
>> above.
>>
>> Besides, I can confirm that the 'unicodePwd' value generated by
>> 'samba-tool user setpassword ...' is the same as the one generated
>> by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
>> things checked).
>>
>> Is there any other step I should take in order to get Windows logon
>> working normally with the accounts I create that way?
>>
>> Thanks in advance, regards.
>> Leonardo
>
> I have never tried this, but from my understanding, what you have
> posted should work. I wonder if it is just something as simple as
> the old ldap passwords not being complex enough?
>
> Try running this on the DC:
>
> samba-tool domain passwordsettings --complexity=off
>
> If this cures the problem, then you have the answer, it is then up to
> you to decide how to proceed, stay with the old passwords or make your
> users change them.
>
> Rowland

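The check described in the thread (comparing the 'unicodePwd' stored in the directory with the hash kept in LDAP), as an added example that is not part of the original posts or of Samba's own code. It assumes 'sambaNTPassword' holds 32 hex digits and that 'unicodePwd' carries the same 16 bytes base64-encoded in LDIF; the DN, the hash value and the function names are constructed for illustration.

```python
import base64
import binascii
import hmac
import re

# Constructed sample values (not from the thread).
SAMPLE_DN = "CN=jdoe,CN=Users,DC=example,DC=com"
SAMPLE_NT_HEX = "00112233445566778899AABBCCDDEEFF"


def nt_hash_bytes(samba_nt_password):
    """Decode a sambaNTPassword value (assumed: 32 hex digits) to 16 raw bytes."""
    value = samba_nt_password.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", value):
        raise ValueError("sambaNTPassword must be exactly 32 hex digits")
    return binascii.unhexlify(value)


def unicodepwd_ldif(dn, samba_nt_password):
    """Build an LDIF modify record for ldbmodify that replaces unicodePwd."""
    if "\n" in dn or "\r" in dn:
        raise ValueError("DN must not contain line breaks (LDIF injection)")
    b64 = base64.b64encode(nt_hash_bytes(samba_nt_password)).decode("ascii")
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: unicodePwd\nunicodePwd:: {b64}\n")


def stored_hash_matches(ldif_text, samba_nt_password):
    """True if the unicodePwd in ldbsearch-style LDIF equals the LDAP hash."""
    m = re.search(r"^unicodePwd:: (\S+)$", ldif_text, re.MULTILINE)
    if m is None:
        return False  # attribute absent, or not returned as base64
    try:
        stored = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return False
    # Constant-time comparison, since both operands are credential material.
    return hmac.compare_digest(stored, nt_hash_bytes(samba_nt_password))


if __name__ == "__main__":
    record = unicodepwd_ldif(SAMPLE_DN, SAMPLE_NT_HEX)
    print(record)
    print("match:", stored_hash_matches(record, SAMPLE_NT_HEX.lower()))
```

The generated LDIF and any 'ldbsearch' output containing 'unicodePwd' are password-equivalent material and should be handled like the hashes themselves.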