[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Leonardo Bruno Lopes leonardo at cefetmg.br
Sat Apr 8 16:53:09 UTC 2017

  Thank you so much, Rowland.

I disabled the complexity using the command you sugested (just added 'set',
I mean, 'samba-tool domain passwordsettings set --complexity=off').

'smbclient' still works, no surprise here. However I can't test the Windows
login right now. For some weird reason I can't open Windows VMs throught
VPN. As soon as I have some aditional information I will let you and the
list know.

About the complexity setting itself, I suppose It turns off the Samba
password complexity verification while re/setting passwords. It would not
be a problem as the software I (will) use to maintain the accounts already
has some complexity rules. I fact, the passwords I have in my LDAP (in the
'sambaNTPassword' attribute) are complex enough to be used by Samba AD.

Thanks again!

Citando Rowland Penny <rpenny at samba.org>:

> On Fri, 07 Apr 2017 20:32:37 +0000
> Leonardo Bruno Lopes via samba <samba at lists.samba.org> wrote:
>> Hi everyone!
>> I have a LDAP with all my users' accounts, each one with the
>> sambaNTPassaword correctly defined. I also have a freshly installed
>> Samba 4.2 running on a Debian 8.7 box.
>> I followed the instructions described by Steve Thompson here
>> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
>> am able to create a Samba 4 domain account ('samba-tool user add ...
>> --random-password ..') and then redefine the password directly using
>> 'ldbmodify' and the sambaNTPassaword value 'hashed' by the Python
>> scritp.
>> As you may have noticed, I don't want to ask for the users to type
>> their passwords again, and I want to make sure that LDAP password and
>> Samba domain password are always the same. On a second moment - after
>> all accounts were created - I will keep it synchronized using a
>> management software.
>> 'smbclient' works (authenticates) normally. The problem is that I
>> can't login into domain from a Windows 7 VM using the user and
>> password I create using the scripts/commands from the thread I linked
>> above.
>> Besides, I can confirm that the 'unicodePwd' value generated by
>> 'samba-tool user setpassword ...' Is the same that the one generated
>> by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
>> things checked).
>> Is there any other step I should take in order to get Windows logon
>> working normally with the accounts I create that way?
>> Thanks in advance, regards.
>> Leonardo
> I have never tried this, but from my understanding, what you have
> posted should work. I wonder if it is just something as simple as
> the old ldap passwords not being complex enough ?
> Try running this on the DC:
> samba-tool domain passwordsettings --complexity=off
> If this cures the problem, then you have the answer, it is then up to
> you to decide how to proceed, stay with the old passwords or make your
> users change them.
> Rowland
> --
> Esta mensagem foi verificada pelo sistema de antivĂ­rus eacredita-se
> estar livre de perigo.

Esta mensagem foi verificada pelo sistema de antivĂ­rus e
 acredita-se estar livre de perigo.

More information about the samba mailing list