[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Andrew Bartlett abartlet at samba.org
Sat Apr 8 19:34:30 UTC 2017

On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba
> Hi everyone!
> I have a LDAP with all my users' accounts, each one with the
> sambaNTPassword correctly defined. I also have a freshly installed
> Samba 4.2 running on a Debian 8.7 box.
> I followed the instructions described by Steve ThompsSmabon here
> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
> am able to create a Samba 4 domain account ('samba-tool user add ...
> --random-password ..') and then redefine the password directly using
> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
> script.
> As you may have noticed, I don't want to ask for the users to type
> their passwords again, and I want to make sure that LDAP password and
> Samba domain password are always the same. On a second moment - after
> all accounts were created - I will keep it synchronized using a
> management software.
> 'smbclient' works (authenticates) normally. The problem is that I
> can't login into domain from a Windows 7 VM using the user and
> password I create using the scripts/commands from the thread I linked
> above.
> Besides, I can confirm that the 'unicodePwd' value generated by
> 'samba-tool user setpassword ...' is the same as the one generated by
> the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
> things checked).
> Is there any other step I should take in order to get Windows logon
> working normally with the accounts I create that way?

My guess is that the Kerberos keys in supplementalCredentials have not
been removed.  Those are still set to the random password, and Windows
7 is using Kerberos.

The code in pdb_samba_dsdb that owns the OID you use always removes
this attribute when setting that OID, so you need to as well. 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
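
Added example, not part of the original message and not Samba's own code: a Python sketch that builds an ldbmodify record which replaces unicodePwd with an existing NT hash and clears supplementalCredentials in the same modify, as the reply advises. The function names, DN and hash are constructed for illustration; it assumes the record is applied with ldbmodify in the same way as the unicodePwd change in the linked procedure.

```python
import base64
import binascii


def ldif_line(attr: str, value: str) -> str:
    """Return one LDIF line, base64-encoding values that are not LDIF-safe."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def nt_hash_modify_record(dn: str, nt_hash_hex: str) -> str:
    """Build a modify record that sets the NT hash and drops stale Kerberos keys.

    nt_hash_hex is the 32-hex-digit value already stored in the old LDAP
    directory (sambaNTPassword); unicodePwd receives the raw 16 bytes.
    """
    try:
        raw = binascii.unhexlify(nt_hash_hex.strip())
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"NT hash for {dn} is not valid hex") from exc
    if len(raw) != 16:
        raise ValueError(f"NT hash for {dn} must be 16 bytes, got {len(raw)}")
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + base64.b64encode(raw).decode("ascii"),
        "-",
        # A replace with no values removes the attribute if it exists and is
        # a no-op otherwise (standard LDAP modify semantics), so keys derived
        # from the random password cannot outlive the hash change.
        "replace: supplementalCredentials",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample input: hypothetical DN and a sample 16-byte hash.
    print(nt_hash_modify_record("CN=alice,CN=Users,DC=example,DC=com",
                                "8846F7EAEE8FB117AD06BDD830B7586C"))
```

The AES Kerberos keys held in supplementalCredentials can only be derived from the cleartext password, so they stay absent until the account's password is next set through a normal password change.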
