[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Leonardo Bruno Lopes
leonardo at cefetmg.br
Sun Apr 9 14:47:59 UTC 2017
Quoting Andrew Bartlett <abartlet at samba.org>:
> On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba
> wrote:
>> Hi everyone!
>>
>> I have an LDAP with all my users' accounts, each one with the
>> sambaNTPassword correctly defined. I also have a freshly installed
>> Samba 4.2 running on a Debian 8.7 box.
>>
>> I followed the instructions described by Steve Thompson here
>> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
>> am able to create a Samba 4 domain account ('samba-tool user add ...
>> --random-password ..') and then redefine the password directly using
>> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
>> script.
>>
>> As you may have noticed, I don't want to ask for the users to type
>> their passwords again, and I want to make sure that LDAP password and
>> Samba domain password are always the same. On a second moment - after
>> all accounts were created - I will keep it synchronized using a
>> management software.
>>
>> 'smbclient' works (authenticates) normally. The problem is that I
>> can't login into domain from a Windows 7 VM using the user and
>> password I create using the scripts/commands from the thread I linked
>> above.
>>
>> Besides, I can confirm that the 'unicodePwd' value generated by
>> 'samba-tool user setpassword ...' is the same as the one generated by
>> the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
>> things checked).
>>
>> Is there any other step I should take in order to get Windows logon
>> working normally with the accounts I create that way?
>
> My guess is that the Kerberos keys in supplementalCredentials have not
> been removed. Those are still set to the random password, and Windows
> 7 is using Kerberos.
Dear Andrew,
I confirmed that 'supplementalCredentials' has different values
depending on whether I use 'samba-tool' or 'ldbmodify' to set the
password. That seems to confirm your initial guess.
> The code in pdb_samba_dsdb that owns the OID you use always removes
> this attribute when setting that OID, so you need to as well.
Is there any chance that this could mean I only need to wipe the
'supplementalCredentials' attribute -- I saw that it is possible --
after setting the password with 'ldbmodify'? Unfortunately I can't get
this tested until tomorrow.
By the way, congratulations guys, you have been doing such an awesome
job with Samba and all this AD stuff, both coding and supporting.
> Thanks,
Thank you so much, really!
Leonardo
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
>
> --
> This message has been scanned by the antivirus system and
> is believed to be free of danger.
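The change discussed in this thread, written out as an added example (not code from the thread or from Samba): a Python helper that turns an existing sambaNTPassword hex value into an LDIF modify record which replaces unicodePwd with the raw hash and empties supplementalCredentials in the same operation. The DN and hash below are constructed sample values, and it is an assumption that ldbmodify, run with the same control as in the linked thread, accepts this record.

```python
import base64
import binascii


def ldif_line(attr, text):
    """One LDIF line; base64 ('::') form when the value is not LDIF-safe text."""
    raw = text.encode("utf-8")
    safe = (raw and all(0x20 <= b < 0x7F for b in raw)
            and not raw.startswith((b" ", b":", b"<")) and not raw.endswith(b" "))
    if safe:
        return f"{attr}: {text}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def nt_hash_modify(dn, nt_hash_hex):
    """LDIF modify record: set unicodePwd to the NT hash, clear supplementalCredentials."""
    try:
        nt_hash = binascii.unhexlify(nt_hash_hex.strip())
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"{dn}: sambaNTPassword is not valid hex") from exc
    if len(nt_hash) != 16:
        raise ValueError(f"{dn}: NT hash must be 16 bytes, got {len(nt_hash)}")
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: unicodePwd",
        # Always base64: the value is 16 raw bytes, not text.
        "unicodePwd:: " + base64.b64encode(nt_hash).decode("ascii"),
        "-",
        # 'replace' with no values removes the attribute if it exists and is a
        # no-op if it does not (standard LDAP modify semantics), so the stale
        # Kerberos keys from the random password go away in the same modify.
        "replace: supplementalCredentials",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample account and hash, not taken from the thread.
    print(nt_hash_modify("CN=jdoe,CN=Users,DC=example,DC=com",
                         "00112233445566778899AABBCCDDEEFF"))
```

After applying such a record, 'ldbsearch -H ... unicodePwd supplementalCredentials' on the account should show the new unicodePwd and no supplementalCredentials value.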