[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Leonardo Bruno Lopes leonardo at cefetmg.br
Sun Apr 9 14:47:59 UTC 2017

Citando Andrew Bartlett <abartlet at samba.org>:

> On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba
> wrote:
>> Hi everyone!
>> I have an LDAP with all my users' accounts, each one with the
>> sambaNTPassword correctly defined. I also have a freshly installed
>> Samba 4.2 running on a Debian 8.7 box.
>> I followed the instructions described by Steve Thompson here
>> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
>> am able to create a Samba 4 domain account ('samba-tool user add ...
>> --random-password ..') and then redefine the password directly using
>> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
>> script.
>> As you may have noticed, I don't want to ask the users to type
>> their passwords again, and I want to make sure that the LDAP password
>> and the Samba domain password are always the same. Later on - after
>> all accounts have been created - I will keep them synchronized using
>> a management software.
>> 'smbclient' works (authenticates) normally. The problem is that I
>> can't log into the domain from a Windows 7 VM using the user and
>> password I create using the scripts/commands from the thread I linked
>> above.
>> Besides, I can confirm that the 'unicodePwd' value generated by
>> 'samba-tool user setpassword ...' is the same as the one generated by
>> the Python script (I used 'ldbsearch -H ... unicodePwd' to get this
>> checked).
>> Is there any other step I should take in order to get Windows logon
>> working normally with the accounts I create that way?
> My guess is that the Kerberos keys in supplementalCredentials have not
> been removed.  Those are still set to the random password, and Windows
> 7 is using Kerberos.

Dear Andrew,

I confirmed that 'supplementalCredentials' has different values
depending on whether I use 'samba-tool' or 'ldbmodify' to set the
password. That seems to confirm your initial guess.

> The code in pdb_samba_dsdb that owns the OID you use always removes
> this attribute when setting that OID, so you need to as well.

Is there any chance that this could mean I only need to wipe the
'supplementalCredentials' attribute -- I saw that it is possible --
after setting the password with 'ldbmodify'? Unfortunately I can't get
this tested until tomorrow.

By the way, congratulations guys, you have been doing such an awesome
job with Samba and all this AD stuff, both coding and supporting.

> Thanks,

Thank you so much, really!

> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

This message was checked by the antivirus system and
 is believed to be free of danger.
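The procedure discussed in this thread, as an added example that is not part of the original messages, the linked 2014 script, or the Samba project's own code: take the sambaNTPassword hex already present in the LDAP entry, turn it into the LDIF that ldbmodify needs to replace unicodePwd, and, following Andrew's point, delete supplementalCredentials in the same modify so the Kerberos keys derived from the --random-password step do not survive. It also recomputes the NT hash from a plaintext (MD4 over UTF-16LE) so a migrated hash can be cross-checked against a known test password before anything is written. Assumptions: the DN is hypothetical; sam.ldb is taken to store unicodePwd as the raw 16-byte NT hash (the decoded sambaNTPassword value), which is what the ldbsearch comparison in the original post relies on; and the control OID the linked thread passes to ldbmodify is not on this page and is not reproduced.

```python
import base64
import struct

# Added example (not from the thread or the Samba project). Builds the
# ldbmodify LDIF that sets unicodePwd from an existing sambaNTPassword
# hash and deletes supplementalCredentials in the same modify, so the
# Kerberos keys set by 'samba-tool user add --random-password' are gone.
# Assumptions: the DN used below is hypothetical, and sam.ldb stores
# unicodePwd as the raw 16-byte NT hash (the decoded sambaNTPassword hex).
# The control OID that the linked thread passes to ldbmodify is not
# reproduced here.


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); does not rely on hashlib providing md4."""
    mask = 0xFFFFFFFF

    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    msg.extend(b"\x00" * ((56 - len(msg) % 64) % 64))
    msg += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):  # round 3
            a = rotl((a + H(b, c, d) + X[order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password, as lowercase hex (sambaNTPassword form)."""
    return md4(password.encode("utf-16-le")).hex()


def password_matches(nt_hex: str, password: str) -> bool:
    """Cross-check that a stored sambaNTPassword really belongs to a known password."""
    return nt_hash(password) == nt_hex.lower()


def unicode_pwd_value(nt_hex: str) -> str:
    """Base64 of the 16 raw hash bytes, as the LDIF '::' syntax requires."""
    raw = bytes.fromhex(nt_hex)
    if len(raw) != 16:
        raise ValueError("sambaNTPassword must be 32 hex digits (16 bytes)")
    return base64.b64encode(raw).decode("ascii")


def build_ldif(dn: str, nt_hex: str) -> str:
    """LDIF for ldbmodify: replace unicodePwd and drop supplementalCredentials."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {unicode_pwd_value(nt_hex)}\n"
        "-\n"
        "delete: supplementalCredentials\n"
        "-\n"
    )


if __name__ == "__main__":
    # Constructed sample: an entry whose sambaNTPassword is the hash of "password".
    sample_dn = "CN=jdoe,CN=Users,DC=example,DC=com"  # hypothetical DN
    sample_nt = nt_hash("password")
    assert password_matches(sample_nt, "password")
    print(build_ldif(sample_dn, sample_nt), end="")
```

Feed the printed LDIF to ldbmodify against sam.ldb (with whatever control the linked thread uses); afterwards an `ldbsearch -H ... supplementalCredentials` on the entry should return no such attribute, which is the check for Andrew's diagnosis. Two things to keep in mind: a `delete:` of an attribute that is already absent is rejected as a modify error, so run the delete only on entries that still carry the randomly generated credentials; and once supplementalCredentials is gone the KDC has no AES keys for the account until the next real password change, so Kerberos for that user falls back to the RC4 key derived from the NT hash and any AES-only policy on the clients or the domain will fail for those accounts.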
