[Samba] [Solved] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Leonardo Bruno Lopes
leonardo at cefetmg.br
Mon Apr 10 21:24:17 UTC 2017
Citando Andrew Bartlett <abartlet at samba.org>:
> On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba
> wrote:
>>
>> Dear Andrew,
>>
>> I confirmed that 'supplementalCredentials' has different values
>> depending on whether I use 'samba-tool' or 'ldbmodify' to set the
>> password. That seems to confirm your initial guess.
>>
>> > The code in pdb_samba_dsdb that owns the OID you use always removes
>> > this attribute when setting that OID, so you need to as well.
>>
>> Is there any chance that this could mean I only need to wipe the
>> 'supplementalCredentials' attribute -- I saw that it is possible --
>> after setting the password with 'ldbmodify'? Unfortunately I can't get
>> this tested until tomorrow.
>
> Yes, that is my suggestion.
Dear Andrew,
I tested the solution you suggested and I can confirm that it works.
Here are the use case and the workaround I used, as this can be useful
to someone else:
1. I have my users' passwords hashed as 'sambaNTPassword' in a LDAP server.
2. I want to create the users' account in my new Samba 4 AD using the
'sambaNTPassword' I already have.
3. So I:
3.1 Create the account with 'samba-tool user add ... --random-password ..'
3.2 Encode the 'sambaNTPassword' value and put it on the
'unicodePwd' Samba/LDB attribute using this: (from
https://lists.samba.org/archive/samba/2014-June/182196.html)
#!/usr/bin/env python
import base64
import binascii
import sys
# Argument: the hex 'sambaNTPassword' value taken from the LDAP server.
ldap_samba_nt_password = sys.argv[1]
# Decode the hex into the 16 raw hash bytes and base64 them so the value
# can go on a 'unicodePwd::' LDIF line.
b64_hash = base64.b64encode(binascii.a2b_hex(ldap_samba_nt_password))
print(b64_hash.decode('ascii'))
# ldbmodify -H /usr/local/samba/private/sam.ldb \
    --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=user,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: <value from python script>
-
EOF
3.3 Finally, I remove the 'supplementalCredentials' Samba/LDB
attribute using this:
# ldbmodify -H /usr/local/samba/private/sam.ldb \
    --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=user,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
delete: supplementalCredentials
-
EOF
4. Both Windows 7 and Windows 10 authenticate perfectly.
Just one more question: what possible security issues may come from
removing the 'supplementalCredentials' attribute?
And, one more time, lots of thanks!
Leonardo
>
>> By the way, congratulations guys, you have been doing such an
>> awesome
>> job with Samba and all this AD stuff, both coding and supporting.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
>
> --
> This message has been checked by the antivirus system and is
> believed to be free of danger.
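Steps 3.2 and 3.3 above are two separate ldbmodify runs with a hand-pasted base64 value in between. The script below, an added example that is not from the thread or from the Samba project, folds them into one tool: it validates the 'sambaNTPassword' hex value (an NT hash is exactly 16 bytes), base64-encodes it, and emits a single LDIF with both change records (replace unicodePwd, then delete supplementalCredentials) for the same DN, ready to pipe into ldbmodify with the same sam.ldb path and local_oid control used in the post. The DN and hash in the test values are constructed, not real accounts. One caveat on the question asked above: supplementalCredentials is where Samba stores the Kerberos keys it derives from the cleartext password (the AES types among them), so after it is removed the account's Kerberos authentication relies on the RC4-HMAC key, which is the NT hash itself, until the user next changes the password and Samba regenerates the attribute.

```python
#!/usr/bin/env python3
"""Turn an LDAP 'sambaNTPassword' hex value into the LDIF that sets
'unicodePwd' and clears 'supplementalCredentials' in Samba's sam.ldb.

Added example, not code from the original thread. It assumes the
sam.ldb path and the local_oid control quoted in the post above.
"""
import base64
import binascii
import sys

# Control that lets ldbmodify accept a raw NT hash for unicodePwd (from the post).
CONTROL = "local_oid:1.3.6.1.4.1.7165.4.3.12:0"
# sam.ldb location used in the post; adjust to the local install.
SAM_LDB = "/usr/local/samba/private/sam.ldb"


def nt_hash_to_base64(hex_hash: str) -> str:
    """Validate a 32-hex-digit NT hash and return it base64-encoded."""
    hex_hash = hex_hash.strip()
    if len(hex_hash) != 32:
        raise ValueError(
            "an NT hash is 16 bytes (32 hex digits), got %d characters" % len(hex_hash)
        )
    try:
        raw = binascii.a2b_hex(hex_hash)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("sambaNTPassword is not valid hex: %s" % exc) from None
    return base64.b64encode(raw).decode("ascii")


def ldif_for_account(dn: str, hex_hash: str) -> str:
    """LDIF with two change records for one account: replace unicodePwd
    (step 3.2 of the post), then delete supplementalCredentials (step 3.3).
    The '::' in 'unicodePwd::' marks a base64-encoded LDIF value."""
    b64 = nt_hash_to_base64(hex_hash)
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        "unicodePwd:: %s\n"
        "-\n"
        "\n"
        "dn: %s\n"
        "changetype: modify\n"
        "delete: supplementalCredentials\n"
        "-\n"
    ) % (dn, b64, dn)


def ldbmodify_command() -> str:
    """The ldbmodify invocation the LDIF on stdin is meant for."""
    return "ldbmodify -H %s --controls=%s" % (SAM_LDB, CONTROL)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s <user DN> <sambaNTPassword hex>" % sys.argv[0])
    # Print the LDIF; pipe it into the command returned by ldbmodify_command().
    sys.stdout.write(ldif_for_account(sys.argv[1], sys.argv[2]))
```

Usage on the domain controller: `python3 nt2ldif.py 'CN=user,CN=Users,DC=samdom,DC=example,DC=com' <hex> | ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0`. Putting both records in one LDIF keeps the unicodePwd write and the supplementalCredentials delete together, so an account is never left with a new NT hash and stale Kerberos keys because the second command was forgotten.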