[Samba] [Solved] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Leonardo Bruno Lopes leonardo at cefetmg.br
Mon Apr 10 21:24:17 UTC 2017


Citando Andrew Bartlett <abartlet at samba.org>:

> On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba
> wrote:
>>
>> Dear Andrew,
>>
>> I confirmed that 'supplementalCredentials' has different values  
>> depending on whether I use 'samba-tool' or 'ldbmodify' to set the  
>> password. That seems to confirm your initial guess.
>>
>> > The code in pdb_samba_dsdb that owns the OID you use always removes
>> > this attribute when setting that OID, so you need to as well.
>>
>> Is there any chance that this could mean I only need to wipe the  
>> 'supplementalCredentials' attribute -- I saw that it is possible --  
>> after setting the password with 'ldbmodify'? Unfortunately I can't get  
>> this tested until tomorrow.
>
> Yes, that is my suggestion.

Dear Andrew,

I tested the solution you suggested and I can confirm that it works.

Here are the use case and the workaround I used, as this can be useful  
to someone else:

1. I have my users' passwords hashed as 'sambaNTPassword' in a LDAP server.
2. I want to create the users' account in my new Samba 4 AD using the  
'sambaNTPassword' I already have.
3. So I:
   3.1 Create the account with 'samba-tool user add ... --random-password ..'
   3.2 Encode the 'sambaNTPassword' value and put it on the  
'unicodePwd' Samba/LDB attribute using this: (from  
https://lists.samba.org/archive/samba/2014-June/182196.html)

   #!/usr/bin/env python
   # Usage: ./nthash2b64.py <sambaNTPassword hex value>
   import base64
   import binascii
   import sys
   ldap_samba_nt_password = sys.argv[1]
   # 'unicodePwd::' expects the raw 16-byte NT hash, base64-encoded
   b64_hash = base64.b64encode(binascii.a2b_hex(ldap_samba_nt_password))
   print(b64_hash.decode('ascii'))

   # ldbmodify -H /usr/local/samba/private/sam.ldb \
       --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
   dn: CN=user,CN=Users,DC=samdom,DC=example,DC=com
   changetype: modify
   replace: unicodePwd
   unicodePwd:: <value from python script>
   -
   EOF

   3.3 Finally, I remove the 'supplementalCredentials' Samba/LDB  
attribute using this:
   # ldbmodify -H /usr/local/samba/private/sam.ldb \
       --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
   dn: CN=user,CN=Users,DC=samdom,DC=example,DC=com
   changetype: modify
   delete: supplementalCredentials
   -
   EOF

4. Both Windows 7 and 10 authenticate perfectly.

Just one more question: what possible security issues may come from  
removing the 'supplementalCredentials' attribute?

And, one more time, lots of thanks!

Leonardo

>
>> By the way, congratulations guys, you have been doing such an awesome
>> job with Samba and all this AD stuff, both coding and supporting.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
> --
> This message has been checked by the antivirus system and
>  is believed to be free of danger.




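As an added example (my own, not code from this thread or from Samba): a Python 3 script that wraps steps 3.2 and 3.3 above, checking that the 'sambaNTPassword' value really is a 16-byte hash before building the two LDIF change records and feeding each to ldbmodify with the same control OID. The DN, sam.ldb path and OID are the ones from the thread; the function names and the sample hash are constructed.

```python
#!/usr/bin/env python3
import base64
import binascii
import subprocess

# Path and control as used in the thread above.
SAM_LDB = "/usr/local/samba/private/sam.ldb"
LDB_CONTROL = "local_oid:1.3.6.1.4.1.7165.4.3.12:0"


def nt_hash_to_unicodepwd(nt_hash_hex):
    """Base64 form that 'unicodePwd::' expects: the raw 16-byte NT hash.

    A sambaNTPassword value is 32 hex digits; reject anything else so a
    truncated or mistyped hash never ends up as an account's password.
    """
    try:
        raw = binascii.unhexlify(nt_hash_hex.strip())
    except (binascii.Error, ValueError) as exc:
        raise ValueError("sambaNTPassword is not valid hex") from exc
    if len(raw) != 16:
        raise ValueError("NT hash must be 16 bytes (32 hex digits)")
    return base64.b64encode(raw).decode("ascii")


def build_ldif_records(dn, nt_hash_hex):
    """The two change records from steps 3.2 and 3.3, in that order:
    set unicodePwd, then drop the now-stale supplementalCredentials."""
    set_pwd = (f"dn: {dn}\nchangetype: modify\nreplace: unicodePwd\n"
               f"unicodePwd:: {nt_hash_to_unicodepwd(nt_hash_hex)}\n-\n")
    drop_supp = (f"dn: {dn}\nchangetype: modify\n"
                 "delete: supplementalCredentials\n-\n")
    return [set_pwd, drop_supp]


def import_nt_hash(dn, nt_hash_hex, sam_ldb=SAM_LDB):
    """Run ldbmodify once per record (as root on the DC); stop on failure."""
    cmd = ["ldbmodify", "-H", sam_ldb, "--controls=" + LDB_CONTROL]
    for record in build_ldif_records(dn, nt_hash_hex):
        result = subprocess.run(cmd, input=record.encode(), check=False)
        if result.returncode != 0:
            return result.returncode
    return 0


if __name__ == "__main__":
    # Constructed sample: this hash is not any real account's password.
    for rec in build_ldif_records(
            "CN=user,CN=Users,DC=samdom,DC=example,DC=com",
            "00112233445566778899aabbccddeeff"):
        print(rec)
```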