
Re: [Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM




Thank you so much, Rowland.

I disabled the complexity using the command you suggested (just added 'set',
I mean, 'samba-tool domain passwordsettings set --complexity=off').

'smbclient' still works, no surprise here. However I can't test the Windows
login right now. For some weird reason I can't open Windows VMs through
VPN. As soon as I have some additional information I will let you and the
list know.

About the complexity setting itself, I suppose it turns off the Samba
password complexity verification while re/setting passwords. It would not
be a problem as the software I (will) use to maintain the accounts already
has some complexity rules. In fact, the passwords I have in my LDAP (in the
'sambaNTPassword' attribute) are complex enough to be used by Samba AD.

Thanks again!
Leonardo

Quoting Rowland Penny <rpenny@xxxxxxxxx>:

On Fri, 07 Apr 2017 20:32:37 +0000
Leonardo Bruno Lopes via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi everyone!

I have an LDAP with all my users' accounts, each one with the
sambaNTPassword correctly defined. I also have a freshly installed
Samba 4.2 running on a Debian 8.7 box.

I followed the instructions described by Steve Thompson here
<https://lists.samba.org/archive/samba/2014-June/182196.html> and I
am able to create a Samba 4 domain account ('samba-tool user add ...
--random-password ..') and then redefine the password directly using
'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
script.

As you may have noticed, I don't want to ask for the users to type
their passwords again, and I want to make sure that LDAP password and
Samba domain password are always the same. On a second moment - after
all accounts were created - I will keep it synchronized using a
management software.

'smbclient' works (authenticates) normally. The problem is that I
can't login into domain from a Windows 7 VM using the user and
password I create using the scripts/commands from the thread I linked
above.

Besides, I can confirm that the 'unicodePwd' value generated by
'samba-tool user setpassword ...' is the same as the one generated
by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
things checked).

Is there any other step I should take in order to get Windows logon
working normally with the accounts I create that way?

Thanks in advance, regards.
Leonardo

I have never tried this, but from my understanding, what you have
posted should work. I wonder if it is just something as simple as
the old LDAP passwords not being complex enough?

Try running this on the DC:

samba-tool domain passwordsettings --complexity=off

If this cures the problem, then you have the answer, it is then up to
you to decide how to proceed, stay with the old passwords or make your
users change them.

Rowland

--
Esta mensagem foi verificada pelo sistema de antivírus eacredita-se
estar livre de perigo.

--
Esta mensagem foi verificada pelo sistema de antivírus e
acredita-se estar livre de perigo.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
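The hash-copy step discussed in this thread, as an added example that is not code from the thread or from the Samba project: it turns a hex `sambaNTPassword` value into an LDIF modify record for `unicodePwd`, rejects malformed hashes and the hash of an empty password, and writes the result owner-readable only because an NT hash is password-equivalent. The DN and sample hash are constructed, the helper names are hypothetical, and how `ldbmodify` is then invoked is left to the linked instructions.

```python
import base64
import binascii
import os

# NT hash of the empty string: an account carrying it has no password at all.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"


def nt_hash_bytes(hex_hash):
    """Validate a sambaNTPassword value and return the raw 16-byte NT hash."""
    h = hex_hash.strip().lower()
    if len(h) != 32:
        raise ValueError("NT hash must be 32 hex characters")
    try:
        raw = binascii.unhexlify(h)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("NT hash is not valid hex") from exc
    if h == EMPTY_NT_HASH:
        raise ValueError("refusing the hash of an empty password")
    return raw


def unicodepwd_ldif(dn, hex_hash):
    """Build an LDIF modify record replacing unicodePwd with the given hash."""
    if "\n" in dn or "\r" in dn:
        raise ValueError("DN must be a single line")  # no injected LDIF lines
    b64 = base64.b64encode(nt_hash_bytes(hex_hash)).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {b64}\n"
        "-\n"
    )


def write_private(path, text):
    """Create the LDIF file with mode 0600; fails if the file already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Constructed sample: NT hash of the string "password", hypothetical DN.
    sample = "8846F7EAEE8FB117AD06BDD830B7586C"
    print(unicodepwd_ldif("CN=jdoe,CN=Users,DC=example,DC=com", sample), end="")
```

Delete the LDIF file once the import is done; anyone who can read it can authenticate as the listed accounts without knowing the cleartext passwords.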