Re: [Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
- Date: Sun, 09 Apr 2017 07:34:30 +1200
- From: Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba
> Hi everyone!
> I have a LDAP with all my users' accounts, each one with the
> sambaNTPassword correctly defined. I also have a freshly installed
> 4.2 running on a Debian 8.7 box.
> I followed the instructions described by Steve Thompson here
> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
> am able
> to create a Samba 4 domain account ('samba-tool user add ...
> --random-password ..') and then redefine the password directly using
> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
> As you may have noticed, I don't want to ask for the users to type
> passwords again, and I want to make sure that LDAP password and Samba
> domain password are always the same. On a second moment - after all
> accounts were created - I will keep it synchronized using a
> 'smbclient' works (authenticates) normally. The problem is that I
> login into domain from a Windows 7 VM using the user and password I
> using the scripts/commands from the thread I linked above.
> Besides, I can confirm that the 'unicodePwd' value generated by
> user setpassword ...' is the same as the one generated by the
> script (I used 'ldbsearch -H ... unicodePwd' to get the things
> Is there any other step I should take in order to get Windows logon
> normally with the accounts I create that way?
My guess is that the Kerberos keys in supplementalCredentials have not
been removed. Those are still set to the random password, and Windows
7 is using Kerberos.
The code in pdb_samba_dsdb that owns the OID you use always removes
this attribute when setting that OID, so you need to as well.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
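
What the reply above describes, as an added example (not code from the thread or from Samba): a Python helper that writes the `ldbmodify` LDIF so that `unicodePwd` is replaced and `supplementalCredentials` is cleared in the same modify, plus a check that flags LDIF records which set only the hash. The DN and hash are constructed sample values, and clearing the attribute with an empty `replace:` is an assumption about how to remove it; the LDIF would be applied with the same `ldbmodify` control used in the linked thread.

```python
SAMPLE_DN = "CN=jdoe,CN=Users,DC=example,DC=com"    # constructed sample
SAMPLE_NT_HASH = "0123456789abcdef0123456789abcdef"  # constructed, not a real hash

import base64


def build_password_ldif(dn, nt_hash_hex):
    """LDIF that sets unicodePwd to a raw NT hash and drops the old Kerberos keys."""
    raw = bytes.fromhex(nt_hash_hex.strip())  # ValueError on non-hex input
    if len(raw) != 16:
        raise ValueError("NT hash must be 16 bytes (32 hex digits)")
    if not dn.isascii():
        raise ValueError("non-ASCII DN would need base64 'dn::' encoding")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {base64.b64encode(raw).decode('ascii')}",
        "-",
        # Assumption: a replace with no value removes the attribute if present,
        # so the keys derived from the random password cannot be used any more.
        "replace: supplementalCredentials",
        "-",
        "",
    ])


def records_keeping_old_keys(ldif):
    """DNs of records that change unicodePwd but leave supplementalCredentials."""
    flagged = []
    for record in ldif.strip().split("\n\n"):
        dn, touched = None, set()
        for line in record.splitlines():
            key, _, value = line.partition(":")
            if key.lower() == "dn":
                dn = value.strip()
            elif key.lower() in ("replace", "delete"):
                touched.add(value.strip().lower())
        if dn and "unicodepwd" in touched and "supplementalcredentials" not in touched:
            flagged.append(dn)
    return flagged


if __name__ == "__main__":
    ldif = build_password_ldif(SAMPLE_DN, SAMPLE_NT_HASH)
    print(ldif)
    print("records keeping old keys:", records_keeping_old_keys(ldif))
```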