
Re: [Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba
wrote:
> Hi everyone!
> 
> I have an LDAP with all my users' accounts, each one with the
> sambaNTPassword correctly defined. I also have a freshly installed Samba
> 4.2 running on a Debian 8.7 box.
> 
> I followed the instructions described by Steve Thompson here
> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I am able
> to create a Samba 4 domain account ('samba-tool user add ...
> --random-password ..') and then redefine the password directly using
> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
> script.
> 
> As you may have noticed, I don't want to ask the users to type their
> passwords again, and I want to make sure that the LDAP password and Samba
> domain password are always the same. At a second stage - after all
> accounts have been created - I will keep them synchronized using
> management software.
> 
> 'smbclient' works (authenticates) normally. The problem is that I
> can't log in to the domain from a Windows 7 VM using the user and password I
> created using the scripts/commands from the thread I linked above.
> 
> Besides, I can confirm that the 'unicodePwd' value generated by
> 'samba-tool user setpassword ...' is the same as the one generated by the
> Python script (I used 'ldbsearch -H ... unicodePwd' to check).
> 
> Is there any other step I should take in order to get Windows logon
> working normally with the accounts I create that way?

My guess is that the Kerberos keys in supplementalCredentials have not
been removed.  Those are still set to the random password, and Windows
7 is using Kerberos.

The code in pdb_samba_dsdb that owns the OID you use always removes
this attribute when setting that OID, so you need to as well.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
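A worked version of the fix Andrew describes, added here and not part of the thread or of the Python script the poster refers to: a helper that turns a sambaNTPassword hex value into the base64 'unicodePwd::' form ldbmodify expects and emits the modify LDIF with the supplementalCredentials deletion in the same change, plus a check that flags an LDIF which rewrites the hash but leaves the Kerberos keys behind. The DN and hash value are constructed samples; the ldbmodify invocation and the control OID used in the linked thread are not shown on this page and are not assumed here.

```python
import base64
import binascii

# Constructed sample values (not from the thread): a 32-hex-digit
# sambaNTPassword as stored in the source LDAP, and a hypothetical user DN.
SAMPLE_NT_HASH_HEX = "00112233445566778899aabbccddeeff"
SAMPLE_USER_DN = "CN=jdoe,CN=Users,DC=example,DC=com"


def nt_hash_to_unicodepwd(nt_hash_hex: str) -> str:
    """Convert a sambaNTPassword hex string (16-byte NT hash) into the
    base64 text that LDIF uses for the binary unicodePwd attribute."""
    if len(nt_hash_hex) != 32:
        raise ValueError("sambaNTPassword must be 32 hex digits")
    raw = binascii.unhexlify(nt_hash_hex)  # rejects non-hex input
    return base64.b64encode(raw).decode("ascii")


def build_password_sync_ldif(dn: str, nt_hash_hex: str,
                             drop_kerberos_keys: bool = True) -> str:
    """Build the ldbmodify LDIF that replaces unicodePwd and, unless
    disabled, deletes supplementalCredentials in the same change, so the
    Kerberos keys derived from the original --random-password do not
    survive the hash replacement (the cause of the Windows 7 logon failure).
    Note: 'delete' of an absent attribute fails with noSuchAttribute; an
    account created with a random password will normally carry it."""
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {nt_hash_to_unicodepwd(nt_hash_hex)}",
        "-",
    ]
    if drop_kerberos_keys:
        lines += ["delete: supplementalCredentials", "-"]
    return "\n".join(lines) + "\n"


def leaves_stale_kerberos_keys(ldif: str) -> bool:
    """Review check: True when an LDIF rewrites unicodePwd without also
    removing supplementalCredentials, i.e. the mistake diagnosed above."""
    sets_hash = "replace: unicodePwd" in ldif
    clears_keys = "delete: supplementalCredentials" in ldif
    return sets_hash and not clears_keys


if __name__ == "__main__":
    print(build_password_sync_ldif(SAMPLE_USER_DN, SAMPLE_NT_HASH_HEX))
```

After applying the LDIF against sam.ldb the same way the linked thread does, an 'ldbsearch -H ... supplementalCredentials' on the account should no longer return the attribute.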
