Re: [Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Quoting Andrew Bartlett <abartlet@xxxxxxxxx>:

> On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba wrote:
> > Hi everyone!
> >
> > I have a LDAP with all my users' accounts, each one with the
> > sambaNTPassword correctly defined. I also have a freshly installed
> > Samba 4.2 running on a Debian 8.7 box.
> >
> > I followed the instructions described by Steve Thompson here
> > <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
> > am able to create a Samba 4 domain account ('samba-tool user add ...
> > --random-password ..') and then redefine the password directly using
> > 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
> >
> > As you may have noticed, I don't want to ask for the users to type
> > passwords again, and I want to make sure that LDAP password and Samba
> > domain password are always the same. On a second moment - after all
> > accounts were created - I will keep it synchronized using a
> >
> > 'smbclient' works (authenticates) normally. The problem is that I
> > cannot login into domain from a Windows 7 VM using the user and
> > password I set using the scripts/commands from the thread I linked
> > above.
> >
> > Besides, I can confirm that the 'unicodePwd' value generated by
> > 'samba-tool user setpassword ...' is the same as the one generated by
> > the script (I used 'ldbsearch -H ... unicodePwd' to get the things
> >
> > Is there any other step I should take in order to get Windows logon
> > normally with the accounts I create that way?
>
> My guess is that the Kerberos keys in supplementalCredentials have not
> been removed.  Those are still set to the random password, and Windows
> 7 is using Kerberos.

Dear Andrew,

I confirmed that 'supplementalCredentials' has different values depending on whether I use 'samba-tool' or 'ldbmodify' to set the password. That seems to confirm your initial guess.

> The code in pdb_samba_dsdb that owns the OID you use always removes
> this attribute when setting that OID, so you need to as well.

Is there any chance that this could mean I only need to wipe the 'supplementalCredentials' attribute -- I saw that it is possible -- after setting the password with 'ldbmodify'? Unfortunately I can't get this tested until tomorrow.

By the way, congratulations guys, you have been doing such an awesome job with Samba and all this AD stuff, both coding and supporting.

Thank you so much, really!

Andrew Bartlett
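An added example (not code from this thread, from Steve Thompson's post, or from Samba itself) of the single modify operation the reply above calls for: replace unicodePwd with the NT hash already stored in sambaNTPassword and, in the same change, delete supplementalCredentials so the Kerberos keys derived from the random password do not survive. The control OID, the `local_oid:` syntax for ldbmodify's `--controls`, and the sam.ldb path are assumptions from memory; check them against your Samba version before use.

```python
import base64
import binascii
import subprocess

# Control that makes Samba's password_hash module treat unicodePwd as a
# ready-made NT hash instead of a cleartext password. The value is what I
# recall as DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID in Samba's dsdb.h; this is
# an assumption, verify it against your installed Samba's headers.
BYPASS_PASSWORD_HASH_OID = "1.3.6.1.4.1.7165.4.3.12"


def nt_hash_hex_to_b64(nt_hash_hex):
    """Turn the 32-hex-char sambaNTPassword value into base64 of the raw 16 bytes,
    which is how a binary value is written in LDIF ('attr:: ...')."""
    raw = binascii.unhexlify(nt_hash_hex)
    if len(raw) != 16:
        raise ValueError("an NT hash is exactly 16 bytes")
    return base64.b64encode(raw).decode("ascii")


def build_password_ldif(dn, nt_hash_hex):
    """LDIF for one modify: set unicodePwd from the NT hash and drop
    supplementalCredentials in the same operation. The delete fails with
    noSuchAttribute if the attribute is already absent on the account."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + nt_hash_hex_to_b64(nt_hash_hex),
        "-",
        "delete: supplementalCredentials",
        "-",
        "",
    ])


def ldbmodify_command(sam_ldb_path):
    """Command line that applies the LDIF read from stdin (syntax assumed)."""
    return ["ldbmodify", "-H", sam_ldb_path,
            "--controls=local_oid:%s:0" % BYPASS_PASSWORD_HASH_OID]


def apply_password(dn, nt_hash_hex, sam_ldb_path="/var/lib/samba/private/sam.ldb"):
    """Run ldbmodify as root on the DC; raises CalledProcessError on failure."""
    ldif = build_password_ldif(dn, nt_hash_hex)
    return subprocess.run(ldbmodify_command(sam_ldb_path),
                          input=ldif.encode("utf-8"), check=True)
```

After the change, compare `ldbsearch -H ... supplementalCredentials` before and after a fresh Windows logon: Samba regenerates the Kerberos keys from the new hash only for the encryption types it can derive, which is the point of removing the stale ones.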

