
Re: [Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM




Quoting Andrew Bartlett <abartlet@xxxxxxxxx>:

> On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba wrote:
> > Hi everyone!
> >
> > I have an LDAP with all my users' accounts, each one with the
> > sambaNTPassword correctly defined. I also have a freshly installed Samba
> > 4.2 running on a Debian 8.7 box.
> >
> > I followed the instructions described by Steve Thompson here
> > <https://lists.samba.org/archive/samba/2014-June/182196.html> and I am
> > able to create a Samba 4 domain account ('samba-tool user add ...
> > --random-password ..') and then redefine the password directly using
> > 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python script.
> >
> > As you may have noticed, I don't want to ask the users to type their
> > passwords again, and I want to make sure that the LDAP password and the
> > Samba domain password are always the same. At a later stage, after all
> > accounts have been created, I will keep them synchronized using a
> > management software.
> >
> > 'smbclient' works (authenticates) normally. The problem is that I can't
> > log into the domain from a Windows 7 VM using the user and password I
> > created using the scripts/commands from the thread I linked above.
> >
> > Besides, I can confirm that the 'unicodePwd' value generated by
> > 'samba-tool user setpassword ...' is the same as the one generated by
> > the Python script (I used 'ldbsearch -H ... unicodePwd' to get this
> > checked).
> >
> > Is there any other step I should take in order to get Windows logon
> > working normally with the accounts I create that way?
>
> My guess is that the Kerberos keys in supplementalCredentials have not
> been removed.  Those are still set to the random password, and Windows
> 7 is using Kerberos.

Dear Andrew,

I confirmed that 'supplementalCredentials' has different values depending on whether I use 'samba-tool' or 'ldbmodify' to set the password. That seems to confirm your initial guess.

> The code in pdb_samba_dsdb that owns the OID you use always removes
> this attribute when setting that OID, so you need to as well.

Is there any chance that this could mean I only need to wipe the 'supplementalCredentials' attribute -- I saw that it is possible -- after setting the password with 'ldbmodify'? Unfortunately I can't get this tested until tomorrow.

By the way, congratulations guys, you have been doing such an awesome job with Samba and all this AD stuff, both coding and supporting.

> Thanks,

Thank you so much, really!
Leonardo

> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


--
This message has been checked by the antivirus system and
is believed to be free of danger.






--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
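As an added worked example of the modify Andrew describes (this is not code from the thread, from the linked 2014 script, or from Samba itself), the Python below builds an ldbmodify LDIF that writes the NT hash from sambaNTPassword into unicodePwd and clears supplementalCredentials in the same operation, then checks ldbsearch output for the two things that matter here: the stored hash matches the LDAP one, and no Kerberos keys derived from the random password remain. The control OID (Samba's DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID, 1.3.6.1.4.1.7165.4.3.12; the thread only says "the OID you use"), the `local_oid:<oid>:<critical>` control syntax, the DN, the sam.ldb path and the sample ldbsearch output are assumptions or constructed data; the NT hash used is the well-known hash of the string "password".

```python
"""Added example: sync an NT hash from sambaNTPassword into a Samba AD account
with ldbmodify, clear the stale Kerberos keys, and verify via ldbsearch output.
Not code from this thread or from Samba; assumptions are marked below."""
import base64
import binascii

# Assumption: Samba's DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID. The thread only
# says "the OID you use"; that it is this one is assumed here.
BYPASS_PASSWORD_HASH_OID = "1.3.6.1.4.1.7165.4.3.12"


def nt_hash_from_samba_attr(samba_nt_password):
    """sambaNTPassword holds the NT hash (MD4 of the UTF-16LE password) as 32 hex chars."""
    raw = binascii.unhexlify(samba_nt_password.strip())
    if len(raw) != 16:
        raise ValueError("NT hash must be exactly 16 bytes")
    return raw


def build_password_sync_ldif(user_dn, samba_nt_password):
    """One modify: unicodePwd := raw NT hash (binary, so base64 '::' in LDIF),
    supplementalCredentials := no values. 'replace' with no values removes
    the attribute and, unlike 'delete', does not error if it is already gone."""
    b64 = base64.b64encode(nt_hash_from_samba_attr(samba_nt_password)).decode("ascii")
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {b64}\n"
        "-\n"
        "replace: supplementalCredentials\n"
        "-\n"
    )


def ldbmodify_argv(sam_ldb, ldif_path):
    """Command line applying the LDIF with the bypass control. ldb's generic
    'local_oid:<oid>:<critical>' control syntax is assumed to be accepted here."""
    return ["ldbmodify", "-H", sam_ldb,
            f"--controls=local_oid:{BYPASS_PASSWORD_HASH_OID}:0", ldif_path]


def parse_ldif_entry(ldif_text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, skips comments and '-' separators. Returns {attr: [bytes, ...]}."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        entry.setdefault(name, []).append(value)
    return entry


def check_synced_account(ldbsearch_output, samba_nt_password):
    """The two checks that matter after the modify: the stored hash equals the
    LDAP one (what NTLM / smbclient uses), and no Kerberos keys derived from
    the old random password remain (what Windows domain logon uses)."""
    entry = parse_ldif_entry(ldbsearch_output)
    return {
        "unicodePwd_matches_ldap":
            entry.get("unicodePwd") == [nt_hash_from_samba_attr(samba_nt_password)],
        "stale_kerberos_keys_cleared": "supplementalCredentials" not in entry,
    }


# Constructed sample data (not from a real domain). The hash is the well-known
# NT hash of the string "password"; the supplementalCredentials blob is dummy bytes.
SAMPLE_NT_HASH = "8846f7eaee8fb117ad06bdd830b7586c"
SAMPLE_DN = "CN=jdoe,CN=Users,DC=example,DC=com"

# Constructed ldbsearch output after ldbmodify replaced unicodePwd only.
SAMPLE_AFTER_UNICODEPWD_ONLY = """\
# record 1
dn: CN=jdoe,CN=Users,DC=example,DC=com
unicodePwd:: iEb36u6PsRetBr3YMLdYbA==
supplementalCredentials:: AAAAAAEAAAA=

# returned 1 records
"""

# Constructed ldbsearch output after the combined modify built above.
SAMPLE_AFTER_FULL_SYNC = SAMPLE_AFTER_UNICODEPWD_ONLY.replace(
    "supplementalCredentials:: AAAAAAEAAAA=\n", "")

if __name__ == "__main__":
    print(build_password_sync_ldif(SAMPLE_DN, SAMPLE_NT_HASH))
    print(" ".join(ldbmodify_argv("/var/lib/samba/private/sam.ldb", "sync.ldif")))
    print(check_synced_account(SAMPLE_AFTER_UNICODEPWD_ONLY, SAMPLE_NT_HASH))
    print(check_synced_account(SAMPLE_AFTER_FULL_SYNC, SAMPLE_NT_HASH))
```

Replacing supplementalCredentials with no values drops the AES keys together with the stale RC4 ones, so until the user next changes the password Samba's KDC can only issue tickets with the arcfour-hmac key it derives from unicodePwd; run `check_synced_account` over the live `ldbsearch -H sam.ldb "(sAMAccountName=...)" unicodePwd supplementalCredentials` output before telling users their domain logon works.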