
Re: [Samba] [Solved] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM




Quoting Andrew Bartlett <abartlet@xxxxxxxxx>:

On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba
wrote:

Dear Andrew,

I confirmed that 'supplementalCredentials' has different values  
depending on whether I use 'samba-tool' or 'ldbmodify' to set the  
password. That seems to confirm your initial guess.

> The code in pdb_samba_dsdb that owns the OID you use always removes
> this attribute when setting that OID, so you need to as well.

Is there any chance that this could mean I only need to wipe the
'supplementalCredentials' attribute -- I saw that it is possible --
after setting the password with 'ldbmodify'? Unfortunately I can't get
this tested until tomorrow.

Yes, that is my suggestion.

Dear Andrew,

I tested the solution you suggested and I can confirm that it works.

Here are the use case and the workaround I used, as this can be useful to someone else:

1. I have my users' passwords hashed as 'sambaNTPassword' in a LDAP server.
2. I want to create the users' account in my new Samba 4 AD using the 'sambaNTPassword' I already have.
3. So I:
   3.1 Create the account with 'samba-tool user add ... --random-password ..'
   3.2 Encode the 'sambaNTPassword' value and put it on the 'unicodePwd' Samba/LDB attribute using this: (from https://lists.samba.org/archive/samba/2014-June/182196.html)

    #!/usr/bin/env python
    import base64
    import binascii
    import sys

    # hex-encoded NT hash, as stored in the LDAP 'sambaNTPassword' attribute
    ldap_samba_nt_password = sys.argv[1]
    # 'unicodePwd::' in LDIF expects the raw 16-byte hash, base64-encoded
    b64_hash = base64.b64encode(binascii.a2b_hex(ldap_samba_nt_password))
    # decode so the script prints the same text under Python 2 and Python 3
    print(b64_hash.decode('ascii'))

    # ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
    dn: CN=user,CN=Users,DC=samdom,DC=example,DC=com
    changetype: modify
    replace: unicodePwd
    unicodePwd:: <value from python script>
    -
    EOF

   3.3 Finally, I remove the 'supplementalCredentials' Samba/LDB attribute using this:

    # ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
    dn: CN=user,CN=Users,DC=samdom,DC=example,DC=com
    changetype: modify
    delete: supplementalCredentials
    -
    EOF

4. Both Windows 7 and 10 authenticate perfectly.

Just one more question: what possible security issues may come from removing the 'supplementalCredentials' attribute?

And, one more time, lots of thanks!

Leonardo


By the way, congratulations guys, you have been doing such an awesome
job with Samba and all this AD stuff, both coding and supporting.

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
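The workaround in steps 3.2 and 3.3 above, as an added example (not code from the thread and not Samba's own tooling): a Python 3 script that takes a 'sambaNTPassword' hex value plus the account DN and emits the two LDIF records for ldbmodify, refusing anything that is not a 16-byte NT hash before it can reach sam.ldb. The DN, sam.ldb path and the local_oid control are the ones used in the messages above; the sample hash used in the usage comment is the well-known NT hash of an empty password, constructed here only as test input.

```python
#!/usr/bin/env python3
"""Emit the LDIF for the two ldbmodify steps described in the thread.

Assumed inputs (constructed for this example): a hex NT hash as stored in
the LDAP 'sambaNTPassword' attribute, and the DN of the Samba AD account.
"""
import base64
import binascii
import sys

# Local LDB control used on the page to write unicodePwd directly.
BYPASS_CONTROL = "local_oid:1.3.6.1.4.1.7165.4.3.12:0"
DEFAULT_SAM_LDB = "/usr/local/samba/private/sam.ldb"


def nt_hash_to_b64(hex_hash: str) -> str:
    """Convert a hex 'sambaNTPassword' value to the base64 text that LDIF
    expects after 'unicodePwd::'. A truncated, padded or non-hex value is
    rejected here instead of being written into the directory."""
    try:
        raw = binascii.a2b_hex(hex_hash.strip())
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a hex string: {exc}") from exc
    if len(raw) != 16:
        raise ValueError(f"NT hash must be 16 bytes, got {len(raw)}")
    return base64.b64encode(raw).decode("ascii")


def set_password_ldif(dn: str, hex_hash: str) -> str:
    """Step 3.2: replace unicodePwd with the base64-encoded NT hash."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {nt_hash_to_b64(hex_hash)}\n"
        "-\n"
    )


def drop_supplemental_ldif(dn: str) -> str:
    """Step 3.3: delete supplementalCredentials, as the thread recommends
    after writing unicodePwd under the bypass control."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "delete: supplementalCredentials\n"
        "-\n"
    )


def ldbmodify_command(sam_ldb: str = DEFAULT_SAM_LDB) -> str:
    """The ldbmodify invocation from the page; pipe each LDIF record into it."""
    return f"ldbmodify -H {sam_ldb} --controls={BYPASS_CONTROL}"


if __name__ == "__main__":
    # usage: script.py 'CN=user,CN=Users,DC=samdom,DC=example,DC=com' 31d6cfe0d16ae931b73c59d7e0c089c0
    if len(sys.argv) != 3:
        sys.exit("usage: script.py <account DN> <hex sambaNTPassword>")
    target_dn, nt_hex = sys.argv[1], sys.argv[2]
    # Two records separated by a blank line, in the same order as steps 3.2 and 3.3.
    sys.stdout.write(set_password_ldif(target_dn, nt_hex))
    sys.stdout.write("\n")
    sys.stdout.write(drop_supplemental_ldif(target_dn))
    sys.stderr.write(f"pipe the output into: {ldbmodify_command()}\n")
```

The thread runs the two modifications as separate ldbmodify invocations; this script prints them as two LDIF records so they can be piped in one go or split, and it prints the ldbmodify command line on stderr so it never mixes with the LDIF on stdout.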


--
This message has been checked by the antivirus system and
is believed to be free of danger.



