roudoudou
2008-Sep-08 03:48 UTC
[Samba] wrong userPassword hash generated by smbpasswd (pam_password=exop and smbk5pwd ) on a samba+ldap PDC running on FreeBSD
Hello everybody, I've setup a SAMBA 3.0.X (3.0.32 right now) PDC with a LDAP backend running on FreeBSD 6.3 some time ago and users can't just login on unix box when the password their password, modified from Windows, include non-ascii character (such as french letter like "?" for example) I guess that they must some kind of charset issue but i just don't know how to debug this issue :-/ So would be thankful to anyone who could help me on this issue I post here the information i've collected so far, hoping that they are relevant...It seems that everything works fine when using smbldap-passwd instead of smbpasswd for modifying unix/windows password ?! Thanks ! -- # locale LANG=fr_FR.ISO8859-15 LC_CTYPE="fr_FR.ISO8859-15" LC_COLLATE="fr_FR.ISO8859-15" LC_TIME="fr_FR.ISO8859-15" LC_NUMERIC="fr_FR.ISO8859-15" LC_MONETARY="fr_FR.ISO8859-15" LC_MESSAGES="fr_FR.ISO8859-15" LC_ALL # smbpasswd testuser (#password here is "mdp") New SMB password: Retype new SMB password: # smbldap-usershow testuser dn: (...) (...) shadowLastChange: 14130 userPassword: {CRYPT}$1$lehDK9Nt$cIXRIoy4LWQJSXtzCmwyB1 sambaPwdLastSet: 1220843814 sambaLMPassword: 468f587067043edcaad3b435b51404ee sambaNTPassword: 97c438f12af3ffc2f22bedc986962e6b # openssl passwd -1 -salt 'lehDK9Nt' Password: (input "mdp" as password) $1$lehDK9Nt$cIXRIoy4LWQJSXtzCmwyB1 # smbclient -U testuser -L mypdc Password: (...) testuser Disk Dossiers des utilisateurs du domaine # Si everything is ok when using a password with only ascii char -- But if the user ever add a extended ascii character such as "?", the userPassword has generated is wrong and the user can no longer login on a unix box (windows login works fine): -- # smbpasswd testuser (#password here is "mdp?") New SMB password: Retype new SMB password: # smbldap-usershow testuser dn: (...) (...) shadowLastChange: 14130 userPassword: {CRYPT}$1$w8UpPdhA$GjVBkGHTMmMMangBh8bqN0 sambaPwdLastSet: 1220844214 sambaLMPassword: 95bbbebfe631db91aad3b435b51404ee sambaNTPassword: 0ffc151c0c48e8dc9e64e224dc080c6a # openssl passwd -1 -salt 'w8UpPdhA' Password: (input "mdp?" as password) $1$w8UpPdhA$Ykv5oOAYnTQknCjVF5kJc1 (the hash generated by smbpasswd is different than the one generated by openssl -1 despite using the same salt string) # smbclient -U testuser -L mypdc (but windows login still works fine) Password: (...) testuser Disk Dossiers des utilisateurs du domaine # I'm just wondering why smbpasswd generate a wrong has whenever there's a non-ascii character part of the password ?? -- Here is part of the samba+ldap config: -- /usr/local/etc/nss_ldap.conf: -- * ls -l /usr/local/etc/ldap.conf /usr/local/etc/ldap.conf -> nss_ldap.conf * Excerpt from the nss_ldap.conf file pam_password clear pam_password exop nss_base_passwd ou=People,dc=XXXX?one nss_base_passwd ou=Hosts,dc=XXXX?one nss_base_shadow ou=People,dc=XXXX?one nss_base_group ou=Group,dc=XXXX?one ssl start_tls tls_checkpeer yes -- /usr/local/etc/openldap/slapd.conf (the ldap server is on another box): -- moduleload smbk5pwd.so security tls=1 password-hash {CRYPT} password-crypt-salt-format "$1$%.8s" database bdb #(...) overlay smbk5pwd --
Reasonably Related Threads
- Overlays syncrepl and smbk5pwd
- pGINA and samba - authentication against LDAP userPassword field?
- exop vs md5
- LDAP Account Manager 6.5.RC1 with LDAP EXOP password change and dynamic directory services
- LDAP Account Manager 6.5 with LDAP EXOP password change and dynamic directory services