Leonardo Bruno Lopes
2017-Apr-07 20:32 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Hi everyone!

I have a LDAP with all my users' accounts, each one with the sambaNTPassword correctly defined. I also have a freshly installed Samba 4.2 running on a Debian 8.7 box.

I followed the instructions described by Steve Thompson here <https://lists.samba.org/archive/samba/2014-June/182196.html> and I am able to create a Samba 4 domain account ('samba-tool user add ... --random-password ..') and then redefine the password directly using 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python script.

As you may have noticed, I don't want to ask the users to type their passwords again, and I want to make sure that LDAP password and Samba domain password are always the same. On a second moment - after all accounts were created - I will keep it synchronized using a management software.

'smbclient' works (authenticates) normally. The problem is that I can't login into domain from a Windows 7 VM using the user and password I create using the scripts/commands from the thread I linked above.

Besides, I can confirm that the 'unicodePwd' value generated by 'samba-tool user setpassword ...' is the same as the one generated by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the things checked).

Is there any other step I should take in order to get Windows logon working normally with the accounts I create that way?

Thanks in advance, regards.
Leonardo
Rowland Penny
2017-Apr-08 14:40 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
On Fri, 07 Apr 2017 20:32:37 +0000 Leonardo Bruno Lopes via samba <samba at lists.samba.org> wrote:

> Hi everyone!
>
> I have a LDAP with all my users' accounts, each one with the
> sambaNTPassword correctly defined. I also have a freshly installed
> Samba 4.2 running on a Debian 8.7 box.
>
> I followed the instructions described by Steve Thompson here
> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
> am able to create a Samba 4 domain account ('samba-tool user add ...
> --random-password ..') and then redefine the password directly using
> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
> script.
>
> As you may have noticed, I don't want to ask the users to type
> their passwords again, and I want to make sure that LDAP password and
> Samba domain password are always the same. On a second moment - after
> all accounts were created - I will keep it synchronized using a
> management software.
>
> 'smbclient' works (authenticates) normally. The problem is that I
> can't login into domain from a Windows 7 VM using the user and
> password I create using the scripts/commands from the thread I linked
> above.
>
> Besides, I can confirm that the 'unicodePwd' value generated by
> 'samba-tool user setpassword ...' is the same as the one generated
> by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
> things checked).
>
> Is there any other step I should take in order to get Windows logon
> working normally with the accounts I create that way?
>
> Thanks in advance, regards.
> Leonardo

I have never tried this, but from my understanding, what you have posted should work. I wonder if it is just something as simple as the old ldap passwords not being complex enough?

Try running this on the DC:

    samba-tool domain passwordsettings --complexity=off

If this cures the problem, then you have the answer, it is then up to you to decide how to proceed, stay with the old passwords or make your users change them.

Rowland
Leonardo Bruno Lopes
2017-Apr-08 16:53 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Thank you so much, Rowland.

I disabled the complexity using the command you suggested (just added 'set', I mean, 'samba-tool domain passwordsettings set --complexity=off'). 'smbclient' still works, no surprise here. However I can't test the Windows login right now. For some weird reason I can't open Windows VMs through VPN. As soon as I have some additional information I will let you and the list know.

About the complexity setting itself, I suppose it turns off the Samba password complexity verification while re/setting passwords. It would not be a problem as the software I (will) use to maintain the accounts already has some complexity rules. In fact, the passwords I have in my LDAP (in the 'sambaNTPassword' attribute) are complex enough to be used by Samba AD.

Thanks again!
Leonardo

Quoting Rowland Penny <rpenny at samba.org>:

> On Fri, 07 Apr 2017 20:32:37 +0000
> Leonardo Bruno Lopes via samba <samba at lists.samba.org> wrote:
>
>> Hi everyone!
>>
>> I have a LDAP with all my users' accounts, each one with the
>> sambaNTPassword correctly defined. I also have a freshly installed
>> Samba 4.2 running on a Debian 8.7 box.
>>
>> I followed the instructions described by Steve Thompson here
>> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
>> am able to create a Samba 4 domain account ('samba-tool user add ...
>> --random-password ..') and then redefine the password directly using
>> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
>> script.
>>
>> As you may have noticed, I don't want to ask the users to type
>> their passwords again, and I want to make sure that LDAP password and
>> Samba domain password are always the same. On a second moment - after
>> all accounts were created - I will keep it synchronized using a
>> management software.
>>
>> 'smbclient' works (authenticates) normally. The problem is that I
>> can't login into domain from a Windows 7 VM using the user and
>> password I create using the scripts/commands from the thread I linked
>> above.
>>
>> Besides, I can confirm that the 'unicodePwd' value generated by
>> 'samba-tool user setpassword ...' is the same as the one generated
>> by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
>> things checked).
>>
>> Is there any other step I should take in order to get Windows logon
>> working normally with the accounts I create that way?
>>
>> Thanks in advance, regards.
>> Leonardo
>
> I have never tried this, but from my understanding, what you have
> posted should work. I wonder if it is just something as simple as
> the old ldap passwords not being complex enough?
>
> Try running this on the DC:
>
>     samba-tool domain passwordsettings --complexity=off
>
> If this cures the problem, then you have the answer, it is then up to
> you to decide how to proceed, stay with the old passwords or make your
> users change them.
>
> Rowland
Andrew Bartlett
2017-Apr-08 19:34 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba wrote:

> Hi everyone!
>
> I have a LDAP with all my users' accounts, each one with the
> sambaNTPassword correctly defined. I also have a freshly installed
> Samba 4.2 running on a Debian 8.7 box.
>
> I followed the instructions described by Steve Thompson here
> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
> am able to create a Samba 4 domain account ('samba-tool user add ...
> --random-password ..') and then redefine the password directly using
> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
> script.
>
> As you may have noticed, I don't want to ask the users to type
> their passwords again, and I want to make sure that LDAP password and
> Samba domain password are always the same. On a second moment - after
> all accounts were created - I will keep it synchronized using a
> management software.
>
> 'smbclient' works (authenticates) normally. The problem is that I
> can't login into domain from a Windows 7 VM using the user and
> password I create using the scripts/commands from the thread I linked
> above.
>
> Besides, I can confirm that the 'unicodePwd' value generated by
> 'samba-tool user setpassword ...' is the same as the one generated
> by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
> things checked).
>
> Is there any other step I should take in order to get Windows logon
> working normally with the accounts I create that way?

My guess is that the Kerberos keys in supplementalCredentials have not been removed. Those are still set to the random password, and Windows 7 is using Kerberos.

The code in pdb_samba_dsdb that owns the OID you use always removes this attribute when setting that OID, so you need to as well.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Leonardo Bruno Lopes
2017-Apr-09 14:47 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Quoting Andrew Bartlett <abartlet at samba.org>:

> On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba
> wrote:
>> Hi everyone!
>>
>> I have a LDAP with all my users' accounts, each one with the
>> sambaNTPassword correctly defined. I also have a freshly installed
>> Samba 4.2 running on a Debian 8.7 box.
>>
>> I followed the instructions described by Steve Thompson here
>> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
>> am able to create a Samba 4 domain account ('samba-tool user add ...
>> --random-password ..') and then redefine the password directly using
>> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
>> script.
>>
>> As you may have noticed, I don't want to ask the users to type
>> their passwords again, and I want to make sure that LDAP password and
>> Samba domain password are always the same. On a second moment - after
>> all accounts were created - I will keep it synchronized using a
>> management software.
>>
>> 'smbclient' works (authenticates) normally. The problem is that I
>> can't login into domain from a Windows 7 VM using the user and
>> password I create using the scripts/commands from the thread I linked
>> above.
>>
>> Besides, I can confirm that the 'unicodePwd' value generated by
>> 'samba-tool user setpassword ...' is the same as the one generated
>> by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
>> things checked).
>>
>> Is there any other step I should take in order to get Windows logon
>> working normally with the accounts I create that way?
>
> My guess is that the Kerberos keys in supplementalCredentials have not
> been removed. Those are still set to the random password, and Windows
> 7 is using Kerberos.

Dear Andrew,

I confirmed that 'supplementalCredentials' has different values depending on whether I use 'samba-tool' or 'ldbmodify' to set the password. That seems to confirm your initial guess.

> The code in pdb_samba_dsdb that owns the OID you use always removes
> this attribute when setting that OID, so you need to as well.

Is there any chance that this could mean I only need to wipe 'supplementalCredentials' attribute -- I saw that it is possible -- after setting the password with 'ldbmodify'?

Unfortunately I can't get this tested until tomorrow.

By the way, congratulations guys, you have been doing such an awesome job with Samba and all this AD stuff, both coding and supporting.

> Thanks,

Thank you so much, really!
Leonardo

> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
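
The change Andrew Bartlett describes, sketched as an added example that is not part of any post in this thread nor Samba's own code: it turns a hex 'sambaNTPassword' value into an LDIF modify record that replaces 'unicodePwd' and clears 'supplementalCredentials' in the same operation, so no Kerberos keys derived from the random password are left behind. The function names, DNs and hash are constructed for illustration, and it is an assumption, not confirmed in this thread, that the DC accepts clearing 'supplementalCredentials' in the same 'ldbmodify' call.

```python
import base64
import binascii


def _ldif_attr(name: str, value: str) -> str:
    """Emit 'name: value', or base64 'name:: ...' when value is not an LDIF SAFE-STRING."""
    unsafe = (
        not value
        or value[0] in " :<"
        or value[-1] == " "
        or any(ord(c) < 32 or ord(c) > 126 for c in value)
    )
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def nt_hash_modify_ldif(dn: str, nt_hex: str) -> str:
    """Hypothetical helper: LDIF that sets unicodePwd from a hex NT hash and
    removes supplementalCredentials (the stale Kerberos keys)."""
    try:
        raw = binascii.unhexlify(nt_hex.strip())
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a hex NT hash for {dn!r}") from exc
    if len(raw) != 16:
        raise ValueError(f"NT hash must be 16 bytes, got {len(raw)} for {dn!r}")
    return "\n".join([
        _ldif_attr("dn", dn),
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + base64.b64encode(raw).decode("ascii"),
        "-",
        # 'replace' with no value removes the attribute if present and,
        # unlike 'delete', does not fail when it is already absent.
        "replace: supplementalCredentials",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample entries (DN -> sambaNTPassword), not real accounts.
    sample = {
        "CN=alice,CN=Users,DC=example,DC=com": "00112233445566778899aabbccddeeff",
        "CN=José,CN=Users,DC=example,DC=com": "ffeeddccbbaa99887766554433221100",
    }
    for dn, nt_hex in sample.items():
        print(nt_hash_modify_ldif(dn, nt_hex))
```

Feed the output to 'ldbmodify' with the same options used for the 'unicodePwd' change, then confirm with 'ldbsearch -H ... supplementalCredentials' that the attribute is gone before testing a Windows logon.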