roudoudou
2008-Sep-08 03:48 UTC
[Samba] wrong userPassword hash generated by smbpasswd (pam_password=exop and smbk5pwd ) on a samba+ldap PDC running on FreeBSD
Hello everybody,

I set up a Samba 3.0.X (3.0.32 right now) PDC with an LDAP backend running on FreeBSD 6.3 some time ago, and users can't log in on a Unix box when their password, modified from Windows, includes a non-ASCII character (such as a French letter like "?", for example).

I guess that there must be some kind of charset issue, but I just don't know how to debug this issue :-/ So I would be thankful to anyone who could help me with it.

I post here the information I've collected so far, hoping that it is relevant... It seems that everything works fine when using smbldap-passwd instead of smbpasswd for modifying the Unix/Windows password?!

Thanks!

--
# locale
LANG=fr_FR.ISO8859-15
LC_CTYPE="fr_FR.ISO8859-15"
LC_COLLATE="fr_FR.ISO8859-15"
LC_TIME="fr_FR.ISO8859-15"
LC_NUMERIC="fr_FR.ISO8859-15"
LC_MONETARY="fr_FR.ISO8859-15"
LC_MESSAGES="fr_FR.ISO8859-15"
LC_ALL

# smbpasswd testuser (#password here is "mdp")
New SMB password:
Retype new SMB password:

# smbldap-usershow testuser
dn: (...)
(...)
shadowLastChange: 14130
userPassword: {CRYPT}$1$lehDK9Nt$cIXRIoy4LWQJSXtzCmwyB1
sambaPwdLastSet: 1220843814
sambaLMPassword: 468f587067043edcaad3b435b51404ee
sambaNTPassword: 97c438f12af3ffc2f22bedc986962e6b

# openssl passwd -1 -salt 'lehDK9Nt'
Password: (input "mdp" as password)
$1$lehDK9Nt$cIXRIoy4LWQJSXtzCmwyB1

# smbclient -U testuser -L mypdc
Password:
(...)
testuser Disk Dossiers des utilisateurs du domaine
#

So everything is OK when using a password with only ASCII characters.
--

But if the user ever adds an extended ASCII character such as "?", the userPassword hash generated is wrong and the user can no longer log in on a Unix box (Windows login works fine):

--
# smbpasswd testuser (#password here is "mdp?")
New SMB password:
Retype new SMB password:

# smbldap-usershow testuser
dn: (...)
(...)
shadowLastChange: 14130
userPassword: {CRYPT}$1$w8UpPdhA$GjVBkGHTMmMMangBh8bqN0
sambaPwdLastSet: 1220844214
sambaLMPassword: 95bbbebfe631db91aad3b435b51404ee
sambaNTPassword: 0ffc151c0c48e8dc9e64e224dc080c6a

# openssl passwd -1 -salt 'w8UpPdhA'
Password: (input "mdp?" as password)
$1$w8UpPdhA$Ykv5oOAYnTQknCjVF5kJc1
(the hash generated by smbpasswd is different than the one generated by openssl -1 despite using the same salt string)

# smbclient -U testuser -L mypdc (but windows login still works fine)
Password:
(...)
testuser Disk Dossiers des utilisateurs du domaine
#

I'm just wondering why smbpasswd generates a wrong hash whenever there's a non-ASCII character in the password??
--

Here is part of the samba+ldap config:

--
/usr/local/etc/nss_ldap.conf:
--
* ls -l /usr/local/etc/ldap.conf
/usr/local/etc/ldap.conf -> nss_ldap.conf

* Excerpt from the nss_ldap.conf file
pam_password clear
pam_password exop
nss_base_passwd ou=People,dc=XXXX?one
nss_base_passwd ou=Hosts,dc=XXXX?one
nss_base_shadow ou=People,dc=XXXX?one
nss_base_group ou=Group,dc=XXXX?one
ssl start_tls
tls_checkpeer yes

--
/usr/local/etc/openldap/slapd.conf (the ldap server is on another box):
--
moduleload smbk5pwd.so
security tls=1
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
database bdb
#(...)
overlay smbk5pwd
--
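
One way to test the charset hypothesis raised in the post above: re-hash the known password under several byte encodings with the salt taken from the stored userPassword value, and report which encoding reproduces it. This is an added example, not part of the original post or of Samba/OpenLDAP; the function names, the candidate charset list and the "\u00e9" character (a stand-in, since the archive shows only "?") are assumptions.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(pw: bytes, salt: bytes) -> str:
    """MD5-crypt ($1$) computed over the raw password bytes, as crypt(3) sees them."""
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    i = len(pw)
    while i:  # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        out += "".join(ITOA64[v >> s & 0x3F] for s in (0, 6, 12, 18))
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return "$1$" + salt.decode("ascii") + "$" + out

def matching_charsets(stored, password, charsets=("iso8859_15", "utf-8", "cp850")):
    """Return the charsets whose encoding of `password` reproduces `stored`."""
    salt = stored.split("$")[2].encode("ascii")
    target = stored[stored.index("$1$"):]  # drop a leading {CRYPT} scheme tag
    hits = []
    for cs in charsets:
        try:
            if md5crypt(password.encode(cs), salt) == target:
                hits.append(cs)
        except UnicodeEncodeError:
            pass  # character not representable in this charset
    return hits

if __name__ == "__main__":
    # Stored values copied from the post; "\u00e9" is a constructed stand-in character.
    print(matching_charsets("{CRYPT}$1$lehDK9Nt$cIXRIoy4LWQJSXtzCmwyB1", "mdp"))
    print(matching_charsets("{CRYPT}$1$w8UpPdhA$GjVBkGHTMmMMangBh8bqN0", "mdp\u00e9"))
```

An empty result for the second call only means none of the listed encodings of that stand-in character was the one hashed; substitute the real password and extend the charset list as needed.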