Leonardo Bruno Lopes
2017-Apr-09 14:47 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Quoting Andrew Bartlett <abartlet at samba.org>:
> On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba wrote:
>> Hi everyone!
>>
>> I have a LDAP with all my users' accounts, each one with the
>> sambaNTPassword correctly defined. I also have a freshly installed Samba
>> 4.2 running on a Debian 8.7 box.
>>
>> I followed the instructions described by Steve Thompson here
>> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I am able
>> to create a Samba 4 domain account ('samba-tool user add ...
>> --random-password ..') and then redefine the password directly using
>> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python script.
>>
>> As you may have noticed, I don't want to ask the users to type their
>> passwords again, and I want to make sure that the LDAP password and the Samba
>> domain password are always the same. Later on - after all accounts are
>> created - I will keep them synchronized using a management software.
>>
>> 'smbclient' works (authenticates) normally. The problem is that I can't
>> log into the domain from a Windows 7 VM using the user and password I create
>> using the scripts/commands from the thread I linked above.
>>
>> Besides, I can confirm that the 'unicodePwd' value generated by 'samba-tool
>> user setpassword ...' is the same as the one generated by the Python
>> script (I used 'ldbsearch -H ... unicodePwd' to get the things checked).
>>
>> Is there any other step I should take in order to get Windows logon working
>> normally with the accounts I create that way?
>
> My guess is that the Kerberos keys in supplementalCredentials have not
> been removed. Those are still set to the random password, and Windows
> 7 is using Kerberos.

Dear Andrew,

I confirmed that 'supplementalCredentials' has different values depending on whether I use 'samba-tool' or 'ldbmodify' to set the password. That seems to confirm your initial guess.

> The code in pdb_samba_dsdb that owns the OID you use always removes
> this attribute when setting that OID, so you need to as well.

Is there any chance that this could mean I only need to wipe the 'supplementalCredentials' attribute -- I saw that it is possible -- after setting the password with 'ldbmodify'? Unfortunately I can't get this tested until tomorrow.

By the way, congratulations guys, you have been doing such an awesome job with Samba and all this AD stuff, both coding and supporting.

> Thanks,

Thank you so much, really!

Leonardo

> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
> --
> This message has been checked by the antivirus system and is believed to be free of danger.
Rowland Penny
2017-Apr-09 15:12 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
On Sun, 09 Apr 2017 14:47:59 +0000 Leonardo Bruno Lopes via samba <samba at lists.samba.org> wrote:
> Is there any chance that this could mean I only need to wipe the
> 'supplementalCredentials' attribute -- I saw that it is possible --
> after setting the password with 'ldbmodify'? Unfortunately I can't get
> this tested until tomorrow.
>

try using something like this in your script:

ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=User,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: xxxxxxxxxxxxxxxxxxxxxxxx
-
EOF

Making the obvious changes of course ;-)

Rowland
Leonardo Bruno Lopes
2017-Apr-09 19:15 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Quoting Rowland Penny via samba <samba at lists.samba.org>:
> On Sun, 09 Apr 2017 14:47:59 +0000
> Leonardo Bruno Lopes via samba <samba at lists.samba.org> wrote:
>
>> Is there any chance that this could mean I only need to wipe the
>> 'supplementalCredentials' attribute -- I saw that it is possible --
>> after setting the password with 'ldbmodify'? Unfortunately I can't get
>> this tested until tomorrow.
>>
>
> try using something like this in your script:
>
> ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
> dn: CN=User,CN=Users,DC=samdom,DC=example,DC=com
> changetype: modify
> replace: unicodePwd
> unicodePwd:: xxxxxxxxxxxxxxxxxxxxxxxx
> -
> EOF
>
> Making the obvious changes of course ;-)

Yes, that is exactly what I did. But I haven't tested yet if this solves the Windows login problem. Anyway, thank you so much :D

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2017-Apr-09 19:29 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba wrote:
>
> Dear Andrew,
>
> I confirmed that 'supplementalCredentials' has different values
> depending on whether I use 'samba-tool' or 'ldbmodify' to set the
> password. That seems to confirm your initial guess.
>
> > The code in pdb_samba_dsdb that owns the OID you use always removes
> > this attribute when setting that OID, so you need to as well.
>
> Is there any chance that this could mean I only need to wipe the
> 'supplementalCredentials' attribute -- I saw that it is possible --
> after setting the password with 'ldbmodify'? Unfortunately I can't get
> this tested until tomorrow.

Yes, that is my suggestion.

> By the way, congratulations guys, you have been doing such an awesome
> job with Samba and all this AD stuff, both coding and supporting.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrew Bartlett
2017-Apr-09 19:31 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
On Sun, 2017-04-09 at 16:12 +0100, Rowland Penny via samba wrote:
> On Sun, 09 Apr 2017 14:47:59 +0000
> Leonardo Bruno Lopes via samba <samba at lists.samba.org> wrote:
>
> > Is there any chance that this could mean I only need to wipe the
> > 'supplementalCredentials' attribute -- I saw that it is possible --
> > after setting the password with 'ldbmodify'? Unfortunately I can't
> > get this tested until tomorrow.
> >
>
> try using something like this in your script:

More like:

ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=User,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: xxxxxxxxxxxxxxxxxxxxxxxx
-
delete: supplementalCredentials
-
EOF

Should do it.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Leonardo Bruno Lopes
2017-Apr-10 21:24 UTC
[Samba] [Solved] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Quoting Andrew Bartlett <abartlet at samba.org>:
> On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba wrote:
>>
>> Dear Andrew,
>>
>> I confirmed that 'supplementalCredentials' has different values
>> depending on whether I use 'samba-tool' or 'ldbmodify' to set the
>> password. That seems to confirm your initial guess.
>>
>> > The code in pdb_samba_dsdb that owns the OID you use always removes
>> > this attribute when setting that OID, so you need to as well.
>>
>> Is there any chance that this could mean I only need to wipe the
>> 'supplementalCredentials' attribute -- I saw that it is possible --
>> after setting the password with 'ldbmodify'? Unfortunately I can't get
>> this tested until tomorrow.
>
> Yes, that is my suggestion.

Dear Andrew,

I tested the solution you suggested and I can confirm that it works. Here are the use case and the workaround I used, as this can be useful to someone else:

1. I have my users' passwords hashed as 'sambaNTPassword' in a LDAP server.

2. I want to create the users' accounts in my new Samba 4 AD using the 'sambaNTPassword' I already have.

3. So I:

3.1 Create the account with 'samba-tool user add ... --random-password ..'

3.2 Encode the 'sambaNTPassword' value and put it on the 'unicodePwd' Samba/LDB attribute using this (from https://lists.samba.org/archive/samba/2014-June/182196.html):

#!/usr/bin/env python
import base64
import binascii
import sys

# Argument: the sambaNTPassword value from LDAP (32 hex characters)
ldap_samba_nt_password = sys.argv[1]
# unicodePwd:: expects the raw 16-byte NT hash, base64-encoded
b64_hash = base64.b64encode(binascii.a2b_hex(ldap_samba_nt_password))
print(b64_hash.decode("ascii"))

# ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=user,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: <value from python script>
-
EOF

3.3 Finally, I remove the 'supplementalCredentials' Samba/LDB attribute using this:

# ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=user,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
delete: supplementalCredentials
-
EOF

4. Both Windows 7 and 10 authenticate perfectly.

Just one more question: what possible security issues may come from removing the 'supplementalCredentials' attribute?

And, one more time, lots of thanks!

Leonardo

>
>> By the way, congratulations guys, you have been doing such an awesome
>> job with Samba and all this AD stuff, both coding and supporting.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
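The single-run variant Andrew suggested (unicodePwd replaced and supplementalCredentials deleted in one ldbmodify record), combining steps 3.2 and 3.3 above, as an added example that is not part of the thread and not Samba's own tooling. The DN, the sam.ldb path and the sample NT hash are assumptions/constructed values; the helper validates that the sambaNTPassword value really is a 16-byte hash before encoding it.

```python
#!/usr/bin/env python3
"""Added example: build and apply the combined unicodePwd/supplementalCredentials change."""
import base64
import binascii
import re
import subprocess

# Samba's local control from the thread, which lets unicodePwd be written as a raw NT hash.
BYPASS_CONTROL = "local_oid:1.3.6.1.4.1.7165.4.3.12:0"
_NT_HASH_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def nt_hash_to_unicode_pwd(nt_hash_hex):
    """sambaNTPassword (32 hex chars) -> base64 text that follows 'unicodePwd::' in LDIF.
    Anything that is not exactly 16 bytes of hex is refused instead of being written."""
    if not _NT_HASH_HEX.match(nt_hash_hex):
        raise ValueError("sambaNTPassword must be exactly 32 hex characters")
    return base64.b64encode(binascii.unhexlify(nt_hash_hex)).decode("ascii")


def build_ldif(dn, nt_hash_hex):
    """One 'changetype: modify' record: replace unicodePwd, then delete
    supplementalCredentials; each mod-spec is closed by its own '-' separator."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + nt_hash_to_unicode_pwd(nt_hash_hex),
        "-",
        "delete: supplementalCredentials",
        "-",
        "",
    ])


def apply_ldif(ldif, sam_ldb="/usr/local/samba/private/sam.ldb"):
    """Feed the LDIF to ldbmodify on stdin (needs a Samba DC; not exercised offline).
    Caveat (known Samba behaviour, not stated in the thread): supplementalCredentials
    also holds the AES Kerberos keys, so after deleting it the KDC only has the
    RC4-HMAC key (the NT hash) until the user's next password change recreates them."""
    return subprocess.run(
        ["ldbmodify", "-H", sam_ldb, "--controls=" + BYPASS_CONTROL],
        input=ldif, text=True, capture_output=True, check=True,
    )


if __name__ == "__main__":
    # Constructed sample: the well-known NT hash of the string "password".
    print(build_ldif("CN=user,CN=Users,DC=samdom,DC=example,DC=com",
                     "8846f7eaee8fb117ad06bdd830b7586c"))
```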
Leonardo Bruno Lopes
2017-Apr-12 20:31 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Dear Andrew and List,

I posted here >>https://lists.samba.org/archive/samba/2017-April/207671.html<< that my problem was solved, but I have the following question:

What are the possible security issues that may come from removing the 'supplementalCredentials' attribute?

Thanks,

Leonardo

Quoting Andrew Bartlett <abartlet at samba.org>:
> On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba wrote:
>>
>> Dear Andrew,
>>
>> I confirmed that 'supplementalCredentials' has different values
>> depending on whether I use 'samba-tool' or 'ldbmodify' to set the
>> password. That seems to confirm your initial guess.
>>
>> > The code in pdb_samba_dsdb that owns the OID you use always removes
>> > this attribute when setting that OID, so you need to as well.
>>
>> Is there any chance that this could mean I only need to wipe the
>> 'supplementalCredentials' attribute -- I saw that it is possible --
>> after setting the password with 'ldbmodify'? Unfortunately I can't get
>> this tested until tomorrow.
>
> Yes, that is my suggestion.
>
>> By the way, congratulations guys, you have been doing such an awesome
>> job with Samba and all this AD stuff, both coding and supporting.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba