Leonardo Bruno Lopes
2017-Apr-12 20:31 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Dear Andrew and List,

I posted here >>https://lists.samba.org/archive/samba/2017-April/207671.html<< that my problem was solved, but I have the following question:

What are the possible security issues that may come from removing the 'supplementalCredentials' attribute?

Thanks,
Leonardo

Quoting Andrew Bartlett <abartlet at samba.org>:

> On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba wrote:
>>
>> Dear Andrew,
>>
>> I confirmed that 'supplementalCredentials' has different values
>> depending on whether I use 'samba-tool' or 'ldbmodify' to set the
>> password. That seems to confirm your initial guess.
>>
>> > The code in pdb_samba_dsdb that owns the OID you use always removes
>> > this attribute when setting that OID, so you need to as well.
>>
>> Is there any chance that this could mean I only need to wipe
>> 'supplementalCredentials' attribute -- I saw that it is possible --
>> after setting the password with 'ldbmodify'? Unfortunately I can't get
>> this tested until tomorrow.
>
> Yes, that is my suggestion.
>
>> By the way, congratulations guys, you have been doing such an awesome
>> job with Samba and all this AD stuff, both coding and supporting.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrew Bartlett
2017-Apr-13 01:59 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
On Wed, 2017-04-12 at 20:31 +0000, Leonardo Bruno Lopes wrote:
> Dear Andrew and List,
>
> I posted here
> >>https://lists.samba.org/archive/samba/2017-April/207671.html<<
> that my problem was solved, but I have the following question:
>
> What are the possible security issues that may come from removing the
> 'supplementalCredentials' attribute?
>
> Thanks,
> Leonardo

The KDC will no longer be able to issue AES encrypted tickets, just as if you had just upgraded from a NT4-like/classic Samba domain.

Otherwise nothing too drastic at this time, but we might start storing more information there in the future, which is why this is an internal control not really intended for external use.

Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Leonardo Bruno Lopes
2017-Apr-13 12:08 UTC
[Samba] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM
Quoting Andrew Bartlett via samba <samba at lists.samba.org>:

> On Wed, 2017-04-12 at 20:31 +0000, Leonardo Bruno Lopes wrote:
>> Dear Andrew and List,
>>
>> I posted here
>> >>https://lists.samba.org/archive/samba/2017-April/207671.html<<
>> that my problem was solved, but I have the following question:
>>
>> What are the possible security issues that may come from removing the
>> 'supplementalCredentials' attribute?
>>
>> Thanks,
>> Leonardo
>
> The KDC will no longer be able to issue AES encrypted tickets, just as
> if you had just upgraded from a NT4-like/classic Samba domain.
>
> Otherwise nothing too drastic at this time, but we might start storing
> more information there in the future, which is why this is an internal
> control not really intended for external use.

Hi Andrew.

My password policy forces users to change their passwords every 12 months. So we hope soon to get this to the 'most correct use'.

Thank you so much.

Regards,
Leonardo

> Andrew Bartlett
>
> --
> Andrew Bartlett https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
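An added example, not part of the thread and not Samba project code: a small Python audit that reads LDIF text in the shape `ldbsearch` prints and lists the accounts whose 'supplementalCredentials' attribute is absent or empty, which per Andrew's reply are the accounts for which the KDC can no longer issue AES encrypted tickets. The function names, the sample records and the base64 placeholder are constructed for illustration, and it assumes the LDIF was exported by an administrator who can read that attribute.

```python
import base64

# Constructed sample; account names and the base64 placeholder are invented.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
supplementalCredentials:: QUFB
 QQ==

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName:: Y2Fyb2w=
supplementalCredentials:

# returned 3 records
"""

def parse_ldif(text):
    """Split LDIF into records: dict of lowercased attribute -> list of bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):      # "attr:: value" is base64-encoded
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip().encode()
            current.setdefault(attr.lower(), []).append(value)
    return records

def accounts_missing_supplemental_credentials(ldif_text):
    """Account names whose supplementalCredentials is absent or empty."""
    # Presence check only: the blob's contents are never decoded or inspected.
    return [rec["samaccountname"][0].decode("utf-8", "replace")
            for rec in parse_ldif(ldif_text)
            if rec.get("samaccountname")
            and not any(rec.get("supplementalcredentials", []))]
```

On the constructed sample the function returns bob (attribute absent) and carol (attribute present but empty), while alice is not reported.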