Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM


Samba - General mailing list
Hi everyone!

I have an LDAP with all my users' accounts, each one with the
sambaNTPassword correctly defined. I also have a freshly installed Samba
4.2 running on a Debian 8.7 box.

I followed the instructions described by Steve Thompson here
<https://lists.samba.org/archive/samba/2014-June/182196.html> and I am able
to create a Samba 4 domain account ('samba-tool user add ...
--random-password ..') and then redefine the password directly using
'ldbmodify' and the sambaNTPassword value 'hashed' by the Python script.

As you may have noticed, I don't want to ask for the users to type their
passwords again, and I want to make sure that LDAP password and Samba
domain password are always the same. On a second moment - after all
accounts were created - I will keep it synchronized using a management
software.

'smbclient' works (authenticates) normally. The problem is that I can't
login into domain from a Windows 7 VM using the user and password I create
using the scripts/commands from the thread I linked above.

Besides, I can confirm that the 'unicodePwd' value generated by 'samba-tool
user setpassword ...' is the same as the one generated by the Python
script (I used 'ldbsearch -H ... unicodePwd' to get the things checked).

Is there any other step I should take in order to get Windows logon working
normally with the accounts I create that way?

Thanks in advance, regards.
Leonardo

--
This message has been scanned by the antivirus system and
 is believed to be free of danger.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

On Fri, 07 Apr 2017 20:32:37 +0000
Leonardo Bruno Lopes via samba <[hidden email]> wrote:

> Hi everyone!
>
> I have an LDAP with all my users' accounts, each one with the
> sambaNTPassword correctly defined. I also have a freshly installed
> Samba 4.2 running on a Debian 8.7 box.
>
> I followed the instructions described by Steve Thompson here
> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
> am able to create a Samba 4 domain account ('samba-tool user add ...
> --random-password ..') and then redefine the password directly using
> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
> script.
>
> As you may have noticed, I don't want to ask for the users to type
> their passwords again, and I want to make sure that LDAP password and
> Samba domain password are always the same. On a second moment - after
> all accounts were created - I will keep it synchronized using a
> management software.
>
> 'smbclient' works (authenticates) normally. The problem is that I
> can't login into domain from a Windows 7 VM using the user and
> password I create using the scripts/commands from the thread I linked
> above.
>
> Besides, I can confirm that the 'unicodePwd' value generated by
> 'samba-tool user setpassword ...' is the same as the one generated
> by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
> things checked).
>
> Is there any other step I should take in order to get Windows logon
> working normally with the accounts I create that way?
>
> Thanks in advance, regards.
> Leonardo
>

I have never tried this, but from my understanding, what you have
posted should work. I wonder if it is just something as simple as
the old LDAP passwords not being complex enough?

Try running this on the DC:

samba-tool domain passwordsettings --complexity=off

If this cures the problem, then you have the answer, it is then up to
you to decide how to proceed, stay with the old passwords or make your
users change them.

Rowland

Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Thank you so much, Rowland.

I disabled the complexity using the command you suggested (just added 'set',
I mean, 'samba-tool domain passwordsettings set --complexity=off').

'smbclient' still works, no surprise here. However I can't test the Windows
login right now. For some weird reason I can't open Windows VMs through
VPN. As soon as I have some additional information I will let you and the
list know.

About the complexity setting itself, I suppose it turns off the Samba
password complexity verification while re/setting passwords. It would not
be a problem as the software I (will) use to maintain the accounts already
has some complexity rules. In fact, the passwords I have in my LDAP (in the
'sambaNTPassword' attribute) are complex enough to be used by Samba AD.

Thanks again!
Leonardo

Quoting Rowland Penny <[hidden email]>:

> On Fri, 07 Apr 2017 20:32:37 +0000
> Leonardo Bruno Lopes via samba <[hidden email]> wrote:
>
>> Hi everyone!
>>
>> I have an LDAP with all my users' accounts, each one with the
>> sambaNTPassword correctly defined. I also have a freshly installed
>> Samba 4.2 running on a Debian 8.7 box.
>>
>> I followed the instructions described by Steve Thompson here
>> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
>> am able to create a Samba 4 domain account ('samba-tool user add ...
>> --random-password ..') and then redefine the password directly using
>> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
>> script.
>>
>> As you may have noticed, I don't want to ask for the users to type
>> their passwords again, and I want to make sure that LDAP password and
>> Samba domain password are always the same. On a second moment - after
>> all accounts were created - I will keep it synchronized using a
>> management software.
>>
>> 'smbclient' works (authenticates) normally. The problem is that I
>> can't login into domain from a Windows 7 VM using the user and
>> password I create using the scripts/commands from the thread I linked
>> above.
>>
>> Besides, I can confirm that the 'unicodePwd' value generated by
>> 'samba-tool user setpassword ...' is the same as the one generated
>> by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
>> things checked).
>>
>> Is there any other step I should take in order to get Windows logon
>> working normally with the accounts I create that way?
>>
>> Thanks in advance, regards.
>> Leonardo
>
> I have never tried this, but from my understanding, what you have
> posted should work. I wonder if it is just something as simple as
> the old LDAP passwords not being complex enough?
>
> Try running this on the DC:
>
> samba-tool domain passwordsettings --complexity=off
>
> If this cures the problem, then you have the answer, it is then up to
> you to decide how to proceed, stay with the old passwords or make your
> users change them.
>
> Rowland
>

Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

On Sat, 08 Apr 2017 16:53:09 +0000
Leonardo Bruno Lopes <[hidden email]> wrote:

>   Thank you so much, Rowland.
>
> I disabled the complexity using the command you suggested (just added
> 'set', I mean, 'samba-tool domain passwordsettings set
> --complexity=off').
>
> 'smbclient' still works, no surprise here. However I can't test the
> Windows login right now. For some weird reason I can't open Windows
> VMs through VPN. As soon as I have some additional information I will
> let you and the list know.
>
> About the complexity setting itself, I suppose it turns off the Samba
> password complexity verification while re/setting passwords.

No, it just stops Samba requiring complex passwords at any point.
 
> It would
> not be a problem as the software I (will) use to maintain the
> accounts already has some complexity rules. In fact, the passwords I
> have in my LDAP (in the 'sambaNTPassword' attribute) are complex
> enough to be used by Samba AD.

If they are, then this is not your problem, but testing from a windows
client will prove this, one way or the other.

Rowland


Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba
wrote:

> Hi everyone!
>
> I have an LDAP with all my users' accounts, each one with the
> sambaNTPassword correctly defined. I also have a freshly installed
> Samba 4.2 running on a Debian 8.7 box.
>
> I followed the instructions described by Steve Thompson here
> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
> am able to create a Samba 4 domain account ('samba-tool user add ...
> --random-password ..') and then redefine the password directly using
> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
> script.
>
> As you may have noticed, I don't want to ask for the users to type
> their passwords again, and I want to make sure that LDAP password and
> Samba domain password are always the same. On a second moment - after
> all accounts were created - I will keep it synchronized using a
> management software.
>
> 'smbclient' works (authenticates) normally. The problem is that I
> can't login into domain from a Windows 7 VM using the user and
> password I create using the scripts/commands from the thread I linked
> above.
>
> Besides, I can confirm that the 'unicodePwd' value generated by
> 'samba-tool user setpassword ...' is the same as the one generated
> by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
> things checked).
>
> Is there any other step I should take in order to get Windows logon
> working
> normally with the accounts I create that way?

My guess is that the Kerberos keys in supplementalCredentials have not
been removed.  Those are still set to the random password, and windows
7 is using Kerberos.

The code in pdb_samba_dsdb that owns the OID you use always removes
this attribute when setting that OID, so you need to as well.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Quoting Andrew Bartlett <[hidden email]>:

> On Fri, 2017-04-07 at 20:32 +0000, Leonardo Bruno Lopes via samba
> wrote:
>> Hi everyone!
>>
>> I have an LDAP with all my users' accounts, each one with the
>> sambaNTPassword correctly defined. I also have a freshly installed
>> Samba 4.2 running on a Debian 8.7 box.
>>
>> I followed the instructions described by Steve Thompson here
>> <https://lists.samba.org/archive/samba/2014-June/182196.html> and I
>> am able to create a Samba 4 domain account ('samba-tool user add ...
>> --random-password ..') and then redefine the password directly using
>> 'ldbmodify' and the sambaNTPassword value 'hashed' by the Python
>> script.
>>
>> As you may have noticed, I don't want to ask for the users to type
>> their passwords again, and I want to make sure that LDAP password and
>> Samba domain password are always the same. On a second moment - after
>> all accounts were created - I will keep it synchronized using a
>> management software.
>>
>> 'smbclient' works (authenticates) normally. The problem is that I
>> can't login into domain from a Windows 7 VM using the user and
>> password I create using the scripts/commands from the thread I linked
>> above.
>>
>> Besides, I can confirm that the 'unicodePwd' value generated by
>> 'samba-tool user setpassword ...' is the same as the one generated
>> by the Python script (I used 'ldbsearch -H ... unicodePwd' to get the
>> things checked).
>>
>> Is there any other step I should take in order to get Windows logon
>> working
>> normally with the accounts I create that way?
>
> My guess is that the Kerberos keys in supplementalCredentials have not
> been removed.  Those are still set to the random password, and windows
> 7 is using Kerberos.

Dear Andrew,

I confirmed that 'supplementalCredentials' has different values  
depending on whether I use 'samba-tool' or 'ldbmodify' to set the  
password. That seems to confirm your initial guess.

> The code in pdb_samba_dsdb that owns the OID you use always removes
> this attribute when setting that OID, so you need to as well.

Is there any chance that this could mean I only need to wipe
'supplementalCredentials' attribute -- I saw that it is possible --
after setting the password with 'ldbmodify'? Unfortunately I can't get
this tested until tomorrow.

By the way, congratulations guys, you have been doing such an awesome  
job with Samba and all this AD stuff, both coding and supporting.

> Thanks,

Thank you so much, really!
Leonardo

> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>

Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

On Sun, 09 Apr 2017 14:47:59 +0000
Leonardo Bruno Lopes via samba <[hidden email]> wrote:



> Is there any chance that this could mean I only need to wipe  
> 'supplementalCredentials' attribute -- I saw that it is possible --  
> after set the password with 'ldbmodify'? Unfortunately I can't get  
> this tested until tomorrow.
>

try using something like this in your script:

ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=User,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: xxxxxxxxxxxxxxxxxxxxxxxx
-
EOF

Making the obvious changes of course ;-)

Rowland

Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Quoting Rowland Penny via samba <[hidden email]>:

> On Sun, 09 Apr 2017 14:47:59 +0000
> Leonardo Bruno Lopes via samba <[hidden email]> wrote:
>
>
>
>> Is there any chance that this could mean I only need to wipe
>> 'supplementalCredentials' attribute -- I saw that it is possible --
>> after set the password with 'ldbmodify'? Unfortunately I can't get
>> this tested until tomorrow.
>>
>
> try using something like this in your script:
>
> ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
> dn: CN=User,CN=Users,DC=samdom,DC=example,DC=com
> changetype: modify
> replace: unicodePwd
> unicodePwd:: xxxxxxxxxxxxxxxxxxxxxxxx
> -
> EOF
>
> Making the obvious changes of course ;-)

Yes, that is exactly what I did.

But I haven't tested yet if this solves the Windows login problem.

Anyway, thank you so much :D

>
> Rowland
>

Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba
wrote:

>
> Dear Andrew,
>
> I confirmed that 'supplementalCredentials' has different values  
> depending on whether I use 'samba-tool' or 'ldbmodify' to set the  
> password. That seems to confirm your initial guess.
>
> > The code in pdb_samba_dsdb that owns the OID you use always removes
> > this attribute when setting that OID, so you need to as well.
>
> Is there any chance that this could mean I only need to wipe  
> 'supplementalCredentials' attribute -- I saw that it is possible --  
> after set the password with 'ldbmodify'? Unfortunately I can't get  
> this tested until tomorrow.

Yes, that is my suggestion.

> By the way, congratulations guys, you have been doing such an
> awesome  
> job with Samba and all this AD stuff, both coding and supporting.

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

On Sun, 2017-04-09 at 16:12 +0100, Rowland Penny via samba wrote:

> On Sun, 09 Apr 2017 14:47:59 +0000
> Leonardo Bruno Lopes via samba <[hidden email]> wrote:
>
>
>
> > Is there any chance that this could mean I only need to wipe  
> > 'supplementalCredentials' attribute -- I saw that it is possible
> > --  
> > after set the password with 'ldbmodify'? Unfortunately I can't
> > get  
> > this tested until tomorrow.
> >
>
> try using something like this in your script:

More like:

ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=User,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: xxxxxxxxxxxxxxxxxxxxxxxx
-
delete: supplementalCredentials
-
EOF

Should do it.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Quoting Andrew Bartlett via samba <[hidden email]>:

> On Sun, 2017-04-09 at 16:12 +0100, Rowland Penny via samba wrote:
>> On Sun, 09 Apr 2017 14:47:59 +0000
>> Leonardo Bruno Lopes via samba <[hidden email]> wrote:
>>
>>
>>
>> > Is there any chance that this could mean I only need to wipe  
>> > 'supplementalCredentials' attribute -- I saw that it is possible
>> > --  
>> > after set the password with 'ldbmodify'? Unfortunately I can't
>> > get  
>> > this tested until tomorrow.
>> >
>>
>> try using something like this in your script:
>
> More like:
>
> ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
> dn: CN=User,CN=Users,DC=samdom,DC=example,DC=com
> changetype: modify
> replace: unicodePwd
> unicodePwd:: xxxxxxxxxxxxxxxxxxxxxxxx
> -
> delete: supplementalCredentials
> -
> EOF
>
> Should do it,

Thanks again, Andrew.

This -- from LDIF/LDAP docs -- will also delete the  
'supplementalCredentials' attribute:

ldbmodify -H /var/lib/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=User,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
replace: supplementalCredentials
-
EOF

Just for the record,

Leonardo

> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>

Re: [Solved] Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Quoting Andrew Bartlett <[hidden email]>:

> On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba
> wrote:
>>
>> Dear Andrew,
>>
>> I confirmed that 'supplementalCredentials' has different values  
>> depending on whether I use 'samba-tool' or 'ldbmodify' to set the  
>> password. That seems to confirm your initial guess.
>>
>> > The code in pdb_samba_dsdb that owns the OID you use always removes
>> > this attribute when setting that OID, so you need to as well.
>>
>> Is there any chance that this could mean I only need to wipe  
>> 'supplementalCredentials' attribute -- I saw that it is possible --  
>> after set the password with 'ldbmodify'? Unfortunately I can't get  
>> this tested until tomorrow.
>
> Yes, that is my suggestion.

Dear Andrew,

I tested the solution you suggested and I can confirm that it works.

Here are the use case and the workaround I used, as this can be useful
to someone else:

1. I have my users' passwords hashed as 'sambaNTPassword' in a LDAP server.
2. I want to create the users' account in my new Samba 4 AD using the
'sambaNTPassword' I already have.
3. So I:
   3.1 Create the account with 'samba-tool user add ... --random-password ..'
   3.2 Encode the 'sambaNTPassword' value and put it on the
'unicodePwd' Samba/LDB attribute using this: (from
https://lists.samba.org/archive/samba/2014-June/182196.html)

  #!/usr/bin/env python3
  import base64
  import binascii
  import sys

  # Hex NT hash taken from the LDAP 'sambaNTPassword' attribute
  ldap_samba_nt_password = sys.argv[1]
  # Base64 of the raw hash bytes, for the 'unicodePwd::' LDIF line
  b64_hash = base64.b64encode(binascii.a2b_hex(ldap_samba_nt_password))
  print(b64_hash.decode("ascii"))

  # ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
  dn: CN=user,CN=Users,DC=samdom,DC=example,DC=com
  changetype: modify
  replace: unicodePwd
  unicodePwd:: <value from python script>
  -
  EOF

   3.3 Finally, I remove the 'supplementalCredentials' Samba/LDB
attribute using this:

  # ldbmodify -H /usr/local/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
  dn: CN=user,CN=Users,DC=samdom,DC=example,DC=com
  changetype: modify
  delete: supplementalCredentials
  -
  EOF

4. Both the Windows 7 and 10 authenticate perfectly.

Just one more question: what possible security issues may come from  
removing the 'supplementalCredentials' attribute?

And, one more time, lots of thanks!

Leonardo

>
>> By the way, congratulations guys, you have been doing such an
>> awesome  
>> job with Samba and all this AD stuff, both coding and supporting.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
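
Added example (not part of the original post and not Samba project code): steps 3.2 and 3.3 of the workaround above combined into one LDIF modify record per account, with the hash and the DN validated before anything is handed to ldbmodify. The function names, sample DNs and sample hash values are constructed for illustration.

```python
#!/usr/bin/env python3
"""Build one LDIF modification per account for ldbmodify (added example)."""
import base64
import binascii
import re

# Control quoted in the thread; pass it as --controls=<this value>.
HASH_CONTROL = "local_oid:1.3.6.1.4.1.7165.4.3.12:0"

_NT_HASH_RE = re.compile(r"[0-9A-Fa-f]{32}")


def nt_hash_to_unicodepwd(hex_hash):
    """Base64 of the raw 16-byte NT hash, as the thread's script prints it."""
    hex_hash = hex_hash.strip()
    if not _NT_HASH_RE.fullmatch(hex_hash):
        # Keep the offending value out of the message: it is password-equivalent.
        raise ValueError("sambaNTPassword is not 32 hex digits")
    return base64.b64encode(binascii.unhexlify(hex_hash)).decode("ascii")


def ldif_dn_line(dn):
    """Emit the dn line safely: refuse control characters, base64 unsafe DNs."""
    if not dn or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in dn):
        # A newline in a DN read from the source directory would add
        # extra LDIF lines to the modification.
        raise ValueError("DN is empty or contains control characters")
    if dn.isascii() and dn[0] not in " :<" and not dn.endswith(" "):
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def build_entry(dn, hex_hash):
    """Steps 3.2 and 3.3 as a single modify record."""
    return "\n".join([
        ldif_dn_line(dn),
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + nt_hash_to_unicodepwd(hex_hash),
        "-",
        "delete: supplementalCredentials",
        "-",
        "",
    ])


def build_ldif(accounts):
    """accounts: iterable of (dn, hex_hash). Returns (ldif_text, rejected)."""
    entries, rejected = [], []
    for dn, hex_hash in accounts:
        try:
            entries.append(build_entry(dn, hex_hash))
        except ValueError as exc:
            rejected.append((dn, str(exc)))
    # Joining with a newline leaves one blank line between records.
    return "\n".join(entries), rejected


# Constructed sample input: the DNs and hash values are made up for this example.
SAMPLE_ACCOUNTS = [
    ("CN=alice,CN=Users,DC=samdom,DC=example,DC=com",
     "00112233445566778899aabbccddeeff"),
    ("CN=José,CN=Users,DC=samdom,DC=example,DC=com",
     "FFEEDDCCBBAA99887766554433221100"),
    ("CN=bob,CN=Users,DC=samdom,DC=example,DC=com", "0011"),  # truncated hash
    ("CN=carol,CN=Users\ninjected: line", "00112233445566778899aabbccddeeff"),
]

if __name__ == "__main__":
    ldif, rejected = build_ldif(SAMPLE_ACCOUNTS)
    # The output is password-equivalent: pipe it straight into
    #   ldbmodify -H <path to sam.ldb> --controls=<HASH_CONTROL>
    # instead of leaving it in a readable file.
    print(ldif)
    for dn, reason in rejected:
        print("# rejected %r: %s" % (dn, reason))
```

As noted later in the thread, the KDC cannot issue AES-encrypted tickets for accounts whose 'supplementalCredentials' has been removed.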

Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Dear Andrew and List,

I posted here
 >>https://lists.samba.org/archive/samba/2017-April/207671.html<< that
my problem was solved, but I have the following question:

What are the possible security issues that may come from removing the
'supplementalCredentials' attribute?

Thanks,
Leonardo


Quoting Andrew Bartlett <[hidden email]>:

> On Sun, 2017-04-09 at 14:47 +0000, Leonardo Bruno Lopes via samba
> wrote:
>>
>> Dear Andrew,
>>
>> I confirmed that 'supplementalCredentials' has different values  
>> depending on whether I use 'samba-tool' or 'ldbmodify' to set the  
>> password. That seems to confirm your initial guess.
>>
>> > The code in pdb_samba_dsdb that owns the OID you use always removes
>> > this attribute when setting that OID, so you need to as well.
>>
>> Is there any chance that this could mean I only need to wipe  
>> 'supplementalCredentials' attribute -- I saw that it is possible --  
>> after set the password with 'ldbmodify'? Unfortunately I can't get  
>> this tested until tomorrow.
>
> Yes, that is my suggestion.
>
>> By the way, congratulations guys, you have been doing such an
>> awesome  
>> job with Samba and all this AD stuff, both coding and supporting.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>

Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

On Wed, 2017-04-12 at 20:31 +0000, Leonardo Bruno Lopes wrote:

> Dear Andrew and List,
>
> I posted here
>  >>https://lists.samba.org/archive/samba/2017-April/207671.html<<
> that my problem was solved, but I have the following question:
>
> What are the possible security issues that may come from removing
> the 'supplementalCredentials' attribute?
>
> Thanks,
> Leonardo

The KDC will no longer be able to issue AES encrypted tickets, just as
if you had just upgraded from a NT4-like/classic Samba domain.

Otherwise nothing too drastic at this time, but we might start storing
more information there in the future, which is why this is an internal
control not really intended for external use.

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba





Re: Samba 4 account with a 'ldbmodify-ed' password does not login into domain from a Windows 7 VM

Quoting Andrew Bartlett via samba <[hidden email]>:

> On Wed, 2017-04-12 at 20:31 +0000, Leonardo Bruno Lopes wrote:
>> Dear Andrew and List,
>>
>> I posted here
>>  >>https://lists.samba.org/archive/samba/2017-April/207671.html<<
>> that my problem was solved, but I have the following question:
>>
>> What are the possible security issues that may come from removing
>> the 'supplementalCredentials' attribute?
>>
>> Thanks,
>> Leonardo
>
> The KDC will no longer be able to issue AES encrypted tickets, just as
> if you had just upgraded from a NT4-like/classic Samba domain.
>
> Otherwise nothing too drastic at this time, but we might start storing
> more information there in the future, which is why this is an internal
> control not really intended for external use.

Hi Andrew.

My password policy forces users to change their passwords every 12 months.

So we hope soon to get this to the 'most correct use'.

Thank you so much.

Regards,
Leonardo

>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
>