[lsc-users] Pushing a password to Samba 4
Sebastien BEAUDLOT
2018-09-26 15:11:26 UTC
Hi,

I am trying to push passwords for my LDAP users to a Samba 4 AD (like instructions in this howto: https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory), but I'm stuck with an LDAP Error 53:

Error while modifying entry CN=beaudlot,cn=Users,dc=adbaka,dc=univ-avignon,dc=fr in directory :javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set the NT hash password directly'];

Dataset looks like:

<dataset>
<name>unicodePwd</name>
<policy>FORCE</policy>
<createValues>
<string>AD.getUnicodePwd("JustTesting4Password!")</string>
</createValues>
</dataset>

(I am just trying to push a fixed string for now, but future plans will include pre-encrypted passwords with passwordhk.pl)

Samba 4 AD connection is secured. I tried TLS and SSL/ldaps, both working for all other attributes. I also tried to bind with both the builtin administrator account and a manually made lsc service account.

Password update seems way more tricky than other attributes, and I may be missing something important here ...


Regards.
--
Sébastien BEAUDLOT

Systems, network and telephony administrator

Direction Opérationnelle des Systèmes d'Information (DOSI)
Pôle Infrastructures
Université d'Avignon et des Pays de Vaucluse

Tel.: 04.90.16.26.04
--
Clément OUDOT
2018-09-26 15:38:46 UTC
Post by Sebastien BEAUDLOT
Hi,
I am trying to push passwords for my LDAP users to a Samba 4 AD (like
https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory),
Error while modifying entry
CN=beaudlot,cn=Users,dc=adbaka,dc=univ-avignon,dc=fr in directory
:javax.naming.OperationNotSupportedException: [LDAP: error code 53 -
00002035: setup_io: it's not allowed to set the NT hash password
directly'];
        <dataset>
         <name>unicodePwd</name>
         <policy>FORCE</policy>
         <createValues>
          <string>AD.getUnicodePwd("JustTesting4Password!")</string>
         </createValues>
        </dataset>
(I am just trying to push a fixed string for now, but future plans
will include pre-encrypted passwords with passwordhk.pl)
Samba 4 AD connection is secured. I tried TLS and SSL/ldaps, both
working for all other attributes. I also tried to bind with both the
builtin administrator account and a manually made lsc service account.
Password update seems way more tricky than other attributes, and I may
be missing something important here ...
Seems you are not the only one to have this issue:
http://samba.2283325.n4.nabble.com/Setting-unicodePwd-hashes-directly-td2469395.html

What I don't understand is why Samba4 thinks your password is an NT hash,
it should detect that this is a plain text value. Try to set a default
value like "password123" to see if this changes something.
--
Clément Oudot | Identity Solutions Manager

***@worteks.com

Worteks | https://www.worteks.com
Sebastien BEAUDLOT
2018-09-27 10:15:41 UTC
Hi,

I don't think Samba 4 detects a hash, but it may just disallow setting unicodePwd directly through the LDAP connection.

The attribute (unicodePwd) is not even visible when browsing the ldap with the administrator account.

I don't think LSC will allow me to fully sync LDAP and Samba 4.

Thanks for your help.
--
Sébastien BEAUDLOT

Systems, network and telephony administrator

Direction Opérationnelle des Systèmes d'Information (DOSI)
Pôle Infrastructures
Université d'Avignon et des Pays de Vaucluse

Tel.: 04.90.16.26.04
--
Clément OUDOT
2018-09-27 12:16:11 UTC
Post by Sebastien BEAUDLOT
Hi,
I don't think Samba 4 detects a hash, but it may just disallow setting
unicodePwd directly through the LDAP connection.
The attribute (unicodePwd) is not even visible when browsing the ldap
with the administrator account.
This attribute is "write-only", you cannot read it but you can update it.
Post by Sebastien BEAUDLOT
I don't think LSC will allow me to fully sync LDAP and Samba 4.
Some people on this list were able to do it, so I think there is no
problem to use LSC for this.
--
Clément Oudot | Identity Solutions Manager

***@worteks.com

Worteks | https://www.worteks.com
Sebastien BEAUDLOT
2018-09-27 12:27:58 UTC
Post by Clément OUDOT
This attribute is "write-only", you cannot read it but you can update it.
This should explain why it does not show when browsing the AD through an LDAP connection.
Post by Clément OUDOT
Some people on this list were able to do it, so I think there is no problem to use LSC for this.
Ok. I'm still stuck with the error when trying to update, so there might be a trick.
--
Sébastien BEAUDLOT
Université d'Avignon et des Pays de Vaucluse
--
Clément OUDOT
2018-09-27 12:46:08 UTC
Post by Clément OUDOT
Post by Clément OUDOT
This attribute is "write-only", you cannot read it but you can
update it.
This should explain why it does not show when browsing the AD through an LDAP connection.
Post by Clément OUDOT
Some people on this list were able to do it, so I think there is no
problem to use LSC for this.
Ok. I'm still stuck with the error when trying to update, so there might be a trick.
Reading some forums, I don't see why it fails. LSC AD.getUnicodePwd
should do the right encoding, like it is required:
https://groups.google.com/forum/#!topic/linux.samba/oYfQH4kMpn8

Check that the BindDN on Samba has enough rights to update password, and
try with a value without "!".
--
Clément Oudot | Identity Solutions Manager

***@worteks.com

Worteks | https://www.worteks.com
Sebastien BEAUDLOT
2018-09-27 14:44:40 UTC
Hi,

My bad. I was making a mistake between createValues and forceValues, so LSC was trying to put the unicodePwd from LDAP in Samba.

It's working now.
--
Sébastien BEAUDLOT
Université d'Avignon et des Pays de Vaucluse
--
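For readers who hit the same error 53: an added example (Python, not LSC's own code) that builds the unicodePwd value the way AD.getUnicodePwd(password) does, the clear-text password wrapped in double quotes and encoded as UTF-16LE, and vets a candidate value before it is written. The fix found in this thread was moving the expression from createValues to forceValues, so that this computed value rather than the source directory's attribute is what LSC sends on update; the helper names and the SSHA-style sample value below are constructed for the example.

```python
"""Added example, not LSC's own code: build unicodePwd the way
AD.getUnicodePwd(password) does and vet a value before it is written."""
from typing import Optional

# Constructed sample: the same test password used in the thread.
SAMPLE_PASSWORD = "JustTesting4Password!"


def unicode_pwd(password: str) -> bytes:
    """AD and Samba AD accept unicodePwd only as the clear-text password
    wrapped in ASCII double quotes and encoded as UTF-16LE without a BOM."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> Optional[str]:
    """Return the clear-text password if `value` is in the accepted quoted
    UTF-16LE form, otherwise None (a value in any other form is what the
    server refuses, as with the error 53 seen in this thread)."""
    if len(value) < 4 or len(value) % 2:
        return None            # two UTF-16 quote chars alone take 4 bytes
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if text[0] != '"' or text[-1] != '"':
        return None
    return text[1:-1]


def check_before_write(value: bytes) -> str:
    """Verdict to log before attempting the LDAP modify of unicodePwd."""
    pwd = decode_unicode_pwd(value)
    if pwd is None:
        return "REJECT: not a quoted UTF-16LE password"
    return f"OK: quoted UTF-16LE password, {len(pwd)} characters"


if __name__ == "__main__":
    good = unicode_pwd(SAMPLE_PASSWORD)
    print(good[:8])                      # b'"\x00J\x00u\x00s\x00'
    print(check_before_write(good))      # OK: quoted UTF-16LE password, 21 characters
    # A value taken straight from the source directory instead of the
    # expression (the createValues mistake in this thread) is rejected;
    # the hash text here is a constructed placeholder, not a real hash.
    print(check_before_write(b"{SSHA}constructed-hash-value"))  # REJECT: ...
```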
BOURLES, Sebastien
2018-09-28 06:53:59 UTC
Hi everyone,

I’m synchronizing an AD with an openldap in bdb. For 200 000 entries, it’s taking around 9 hours.
From your experience, do you find the duration OK?
If not, does LSC provide tuning options?
Or is it the bdb database that is wrong?

Best regards,
_______________________________________________________________________
Sébastien Bourles
Solution integrator | CSD

Capgemini FRANCE | Cesson-Sévigné
Tel.: +33 2 99 27 82 23
www.capgemini.com

7 Rue Claude Chappe, Rennes Atalante Champs Blancs
_______________________________________________________________________
Clément OUDOT
2018-09-28 07:05:29 UTC
Post by BOURLES, Sebastien
Hi everyone,
 
I’m synchronizing an AD with an openldap in bdb. For 200 000 entries,
it’s taking around 9 hours.
From your experience, do you find the duration OK?
If not, does LSC provide tuning options?
Or is it the bdb database that is wrong?
Hello,

this should not last so long, I think you should be able to sync the
directory in one or two hours (for a first import), and less than that
for an update.

Clearly the BDB backend in OpenLDAP has poor performance, you should switch
to LMDB as soon as possible. But on the other hand, AD also has poor
performance, and you cannot do anything about this.

You can try to change LSC threads (option -t), which is 5 by default to
see if it has an impact. You can also monitor memory on the server to be
sure LSC is not using swap.
--
Clément Oudot | Identity Solutions Manager

***@worteks.com


Worteks | https://www.worteks.com
RODRIGO ZANDAVALLI AVILA
2018-09-28 14:46:58 UTC
I think it's great that you could achieve that using only LSC.
Personally, I used ldbmodify and used the info in:

https://lists.samba.org/archive/samba/2014-June/182226.html

Rodrigo Zandavalli Avila


