[Samba] heimdal and windows compatibility up-to-date informations

Guillaume Rousse Guillaume.Rousse at inria.fr
Wed Oct 8 10:54:48 GMT 2008


I'm back on this old question, because I'm now really working on it.

Andrew Bartlett wrote:
>> Second, I was looking at a better way to sync user accounts between our 
>> new LDAP-backed Heimdal KDC and our Windows AD. Currently, we have an 
>> automated task synchronising user entries into Windows LDAP from our 
>> Unix LDAP hourly, and a password-management CGI propagating password 
>> changes to both systems (using an ugly VB CGI on the Windows side to 
>> effectively change the password). I was wondering if the password 
>> handling stuff could be merged with the LDAP synchronisation task, now 
>> that we store Kerberos keys in LDAP.
> 
> Windows does not allow the password attributes to be manipulated like
> that.  You could potentially read and set passwords with Samba4's
> DRSUAPI synchronisation, but you can't do it with just Heimdal or just
> LDAP.
I succeeded in setting or changing the unicodePwd attribute in AD through 
a pure LDAP operation. It allows me to pass authentication when trying to 
open a remote desktop session (which immediately fails for an authorization 
issue). But I guess it isn't enough to handle the Kerberos part of the AD 
authentication system.

From http://wiki.samba.org/index.php/Samba4/ActiveDirectory#DRSUAPI, it 
seems that this API is far from being usable now.

>> As I gather from your answer that it's not, I'm still interested in the best 
>> way to handle AD user accounts remotely, without a local Windows code 
>> relay. Is there any issue with directly modifying the AD base through an LDAP 
>> connection? My Windows colleague currently prefers to dump LDIF entries 
>> and import them through a Windows-specific tool. And how do I set a Windows 
>> password from Perl code? I'm currently biased toward using an external 
>> smbpasswd call, but maybe there are better ways.
> 
> You could certainly run Samba tools to set the user's password, if you
> wanted.
Well, smbpasswd (from Samba 3) allows a user to change his own password, 
provided he knows the current one. But from the man page, it seems 
impossible to use it with a privileged account (member of the Account 
Operators group) to change someone else's password against an AD controller.

So, am I missing something if I use an LDAP operation to at least set up an 
initial password for the user, then have him use smbpasswd to make it 
fully operational?
-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
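As an added example (not code from this post, nor from Samba or Heimdal), the following Python shows the two unicodePwd write shapes that the thread discusses: an administrative reset of an initial password, and the user's own old-for-new change that smbpasswd would otherwise perform. The post asks about Perl; Python with the ldap3 library is used here instead, and the domain controller name, bind account and user DN are placeholders.

```python
"""Writing an Active Directory password through the unicodePwd attribute.

Constructed example. Assumes the ldap3 library and a domain controller
reachable over LDAPS; dc.example.com, svc-sync@example.com and the user DN
are placeholders, not values from the mailing-list post.
"""

# ldap3 modify-operation names; in the ldap3 API these are plain strings.
MODIFY_ADD = "MODIFY_ADD"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"


def encode_unicode_pwd(password):
    """AD accepts unicodePwd only as the password wrapped in double quotes
    and encoded as UTF-16LE without a BOM; any other form is rejected."""
    return f'"{password}"'.encode("utf-16-le")


def password_change_ops(new_password, old_password=None):
    """Build the LDAP modify 'changes' dict for unicodePwd.

    Administrative reset (old_password is None): a single REPLACE, which
    requires the 'Reset Password' right on the user object.
    Self-service change: DELETE the old value and ADD the new one in the
    same operation; the DC itself checks that the old value is correct.
    """
    if old_password is None:
        return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}
    return {
        "unicodePwd": [
            (MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
            (MODIFY_ADD, [encode_unicode_pwd(new_password)]),
        ]
    }


def set_ad_password(conn, user_dn, new_password, old_password=None):
    """Apply the change over an already-bound ldap3 Connection.

    The DC refuses unicodePwd writes on a cleartext session, so fail fast
    unless the connection is LDAPS or StartTLS has completed.
    """
    if not (conn.server.ssl or conn.tls_started):
        raise RuntimeError("unicodePwd requires LDAPS or StartTLS")
    if not conn.modify(user_dn, password_change_ops(new_password, old_password)):
        # conn.result carries the AD error, e.g. a complexity or history
        # policy failure; unicodePwd itself can never be read back.
        raise RuntimeError(f"modify failed: {conn.result}")
    return True


if __name__ == "__main__":
    # Placeholder connection details; replace with your own.
    from ldap3 import Server, Connection  # assumed dependency

    server = Server("dc.example.com", port=636, use_ssl=True)
    conn = Connection(server, user="svc-sync@example.com",
                      password="bind-password-placeholder", auto_bind=True)
    set_ad_password(conn, "CN=jdoe,OU=Users,DC=example,DC=com", "N3w-Passw0rd!")
```

The quoting and UTF-16LE encoding are the detail that most often trips up scripted AD password writes, and the TLS check mirrors what the DC enforces on its side; the self-service form is the one to use when the account doing the write should not hold reset rights over other users.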