PATCH: Improved Keytab Functionality - UPDATED

[Luigi Visintin]

Hello,
I'm just asking you permission to send a question about a very strange
behaviour I'm finding on a RHEL where I'm trying to authenticate from Cyrus
IMAP a user which is defined in W2k3 AD.
I'll attach a short text explaining my problem...
If ever anyone can help me, I'm almost ready to give up, to the dismal of my
customer, and my own....
Thanks in advance

Luigi VISINTIN
visintin at twinhawks.net
Twin Hawks Sas
C. Ferrucci, 48
10138 Torino
www.twinhawks.net

 
-------------- next part --------------
Hello,
I'm having lot of trouble within this scenario:
 
1) ActiveDir on W2k3, several other W2k3 with/without cluster + SqlServer
+ Oracle, then a couple of Linux (RedHat Entrepreise) clustered with
mail/web services.
2) added MS Services for Unix (SFU35) on AD, to enable authentication
(and mailbox creation) on the (Linux) mail server without hand
creation of mail users. On Linux we have Cyrus 2.2.12 for imap handling.
3) created a few users in AD by AD GUI, everything works OK also in
mail server
4) to add 700+ real users I wrote a script that takes all info from an
XLS file, then calls 'DSADD' and creates (successfully) all users
INSIDE several OU.
5) then tryed to access those users from mailserver, NOWAY, always get
'authenrication failure'.
 
After two+ days of trial and (a lot) of errors, and a lot of searches
from Google on: joeware, rallen, Guillaume Bordier, and (of course) MS
sites (and many others I don't cite...) I'm almost ready to give up.
 
I was also using LDIFDE to create users, but I keep getting a few
errors, like "Unwilling to perform", etc., and I was not able to find
a place whit exact definition of what is the MANDATORY attributes to
create a user with LDIFDE.
 
After a while I succeded in creating users from a script with all info
I think is neede, but still I have the problem of user not
authenticating, and don't know where to look...
 
Then I switched to a new script, which uses LDAP objects to create
users, as follows:
 
A. create the new user, in three step, part 1 adds the user, then part
2 adds other attributes, then part 3 reset userAccountControl, this
last because I tougth there was the culprit... ADS_UF_PASSWD_NOTREQD
'---- part 1
Set oDesOU =
GetObject("LDAP://OU=dirgen,OU=Risorse_Umane,DC=istge,DC=priv")
Set objUser = oDesOU.Create("user", "CN=GianFranco.Ciappina")
objUser.Put "cn","GianFranco.Ciappina"
objUser.Put "sAMAccountName","GianFranco.Ciappina"
objUser.SetInfo
'---- part 2
objUser.Put "userPrincipalName","gianfranco.ciappina at istge.it"
objUser.Put "msSFU30HomeDirectory","/home/gianfranco.ciappina"
objUser.Put "msSFU30LoginShell",usr.get("msSFU30LoginShell")
objUser.Put "msSFU30Name","GianFranco.Ciappina"
objUser.Put "msSFU30GidNumber",usr.get("msSFU30GidNumber")
objUser.Put "msSFU30UidNumber",usr.get("msSFU30UidNumber")
objUser.Put "msSFU30NisDomain",usr.get("msSFU30NisDomain")
objUser.Put "msSFU30Password","G*f*p*3*0*7*!"
objUser.SetInfo
'---- part 3
userActCtrl = objUser.Get("userAccountControl") '
ADS_UF_ACCOUNTDISABLE + ADS_UF_PASSWD_NOTREQD +
ADS_UF_DONT_EXPIRE_PASSWD userActCtrl = userActCtrl And Not (
ADS_UF_PASSWD_NOTREQD) objUser.Put "userAccountControl", userActCtrl
objUser.SetInfo
'----
 
B. then DSMOD that user to add more attributes (this comes from a
previous version of the script, I hope to change also that part to use
directly the above objuser..., so the password is set once for Unix
(SFU3.5) in part 2 above, then in this DSMOD for the actual Windows environment.
 
C. last step another DSMOD only to set " -canchpwd yes -mustchpwd yes"
At this point from the Linux (RHEL) I'm trying, using telnet on the
cyrus imap tool to authenticate, but here I get my error:
"badlogin [ip...] plaintext gianfranco.ciappina SASL(-13): authentication
failure: checkpass failed"
 
I've also checked (and subscribed to) activedir.org, but also there no
solution by now...
 
I'm going crazy.... Can anyone help me?