Using machine account credentials for issuing standalone ldap queries against a Windows 2000 Active Directory server

Raj Pagaku rpagaku at ironport.com
Tue Sep 11 06:38:59 GMT 2007


Hello All,
 
This might come across as a rather strange and interesting question related to using machine account credentials to issue standalone ldap queries against an Active Directory server.
 
We are using Samba and use 'ads' mode to join the machine onto the Active Directory (net ads join).  Once the machine is joined to the domain, we do not have access to the username and password that was used to join the machine on the Active Directory server.  Also we do not have access to any other username and password on the AD server.  Hence we use the machine account credentials (password that is available in the 'secrets.tdb') to perform ldap queries against the AD server (we have appropriate scripts to fetch the credential from the file).  We can invoke standard 'ldapsearch' using the machine account credentials and perform ldap queries on the AD server.
 
This works completely fine without any issues when we have joined a Windows 2003 Active Directory server.  
 
However when we have joined a Windows 2000 Active Directory server this technique does not work.  The password always seems to be invalid when used with ldapsearch.  The machine has joined the domain and queries can be performed with a normal username and password but not with the machine account username and password.
 
Also, this does not seem to be Samba version specific - we observe this on both 3.0.23c as well as 3.0.25a.
 
Does anyone know why the machine account credentials don't work when used in standalone ldap queries against a Windows 2000 AD server?
 
Thanks in advance for any input that might help in addressing this issue.
 
Regards
Raj Pagaku
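The following is an added diagnostic script, not code from Raj's post or from the Samba project. It exercises the scenario the post describes: after `net ads join` has succeeded, bind to the DC with the machine account in the two identity forms AD accepts for a computer account (`DOMAIN\HOST$` and `HOST$@REALM`), and also attempt a SASL/GSSAPI bind from the machine keytab, which never sends the machine password over the wire. Assumptions: the machine password has already been extracted from `secrets.tdb` by the poster's own script and is supplied in the `MACHINE_PW` environment variable; `/etc/krb5.keytab` is the keytab written by `net ads keytab create`; the hostnames and realm used are placeholders. The script reports which bind forms the DC accepts and which it rejects; it does not claim to explain the Windows 2000 behaviour.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): check which bind
# identities a DC accepts for the Samba machine account.
# Usage: MACHINE_PW='<from secrets.tdb>' sh check_machine_bind.sh DC REALM WORKGROUP HOST
#   e.g. MACHINE_PW='...' sh check_machine_bind.sh dc01.example.com EXAMPLE.COM EXAMPLE myhost
# (all names above are placeholders)

# sAMAccountName form of a computer account: WORKGROUP\HOSTNAME$ (hostname uppercased)
machine_sam_name() {  # args: workgroup hostname
    printf '%s\\%s$' "$1" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# userPrincipalName form of a computer account: HOSTNAME$@REALM
machine_upn() {       # args: hostname realm
    printf '%s$@%s' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" "$2"
}

# Simple bind (-x) plus a base-scope RootDSE read; the exit status tells whether
# the DC accepted the bind name/password pair. Plain LDAP sends the password in
# clear, so use this only on a trusted network or switch to ldaps://.
try_simple_bind() {   # args: dc_host bind_name password
    ldapsearch -x -LLL -H "ldap://$1" -D "$2" -w "$3" -s base -b '' defaultNamingContext
}

# Kerberos alternative: obtain a TGT for HOST$ from the keytab, then bind with
# SASL/GSSAPI. Assumes /etc/krb5.keytab was populated by "net ads keytab create".
try_gssapi_bind() {   # args: dc_host hostname realm
    kinit -k -t /etc/krb5.keytab "$(machine_upn "$2" "$3")" || return 1
    ldapsearch -LLL -Y GSSAPI -H "ldap://$1" -s base -b '' defaultNamingContext
}

# Only run the network checks when all four arguments are given.
if [ $# -eq 4 ]; then
    dc=$1; realm=$2; workgroup=$3; host=$4
    # Confirm the join itself is healthy before blaming the bind
    net ads testjoin || echo "net ads testjoin failed; fix the join first" >&2
    for who in "$(machine_sam_name "$workgroup" "$host")" "$(machine_upn "$host" "$realm")"; do
        if try_simple_bind "$dc" "$who" "$MACHINE_PW" >/dev/null 2>&1; then
            echo "simple bind OK as $who"
        else
            echo "simple bind REJECTED as $who"
        fi
    done
    if try_gssapi_bind "$dc" "$host" "$realm" >/dev/null 2>&1; then
        echo "GSSAPI bind OK from keytab"
    else
        echo "GSSAPI bind failed (no keytab, clock skew, or DC rejected the ticket)"
    fi
fi
```

Run it against each DC in turn (the 2003 one that works and the 2000 one that does not); a DC that rejects both simple-bind forms but accepts the GSSAPI bind points at the password/bind-name path rather than at the account itself, and the machine password never has to leave the box for the Kerberos case.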
