Samba4: Changing a user's passwd via LDAP

Stefan (metze) Metzmacher metze at samba.org
Fri Aug 20 07:01:03 MDT 2010


Am 20.08.2010 13:57, schrieb Michael Wood:
> Hi
> 
> I need to provide a web-based interface for users to change their
> passwords in Samba4.  Is LDAP the best option?
> 
> Should the following work?
> 
> http://support.microsoft.com/kb/269190
> 
> I tried using ldapmodify with the following ldif:
> 
> dn: CN=user,CN=Users,DC=my,DC=realm
> changetype: modify
> add: unicodePwd
> unicodePwd: "NewPassword"
> -
> delete: unicodePwd
> unicodePwd: "OldPassword"
> -

But this needs to be UTF16 not utf8.

Maybe this python code helps you.

Also note that you need to use an encrypted connection
(at least against windows, but hopefully also against
 samba in future). SASL or TLS encryption is needed.

#!/usr/bin/env python
#

#import binascii
#import sys
#
#hex = sys.argv[1]
#
#u16 = binascii.a2b_hex(hex)
#u = unicode(u16, "utf-16-le")
#u8 = u.encode("utf8")
#
#print "hex-utf16-le: '%s'" % hex
#print "utf8-pw: '%s'" % u8
#
#sys.exit(0)

import base64

clearTextPassword = 'A1b2C3d4'

u8 = '"' + clearTextPassword + '"'

u = unicode(u8, "utf-8")

u16 = u.encode("utf-16-le")
#u16 = u.encode("ascii")

b64 = base64.b64encode(u16)

print "u8[%r] u[%r] u16[%r] b64[%s]\n" % (u8, u, u16, b64)

> Whether I use simple authentication with "ldapmodify -x -D
> CN=user,CN=Users,DC=my,DC=realm -W ..." or first run "kinit user" and
> then use "ldapmodify -Y gssapi ..." I get the following error:
> 
> modifying entry "CN=user,CN=Users,DC=my,DC=realm"
> ldap_modify: Insufficient access (50)
> 	additional info: 00002098: insufficient access rights - error in
> module acl: insufficient access rights (50)
> 
> but perhaps that's not equivalent to the code in the KB article?
> 
> I would appreciate any suggestions for how to do this, preferably from
> Python, or if LDAP is not the best way, then I would appreciate it if
> you could let me know what the best way is.
> 
> I also tried "net password change", but was having trouble getting that to work.
> 
> I'm currently running "Version 4.0.0alpha12-GIT-6d97360" but I might
> upgrade/reprovision soon.
> 
> Thanks in advance.
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100820/70515b26/attachment.pgp>


More information about the samba-technical mailing list