Joining W2k AD domain
Matthias Dieter Wallnöfer
mdw at samba.org
Wed Nov 9 02:15:48 MST 2011
Hi Dave & Andrew,
I have found a fix for your first issue. The error information level has
not been checked at all so the wrong information fields have been
accessed if we were on level 2:
http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=commitdiff;h=53dfb4592997e9c1fb874e77de227c34a645ac55
The second issue seems strange, since Windows 2000 should also support
password sets over the "unicodePwd" attribute. The syntax should be okay
(the "samdb.setpassword" call), since we have performed various tests
against Windows Server (2003, 2008, 2008R2). Here is a link to the MS-ADTS
guide describing this circumstance:
http://msdn.microsoft.com/en-us/library/cc223248(v=PROT.10).aspx.
Might the following constraint be the source of the problem?
> Microsoft Windows® 2000 operating system servers require that the
> client have a 128-bit (or better) SSL/TLS-encrypted connection to the
> DC
> <http://msdn.microsoft.com/en-us/library/b645c125-a7da-4097-84a1-2fa7cea07714%28v=PROT.10%29#domain_controller>
> in order to modify this attribute. (unicodePwd)
If so, couldn't we try to perform the password set directly on the
entry-add operation?
Matthias
Andrew Bartlett wrote:
> On Tue, 2011-11-08 at 13:10 -0500, Dave Hawkes wrote:
>
>> Hi,
>>
>> Does anyone know if there is any progress on fixing the issues mentioned
>> in this post relating to joining an existing w2k ad domain?
>>
>> https://lists.samba.org/archive/samba-technical/2011-September/079244.html
>>
>> I did a quick scan in the repository and could not find anything that
>> specifically addressed this.
>>
> I'm sorry, I never got a chance to fix that, and it got caught up in the
> run-up to our annual event with Microsoft, where we were working on
> multi-domain support.
>
> The tasks to fix this (in case someone else wishes to take this on) are:
> - sort out the fetching of the error code (probably per the patch)
> - use SAMR to set the password on the account if we cannot set it over
> LDAP (ie, catch the exception and retry with samr using the python
> bindings).
>
> Andrew Bartlett
>
>
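As an added example (not code from Samba or from anyone in this thread), the following shows the two points the messages above turn on: how the value written to "unicodePwd" has to be encoded for an LDAP password set per MS-ADTS (the cleartext password enclosed in double quotes, UTF-16LE, carried base64-encoded in LDIF), and the "try LDAP, on failure retry over SAMR" flow Andrew lists as the second task. The DC, the exception class and the SAMR setter are stand-ins constructed here so the script runs offline; the stand-in DC refuses the LDAP modify unless the connection is TLS-protected with a 128-bit or stronger cipher, mirroring the Windows 2000 constraint quoted above. None of these names are Samba APIs.

```python
# Added example, not Samba's own code. Demonstrates the MS-ADTS unicodePwd
# encoding and an LDAP-then-SAMR fallback against a constructed fake DC.
import base64


class LdapPasswordSetError(Exception):
    """Stand-in (hypothetical) for the error raised when the DC refuses
    the unicodePwd modify."""


def unicode_pwd_value(password: str) -> bytes:
    # MS-ADTS: the value written to unicodePwd is the cleartext password
    # enclosed in double quotes, encoded as UTF-16LE.
    return ('"' + password + '"').encode("utf-16-le")


def unicode_pwd_ldif(dn: str, password: str) -> str:
    # unicodePwd is a binary attribute, so LDIF carries it base64-encoded
    # using the "::" separator.
    b64 = base64.b64encode(unicode_pwd_value(password)).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {b64}\n"
    )


class FakeW2kDC:
    """Constructed stand-in for a Windows 2000 DC. It refuses the unicodePwd
    modify unless the connection is TLS-protected with a 128-bit or stronger
    cipher (the constraint quoted from MS-ADTS above); SAMR is accepted
    because it protects the password in its own encrypted RPC buffer."""

    def __init__(self, tls_key_bits: int):
        self.tls_key_bits = tls_key_bits
        self.passwords = {}   # dn -> (path used, cleartext as the DC saw it)
        self.samr_calls = 0

    def ldap_modify_unicode_pwd(self, dn: str, value: bytes) -> None:
        if self.tls_key_bits < 128:
            raise LdapPasswordSetError(
                "unwillingToPerform: unicodePwd needs a 128-bit TLS connection")
        # Decode as a conforming DC would and insist on the surrounding quotes.
        text = value.decode("utf-16-le")
        if len(text) < 2 or text[0] != '"' or text[-1] != '"':
            raise LdapPasswordSetError("constraintViolation: value not quoted")
        self.passwords[dn] = ("ldap", text[1:-1])

    def samr_set_password(self, dn: str, password: str) -> None:
        self.samr_calls += 1
        self.passwords[dn] = ("samr", password)


def set_password_with_fallback(dc: FakeW2kDC, dn: str, password: str) -> str:
    """Try the LDAP unicodePwd set first; if the DC refuses it, retry the
    same password over SAMR. Returns the path that succeeded."""
    try:
        dc.ldap_modify_unicode_pwd(dn, unicode_pwd_value(password))
        return "ldap"
    except LdapPasswordSetError:
        dc.samr_set_password(dn, password)
        return "samr"


if __name__ == "__main__":
    # Constructed sample input: a DC account DN and a throwaway password.
    dn = "CN=samba-dc,OU=Domain Controllers,DC=example,DC=com"
    print(unicode_pwd_ldif(dn, "Secret1!"), end="")
    print("no TLS     ->", set_password_with_fallback(FakeW2kDC(0), dn, "Secret1!"))
    print("128-bit TLS->", set_password_with_fallback(FakeW2kDC(128), dn, "Secret1!"))
```

Against a real DC the two stand-in methods would be the LDAP modify (or the unicodePwd value included directly in the entry add, as Matthias suggests) and the SAMR password-set call from the Python bindings; the fallback structure stays the same, and the LDIF printed by `unicode_pwd_ldif` is what the LDAP path sends.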