Joining W2k AD domain

Matthias Dieter Wallnöfer mdw at
Wed Nov 9 02:15:48 MST 2011

Hi Dave & Andrew,

I have found a fix for your first issue. The error information level has 
not been checked at all so the wrong information fields have been 
accessed if we were on level 2:;a=commitdiff;h=53dfb4592997e9c1fb874e77de227c34a645ac55

The second issue seems strange since also Windows 2000 should support 
password sets over the "unicodePwd" attribute. The syntax should be okay 
(the "sambd.setpassword" call) since we have performed various tests 
against Windows Server (2003, 2008, 2008R2). Here a link to the MS-ADTS 
guide describing this circumstance:

Might the following constraint be the source of the problem?
> Microsoft Windows® 2000 operating system servers require that the 
> client have a 128-bit (or better) SSL/TLS-encrypted connection to the 
> DC 
> <> 
> in order to modify this attribute. (unicodePwd)
If yes, couldn't we try to perform the password set directly on the 
entry-add operation?


Andrew Bartlett wrote:
> On Tue, 2011-11-08 at 13:10 -0500, Dave Hawkes wrote:
>> Hi,
>> Does anyone know if there is any progress on fixing the issues mentioned
>> in this post relating to joining an existing w2k ad domain?
>> I did a quick scan in the repository and could not find anything that
>> specifically addressed this.
> I'm sorry, I never got a chance to fix that, and it got caught up in the
> run-up to our annual event with Microsoft, where we were working on
> multi-domain support.
> The tasks to fix this (in case someone else wishes to take this on) are:
>   - sort out the fetching of the error code (probably per the patch)
>   - use SAMR to set the password on the account if we cannot set it over
> LDAP (ie, catch the exception and retry with samr using the python
> bindings).
> Andrew Bartlett

More information about the samba-technical mailing list