Joining W2k AD domain

Andrew Bartlett abartlet at
Wed Nov 9 02:45:40 MST 2011

On Wed, 2011-11-09 at 10:15 +0100, Matthias Dieter Wallnöfer wrote:
> Hi Dave & Andrew,
> I have found a fix for your first issue. The error information level has 
> not been checked at all so the wrong information fields have been 
> accessed if we were on level 2: 

Yes, that looks like the right fix.

> The second issue seems strange since also Windows 2000 should support 
> password sets over the "unicodePwd" attribute. The syntax should be okay 
> (the "sambd.setpassword" call) since we have performed various tests 
> against Windows Server (2003, 2008, 2008R2). Here is a link to the MS-ADTS 
> guide describing this circumstance: 
> Might the following constraint be the source of the problem?
> > Microsoft Windows® 2000 operating system servers require that the 
> > client have a 128-bit (or better) SSL/TLS-encrypted connection to the 
> > DC in order to modify this attribute. (unicodePwd)
> If yes, couldn't we try to perform the password set directly on the 
> entry-add operation?

Yes, but SSL connections are a pain to set up, and I think you are
reading the rule too literally - I'm pretty sure you cannot do it on add

Therefore, it is easiest to set the password with either kpasswd or
SAMR, and we have bindings for SAMR.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
