Joining W2k AD domain

Andrew Bartlett abartlet at samba.org
Wed Nov 9 02:45:40 MST 2011


On Wed, 2011-11-09 at 10:15 +0100, Matthias Dieter Wallnöfer wrote:
> Hi Dave & Andrew,
> 
> I have found a fix for your first issue. The error information level has 
> not been checked at all so the wrong information fields have been 
> accessed if we were on level 2: 
> http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=commitdiff;h=53dfb4592997e9c1fb874e77de227c34a645ac55

Yes, that looks like the right fix.

> The second issue seems strange since also Windows 2000 should support 
> password sets over the "unicodePwd" attribute. The syntax should be okay 
> (the "sambd.setpassword" call) since we have performed various tests 
> against Windows Server (2003, 2008, 2008R2). Here is a link to the MS-ADTS 
> guide describing this circumstance: 
> http://msdn.microsoft.com/en-us/library/cc223248(v=PROT.10).aspx.
> 
> Might the following constraint be the source of the problem?
> > Microsoft Windows® 2000 operating system servers require that the 
> > client have a 128-bit (or better) SSL/TLS-encrypted connection to the 
> > DC 
> > <http://msdn.microsoft.com/en-us/library/b645c125-a7da-4097-84a1-2fa7cea07714%28v=PROT.10%29#domain_controller> 
> > in order to modify this attribute. (unicodePwd)
> If yes, couldn't we try to perform the password set directly on the 
> entry-add operation?

Yes, but SSL connections are a pain to set up, and I think you are
reading the rule too literally - I'm pretty sure you cannot do it on add
either.  

Therefore, it is easiest to set the password with either kpasswd or
SAMR, and we have bindings for SAMR.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
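
The LDAP password-set path discussed in this thread, as an added example that is not taken from the thread or from Samba's code: it builds the LDIF modify record for `unicodePwd` and refuses to do so unless the connection meets the 128-bit requirement quoted above. The quoted UTF-16LE encoding and the reset/change forms follow MS-ADTS and go beyond what the thread states; the function names, the `cipher_bits` parameter and the sample DN are assumptions made for illustration.

```python
import base64

MIN_CIPHER_BITS = 128  # threshold from the MS-ADTS text quoted in the thread


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire value: the password wrapped in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def b64(value: bytes) -> str:
    return base64.b64encode(value).decode("ascii")


def password_set_ldif(dn, new_password, cipher_bits, old_password=None):
    """Build the LDIF modify record for a password reset or change.

    cipher_bits (hypothetical parameter) is the negotiated strength of the
    connection the record will be sent on, 0 meaning cleartext; how the
    caller learns it is outside this sketch. Assumes an ASCII-only DN.
    """
    if cipher_bits < MIN_CIPHER_BITS:
        raise PermissionError(
            f"refusing unicodePwd write over a {cipher_bits}-bit connection")
    new_value = b64(encode_unicode_pwd(new_password))
    lines = [f"dn: {dn}", "changetype: modify"]
    if old_password is None:
        # Administrative reset: a single replace of the attribute.
        lines += ["replace: unicodePwd", f"unicodePwd:: {new_value}", "-"]
    else:
        # User-initiated change: delete the old value and add the new one
        # in the same modify request.
        old_value = b64(encode_unicode_pwd(old_password))
        lines += ["delete: unicodePwd", f"unicodePwd:: {old_value}", "-",
                  "add: unicodePwd", f"unicodePwd:: {new_value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample DN and password, not values from the thread.
    sample_dn = "CN=testhost,CN=Computers,DC=example,DC=com"
    print(password_set_ldif(sample_dn, "Constructed-Pw-1", cipher_bits=256))
    try:
        password_set_ldif(sample_dn, "Constructed-Pw-1", cipher_bits=0)
    except PermissionError as exc:
        print("blocked:", exc)
```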