Joining W2k AD domain

Dave Hawkes daveh at
Wed Nov 9 08:38:33 MST 2011

Hi Matthias,

Thanks for looking at this. I have some aging w2k authentication servers 
I'm looking at replacing, so I'll give it a try again if the password 
issue looks resolved at some point.


On 09/11/2011 4:15 AM, Matthias Dieter Wallnöfer wrote:
> Hi Dave & Andrew,
> I have found a fix for your first issue. The error information level 
> has not been checked at all so the wrong information fields have been 
> accessed if we were on level 2: 
> The second issue seems strange since Windows 2000 should also support 
> password sets over the "unicodePwd" attribute. The syntax should be 
> okay (the "samdb.setpassword" call) since we have performed various 
> tests against Windows Server (2003, 2008, 2008R2). Here is a link to the 
> MS-ADTS guide describing this circumstance: 
> Might the following constraint be the source of the problem?
>> Microsoft Windows® 2000 operating system servers require that the 
>> client have a 128-bit (or better) SSL/TLS-encrypted connection to the 
>> DC in order to modify this attribute. (unicodePwd)
> If yes, couldn't we try to perform the password set directly on the 
> entry-add operation?
> Matthias
> Andrew Bartlett wrote:
>> On Tue, 2011-11-08 at 13:10 -0500, Dave Hawkes wrote:
>>> Hi,
>>> Does anyone know if there is any progress on fixing the issues 
>>> mentioned
>>> in this post relating to joining an existing w2k ad domain?
>>> I did a quick scan in the repository and could not find anything that
>>> specifically addressed this.
>> I'm sorry, I never got a chance to fix that, and it got caught up in the
>> run-up to our annual event with Microsoft, where we were working on
>> multi-domain support.
>> The tasks to fix this (in case someone else wishes to take this on) are:
>>   - sort out the fetching of the error code (probably per the patch)
>>   - use SAMR to set the password on the account if we cannot set it over
>> LDAP (ie, catch the exception and retry with samr using the python
>> bindings).
>> Andrew Bartlett
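
An added sketch of the fallback outlined in the task list above (not code from the thread or from Samba): attempt the `unicodePwd` set over LDAP only when the connection meets the quoted 128-bit requirement, and retry over SAMR otherwise. The two transport callables, `LdapPasswordError` and the `key_bits` parameter are hypothetical stand-ins for the real bindings.

```python
# Added illustration; the transport callables and LdapPasswordError are
# hypothetical stand-ins, not Samba's Python bindings.

MIN_W2K_KEY_BITS = 128  # constraint quoted in the thread for Windows 2000 DCs


class LdapPasswordError(Exception):
    """Hypothetical error raised when the DC refuses the LDAP password set."""


def encode_unicode_pwd(password):
    """unicodePwd wire value: the password in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def set_account_password(password, key_bits, ldap_set, samr_set):
    """Try unicodePwd over LDAP, retry over SAMR if that is not possible.

    key_bits -- negotiated encryption strength of the LDAP connection
    ldap_set -- callable(bytes) that writes unicodePwd (hypothetical)
    samr_set -- callable(str) that sets the password via SAMR (hypothetical)
    Returns the name of the transport that succeeded.
    """
    if key_bits >= MIN_W2K_KEY_BITS:
        try:
            ldap_set(encode_unicode_pwd(password))
            return "ldap"
        except LdapPasswordError:
            pass  # fall through to SAMR, as proposed in the task list
    # Connection too weak for the LDAP path, or the DC refused it.
    samr_set(password)
    return "samr"


if __name__ == "__main__":
    # Constructed stand-ins: an LDAP path that always refuses, a SAMR path that logs.
    def refusing_ldap(value):
        raise LdapPasswordError("constructed refusal")

    def logging_samr(password):
        print("SAMR set called")

    print(set_account_password("Constructed-Pw1", 128, refusing_ldap, logging_samr))
```

Checking the connection strength before the LDAP attempt keeps the password off a connection the DC would reject anyway.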
