Joining W2k AD domain
Dave Hawkes
daveh at cadlink.com
Wed Nov 9 08:38:33 MST 2011
Hi Matthias,
Thanks for looking at this. I have some aging w2k authentication servers
I'm looking at replacing, so I'll give it a try again if the password
issue looks resolved at some point.
Dave
On 09/11/2011 4:15 AM, Matthias Dieter Wallnöfer wrote:
> Hi Dave & Andrew,
>
> I have found a fix for your first issue. The error information level
> has not been checked at all so the wrong information fields have been
> accessed if we were on level 2:
> http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=commitdiff;h=53dfb4592997e9c1fb874e77de227c34a645ac55
>
> The second issue seems strange since also Windows 2000 should support
> password sets over the "unicodePwd" attribute. The syntax should be
> okay (the "samdb.setpassword" call) since we have performed various
> tests against Windows Server (2003, 2008, 2008R2). Here is a link to the
> MS-ADTS guide describing this circumstance:
> http://msdn.microsoft.com/en-us/library/cc223248(v=PROT.10).aspx.
>
> Might the following constraint be the source of the problem?
>> Microsoft Windows® 2000 operating system servers require that the
>> client have a 128-bit (or better) SSL/TLS-encrypted connection to the
>> DC
>> <http://msdn.microsoft.com/en-us/library/b645c125-a7da-4097-84a1-2fa7cea07714%28v=PROT.10%29#domain_controller>
>> in order to modify this attribute. (unicodePwd)
> If yes, couldn't we try to perform the password set directly on the
> entry-add operation?
>
> Matthias
>
> Andrew Bartlett wrote:
>> On Tue, 2011-11-08 at 13:10 -0500, Dave Hawkes wrote:
>>> Hi,
>>>
>>> Does anyone know if there is any progress on fixing the issues
>>> mentioned
>>> in this post relating to joining an existing w2k ad domain?
>>>
>>> https://lists.samba.org/archive/samba-technical/2011-September/079244.html
>>>
>>>
>>> I did a quick scan in the repository and could not find anything that
>>> specifically addressed this.
>> I'm sorry, I never got a chance to fix that, and it got caught up in the
>> run-up to our annual event with Microsoft, where we were working on
>> multi-domain support.
>>
>> The tasks to fix this (in case someone else wishes to take this on) are:
>> - sort out the fetching of the error code (probably per the patch)
>> - use SAMR to set the password on the account if we cannot set it over
>> LDAP (ie, catch the exception and retry with samr using the python
>> bindings).
>>
>> Andrew Bartlett
>>
>
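As an added illustration of the fallback Andrew outlines (this is not Samba's own join code): the unicodePwd value is built the way MS-ADTS specifies for the attribute syntax Matthias mentions (the cleartext password enclosed in double quotes, encoded as UTF-16LE), the modify is rendered as LDIF, and if the DC refuses the LDAP modify the password is handed to a SAMR setter instead. The two setter callables, the LdapPasswordError class, the sample DN and the sample error text are assumptions standing in for the real ldb and samr calls so the block runs offline.

```python
"""Set an AD account password: unicodePwd over LDAP first, SAMR on failure.

Added example for the samba-technical thread above; not Samba's join code.
The LDAP and SAMR transports are passed in as callables (assumed here) so
the control flow can be exercised without a domain controller.
"""
import base64
from dataclasses import dataclass
from typing import Callable, Optional


class LdapPasswordError(Exception):
    """Hypothetical error raised by the LDAP setter when the DC refuses the
    unicodePwd modify (e.g. a Windows 2000 DC that insists on a 128-bit
    SSL/TLS-encrypted connection for this attribute, per MS-ADTS)."""


def encode_unicode_pwd(password: str) -> bytes:
    """Return the on-the-wire unicodePwd value.

    MS-ADTS requires the cleartext password, wrapped in double quotes,
    encoded as UTF-16 little-endian.  A plain UTF-8 value is rejected by
    the DC, which is the first thing to check when a password set fails.
    """
    return ('"' + password + '"').encode("utf-16-le")


def unicode_pwd_ldif(dn: str, password: str) -> str:
    """Build the LDIF for an administrative password reset (replace).

    The value is binary, so it is base64-encoded with the '::' separator.
    """
    value = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {value}\n"
    )


@dataclass
class PasswordSetResult:
    transport: str              # "ldap" or "samr"
    ldap_error: Optional[str]   # error text from the failed LDAP attempt


def set_account_password(
    dn: str,
    password: str,
    ldap_set: Callable[[str], None],
    samr_set: Callable[[str], None],
) -> PasswordSetResult:
    """Try the LDAP unicodePwd modify; if the DC refuses it, fall back to
    SAMR.  Only the LDAP-specific error is caught so that unrelated
    failures (network, authentication) still surface to the caller."""
    try:
        ldap_set(unicode_pwd_ldif(dn, password))
        return PasswordSetResult("ldap", None)
    except LdapPasswordError as exc:
        ldap_error = str(exc)
    # Fallback path: the SAMR setter receives the cleartext password and is
    # expected to do its own RPC-level encryption (samr_set is assumed).
    samr_set(password)
    return PasswordSetResult("samr", ldap_error)


if __name__ == "__main__":
    # Constructed scenario: a DC that refuses the LDAP modify.
    sample_dn = "CN=member$,CN=Computers,DC=example,DC=com"  # assumed DN

    def refusing_ldap(ldif: str) -> None:
        raise LdapPasswordError("unwillingToPerform (constructed sample)")

    samr_calls = []
    result = set_account_password(sample_dn, "Passw0rd!", refusing_ldap,
                                  samr_calls.append)
    print(result.transport, result.ldap_error, samr_calls)
```

In the real join the LDAP attempt would be the existing samdb.setpassword call and the SAMR attempt a SetUserInfo over the samr Python bindings; the point of the structure above is that only the password-specific LDAP failure triggers the retry, and the reason for the fallback is kept for the log.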