Joining W2k AD domain
daveh at cadlink.com
Wed Nov 9 08:38:33 MST 2011
Thanks for looking at this. I have some aging w2k authentication servers
I'm looking at replacing, so I'll give it a try again if the password
issue looks resolved at some point.
On 09/11/2011 4:15 AM, Matthias Dieter Wallnöfer wrote:
> Hi Dave & Andrew,
> I have found a fix for your first issue. The error information level
> has not been checked at all so the wrong information fields have been
> accessed if we were on level 2:
> The second issue seems strange since also Windows 2000 should support
> password sets over the "unicodePwd" attribute. The syntax should be
> okay (the "sambd.setpassword" call) since we have performed various
> tests against Windows Server (2003, 2008, 2008R2). Here is a link to the
> MS-ADTS guide describing this circumstance:
> Might the following constraint be the source of the problem?
>> Microsoft Windows® 2000 operating system servers require that the
>> client have a 128-bit (or better) SSL/TLS-encrypted connection to the
>> in order to modify this attribute. (unicodePwd)
> If yes, couldn't we try to perform the password set directly on the
> entry-add operation?
> Andrew Bartlett wrote:
>> On Tue, 2011-11-08 at 13:10 -0500, Dave Hawkes wrote:
>>> Does anyone know if there is any progress on fixing the issues
>>> in this post relating to joining an existing w2k ad domain?
>>> I did a quick scan in the repository and could not find anything that
>>> specifically addressed this.
>> I'm sorry, I never got a chance to fix that, and it got caught up in the
>> run-up to our annual event with Microsoft, where we were working on
>> multi-domain support.
>> The tasks to fix this (in case someone else wishes to take this on) are:
>> - sort out the fetching of the error code (probably per the patch)
>> - use SAMR to set the password on the account if we cannot set it over
>> LDAP (ie, catch the exception and retry with samr using the python
>> Andrew Bartlett
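
The fallback Andrew outlines above (set the password over LDAP via unicodePwd, catch the failure, retry over SAMR), as an added example that is not Samba's code or part of the original thread. `ldap_set`, `samr_set`, `LdapPasswordError` and `tls_key_bits` are hypothetical stand-ins for real transport calls, and the 128-bit gate models the Windows 2000 constraint quoted in the thread.

```python
class LdapPasswordError(Exception):
    """Hypothetical: raised by the LDAP transport when the DC rejects the modify."""


def encode_unicode_pwd(password: str) -> bytes:
    # unicodePwd expects the password wrapped in double quotes, encoded as UTF-16LE.
    return ('"' + password + '"').encode("utf-16-le")


def set_account_password(password, ldap_set, samr_set, tls_key_bits):
    """Set a machine account password, preferring LDAP and falling back to SAMR.

    ldap_set(value: bytes) -- hypothetical callable doing the unicodePwd modify
    samr_set(password: str) -- hypothetical callable doing the SAMR password set
    tls_key_bits            -- negotiated cipher strength on the LDAP link, 0 if none

    Returns "ldap" or "samr" so the caller can log which path was used
    (log the path only, never the password or the encoded value).
    """
    # Per the constraint quoted in the thread, a Windows 2000 DC only accepts
    # unicodePwd over a 128-bit (or better) SSL/TLS connection. Skipping LDAP
    # below that strength also keeps the password off a weak channel.
    if tls_key_bits >= 128:
        try:
            ldap_set(encode_unicode_pwd(password))
            return "ldap"
        except LdapPasswordError:
            # The DC refused the modify: fall through and retry over SAMR.
            pass
    samr_set(password)
    return "samr"


if __name__ == "__main__":
    # Constructed stand-in for a DC that refuses the LDAP password modify.
    def refusing_ldap(value):
        raise LdapPasswordError("modify of unicodePwd refused")

    def fake_samr(password):
        pass  # a real join would issue the SAMR call here

    print(set_account_password("Constructed-Pw1", refusing_ldap, fake_samr, 256))
```

Any exception other than `LdapPasswordError` propagates unchanged, so a connection failure is not silently masked by the SAMR retry.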