[Samba] Setting AD password from Linux

Massimiliano Mirra list2 at chromaticharp.com
Wed Aug 18 21:01:35 GMT 2004


I'm migrating an AD service over to OpenLDAP.  There will be a
transitional period where logins will still be served by AD, but
address book/mail/etc. will be authenticated against OpenLDAP, so I'd
like to provide the AD admins with a way of creating users in OpenLDAP
and having the change replicated in AD (most likely a web interface).

All goes well for putting user data in AD.  Not as well for activating
login for the user.

I've tried the following ways: 1) creating an AD LDAP record that
closely matched the existing ones, and setting the password via
ldapmodify.  User can't bind to AD nor to the DC via rpcclient.  2)
creating a user via rpcclient's createdomuser.  Problem: how should
the password be set?  I tried with net ads password, which reported
success, but logging via rpcclient to DC with password failed while
logging without succeeded.  3) I tried using net ads user add, getting
only `Server unwilling to perform'.

I suspect the problem lies in AD not creating the kerberos principal
in any of these cases; even after setting password through LDAP,
when requesting a ticket, kinit's response is: kinit (v5): Clients
credentials have been revoked while getting initial credentials.  The
password changing mechanism works for existing users created on AD.
Or maybe the machine from where user creation requests originate must
have joined the AD domain?  (In which case: do smbd and/or nmbd have
to run as well?)

It is not a show-stopping problem (I can always have the AD users
first create a user in AD, grab it with some script and copy it over
to OpenLDAP, where attributes relevant to mail, groupware and such are
added).  I'd like to sort this out, though.

Thanks for any insight.

Massimiliano
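Added example (not part of the original post or of any Samba tool): the LDAP-side rules that an AD domain controller enforces when a password is written with ldapmodify, as in the poster's first approach. AD accepts a password only in the unicodePwd attribute, as the password wrapped in double quotes and encoded UTF-16LE, and only over an encrypted connection (a write over plain ldap:// is refused with "unwilling to perform"). A user object created over LDAP without an explicit userAccountControl gets 546, which includes the ACCOUNTDISABLE bit, and a disabled account is exactly what the KDC reports as revoked client credentials. The script below builds the unicodePwd value and a two-step LDIF (add the user with its password, then clear the disable bit). The DN, account names and password are constructed placeholders.

```python
import base64

# userAccountControl flag bits documented by Microsoft for AD user objects.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200

# Value AD assigns to a user object created over LDAP without an explicit
# userAccountControl: NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE = 546.
DEFAULT_NEW_USER_UAC = NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts a unicodePwd write only as '"<password>"' in UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def unicode_pwd_ldif_line(password: str) -> str:
    """LDIF carries binary attribute values as 'attr:: <base64>'."""
    b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "unicodePwd:: " + b64


def is_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set (KDC refuses tickets)."""
    return bool(uac & ACCOUNTDISABLE)


def enabled_uac(uac: int) -> int:
    """Clear the disable and password-not-required bits, keep the rest."""
    return uac & ~(ACCOUNTDISABLE | PASSWD_NOTREQD)


def build_add_ldif(dn: str, sam_account_name: str, upn: str, password: str) -> str:
    """Step 1: create the user and set its password in the same add operation.
    userAccountControl is left to the AD default (546), so the account starts
    disabled until step 2 runs."""
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: user",
        f"sAMAccountName: {sam_account_name}",
        f"userPrincipalName: {upn}",
        unicode_pwd_ldif_line(password),
    ]
    return "\n".join(lines) + "\n"


def build_enable_ldif(dn: str, current_uac: int) -> str:
    """Step 2: replace userAccountControl with the enabled value."""
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: userAccountControl",
        f"userAccountControl: {enabled_uac(current_uac)}",
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed placeholder values; replace with real DN and names.
    dn = "cn=Example User,cn=Users,dc=example,dc=com"
    print(build_add_ldif(dn, "exuser", "exuser@example.com", "Constructed-P4ss!"))
    print(build_enable_ldif(dn, DEFAULT_NEW_USER_UAC))
```

Write each LDIF to a file and feed it to `ldapmodify -H ldaps://<dc-hostname>/` (hostname assumed) as a bind identity allowed to reset passwords; `ldapsearch` on userAccountControl afterwards confirms the ACCOUNTDISABLE bit is clear before trying kinit. The password must also satisfy the domain's password policy or the add is rejected.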