[Samba] Setting AD password from Linux

Andrew Bartlett abartlet at samba.org
Wed Aug 18 23:10:04 GMT 2004


On Thu, 2004-08-19 at 07:01, Massimiliano Mirra wrote:
> I'm migrating an AD service over to OpenLDAP.  There will be a
> transitional period where logins will still be served by AD, but
> address book/mail/etc. will be authenticated against OpenLDAP, so I'd
> like to provide the AD admins with a way of creating users in OpenLDAP
> and having the change replicated in AD (most likely a web interface).
> 
> All goes well for putting user data in AD.  Not as well for activating
> login for the user.
> 
> I've tried the following ways: 1) creating an AD LDAP record that
> closely matched the existing ones, and setting the password via
> ldapmodify.  User can't bind to AD nor to the DC via rpcclient.  2)
> creating a user via rpcclient's createdomuser.  Problem: how should
> the password be set?  

Try these with 'net rpc user' and 'net rpc password'. 

> I tried with net ads password, which reported
> success, but logging via rpcclient to DC with password failed while
> logging without succeeded.  3) I tried using net ads user add, getting
> only `Server unwilling to perform'.
> 
> I suspect the problem lies in AD not creating the kerberos principal
> in either of these cases; even after setting password through LDAP,
> when requesting a ticket, kinit's response is: kinit (v5): Clients
> credentials have been revoked while getting initial credentials.  The
> password changing mechanism works for existing users created on AD.
> Or maybe the machine from where user creation requests originate must
> have joined the AD domain?  (In which case: do smbd and/or nmbd have
> to run as well?)
> 
> It is not a show-stopping problem (I can always have the AD users to
> first create a user in AD, grab it with some script and copy it over
> to OpenLDAP, where attributes relevant to mail, groupware and such are
> added).  I'd like to sort this out, though.

Another option might be to setup OpenLDAP to take simple binds, and
PLAIN SASL binds, and have them redirected to pam_winbind, which can
authenticate against AD.  (Ok, that's quite a bit of config, but it
should work...)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
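The pass-through setup Andrew sketches (OpenLDAP accepting simple and PLAIN SASL binds and handing the password check to saslauthd, PAM and pam_winbind), written out as an added example; it is not from this thread or from the Samba project, and the realm EXAMPLE.COM, the base DN, the file paths and the saslauthd socket path are assumptions:

```conf
# --- /etc/openldap/slapd.conf (fragment; paths are assumed) ---
# Entries whose userPassword is a {SASL} reference are never checked
# locally: slapd passes the cleartext bind password to Cyrus SASL.
sasl-host       localhost
sasl-realm      EXAMPLE.COM
# minssf=0 is what lets the PLAIN mechanism be offered at all;
# noanonymous keeps anonymous SASL binds out.
sasl-secprops   minssf=0,noanonymous
# Require TLS (ssf 128) before any cleartext simple bind is accepted,
# so passwords destined for AD never cross the wire unencrypted.
security        simple_bind=128

# Constructed user entry under the suffix. No password hash is stored;
# the value names the SASL identity that saslauthd must verify.
# dn: uid=alice,ou=People,dc=example,dc=com
# userPassword: {SASL}alice@EXAMPLE.COM

# --- /etc/sasl2/slapd.conf (Cyrus SASL config for the slapd application) ---
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- saslauthd is started with the PAM backend:  saslauthd -a pam ---
# The PAM service name it consults is slapd's SASL application name, "ldap".

# --- /etc/pam.d/ldap ---
# pam_winbind forwards the check to winbindd, so the host must be joined
# to the AD domain (net ads join) and winbindd must be running; smbd and
# nmbd are not needed for this path.
auth     required   pam_winbind.so
account  required   pam_winbind.so

# --- Checks, run on the OpenLDAP host (constructed) ---
# 1. saslauthd + PAM + winbind alone, before involving slapd:
#      testsaslauthd -u alice -r EXAMPLE.COM -p 'the-AD-password'
# 2. The full path through slapd over TLS:
#      ldapwhoami -x -ZZ -D uid=alice,ou=People,dc=example,dc=com -W
```

If step 1 succeeds and step 2 fails, the fault is in the slapd or Cyrus SASL layer rather than in the AD side.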