[Samba] Creating domain users in AD from Linux

Massimiliano Mirra list2 at chromaticharp.com
Fri Aug 20 09:24:33 GMT 2004


Here are my findings.  Keywords for Google and for those who, like me,
did not find useful references: create user domain ldap active
directory ad linux rpcclient net ads rpc account enable enabled login
bind.

Background: we're migrating users from AD to OpenLDAP; for a period
the two have to coexist, because AD authenticates logins, OpenLDAP
authenticates mail.  My aim is to provide a single user
creation/password setting interface for both in the form of a CGI.
This rules out using Windows GUI tools.

The problem was creating a user from Linux.  `net ads user add'
wouldn't work, then I tried `net rpc user add' (thanks to Andrew
Bartlett for suggesting it) and it worked.

    $ net rpc user add foobar -S pdcname -Uadmin%adminpassword

Two things left: password and (as I discovered later)
userAccountControl.

`net rpc password' did not work, `net ads password' did (go figure).

    $ net ads password foobar secret -S pdcname -Uadminname%adminpassword

Also doing that with ldapmodify works:

    $ cat >changepwd.ldif
    dn: CN=foobar,CN=Users,DC=yoursite,DC=com
    changetype: modify
    replace: unicodePwd

    $ cleartext2unicodepwd secret >>changepwd.ldif
    $ cat changepwd.ldif
    dn: CN=foobar,CN=Users,DC=yoursite,DC=com
    changetype: modify
    replace: unicodePwd
    unicodePwd::IgBzAGUAYwByAGUAdAAiAA==
    $ kinit adminname
    Password for adminname@SITE.COM: 
    $ ldapmodify -H ldap://activedirectory.site.com -D \
      cn=adminname,cn=users,dc=site,dc=com -f changepwd.ldif

`kinit adminname' was necessary because otherwise AD won't let you set
a password over an unencrypted channel.  Another option is LDAP over
SSL, if you can get it to work (we couldn't).

For the cleartext2unicodepwd script, see below.

Last thing, userAccountControl.  This attribute is a mask with the
following possible values:

    ADS_UF_ACCOUNTDISABLE = 0x0002    Disable user account
    ADS_UF_PASSWD_NOTREQD = 0x0020    No password is required
    ADS_UF_NORMAL_ACCOUNT = 0x0200    Typical user account

The previously created user got a value of `546' (i.e. 0x0222).  I set
it to `512' (0x0200):

    $ cat >uac.ldif
    dn: CN=foobar,CN=Users,DC=yoursite,DC=com
    changetype: modify
    replace: userAccountControl
    userAccountControl: 512

...ldapmodify as above.

Done.  Last thing to understand will be why users created with Windows
tools get a userAccountControl value of 66048, but things work nicely
already.

This is the `cleartext2unicodepwd' script:

#!/usr/bin/env ruby

require "base64"

# AD expects the new password wrapped in double quotes and encoded as
# UTF-16LE; the LDIF "::" form carries that value base64-encoded.
def cleartext2unicode(cleartextpwd)
  quotepwd = '"' + cleartextpwd + '"'
  # encode("UTF-16LE") interleaves the NUL bytes the original did by hand,
  # and also handles non-ASCII characters correctly.
  unicodepwd = quotepwd.encode("UTF-16LE")
  # strict_encode64 inserts no line breaks, so long passwords stay on one
  # LDIF line (encode64 would wrap every 60 characters).
  return Base64.strict_encode64(unicodepwd)
end

if ARGV.length == 1
  cleartextpwd = ARGV.shift
  puts "unicodePwd::" + cleartext2unicode(cleartextpwd)
end


Cheers
Massimiliano
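The following Ruby script is an added example, not part of the message above, that puts the two LDIF operations from the message (the unicodePwd change and the userAccountControl change) together with a decoder for the userAccountControl mask. The three flag values are the ones listed in the message; ADS_UF_DONT_EXPIRE_PASSWD (0x10000) is the standard AD flag that, combined with ADS_UF_NORMAL_ACCOUNT, gives the 66048 the message observed for users created with the Windows tools. The DN and the password "secret" are constructed sample values matching the message; the function names are the example's own.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): builds the two LDIF
# modifications described in the post and decodes userAccountControl masks.
require "base64"

# userAccountControl bits, ascending. The first three are the ones the post
# lists; ADS_UF_DONT_EXPIRE_PASSWD is the standard AD "password never
# expires" flag (0x10000 + 0x0200 = 66048, the value the post saw for
# GUI-created users).
UAC_FLAGS = {
  0x0002  => "ADS_UF_ACCOUNTDISABLE",
  0x0020  => "ADS_UF_PASSWD_NOTREQD",
  0x0200  => "ADS_UF_NORMAL_ACCOUNT",
  0x10000 => "ADS_UF_DONT_EXPIRE_PASSWD",
}.freeze

# AD wants the password in double quotes, UTF-16LE encoded; the LDIF "::"
# syntax carries it base64-encoded. strict_encode64 never wraps lines, so
# the value stays on one LDIF line whatever the password length.
def cleartext2unicode(cleartextpwd)
  utf16 = ('"' + cleartextpwd + '"').encode("UTF-16LE")
  Base64.strict_encode64(utf16.b)
end

# Names of the flags set in a userAccountControl value, lowest bit first.
def decode_uac(value)
  UAC_FLAGS.select { |bit, _| value & bit != 0 }.values
end

# The mask with the account enabled: clear ACCOUNTDISABLE and
# PASSWD_NOTREQD, make sure NORMAL_ACCOUNT is set, keep any other bits.
def enabled_uac(value)
  (value & ~(0x0002 | 0x0020)) | 0x0200
end

# LDIF for the unicodePwd replace shown in the post.
def password_ldif(dn, cleartextpwd)
  ["dn: #{dn}", "changetype: modify", "replace: unicodePwd",
   "unicodePwd:: #{cleartext2unicode(cleartextpwd)}", ""].join("\n")
end

# LDIF for the userAccountControl replace shown in the post.
def uac_ldif(dn, value)
  ["dn: #{dn}", "changetype: modify", "replace: userAccountControl",
   "userAccountControl: #{value}", ""].join("\n")
end

if __FILE__ == $0
  dn = "CN=foobar,CN=Users,DC=yoursite,DC=com"   # constructed, as in the post
  puts password_ldif(dn, "secret")
  puts uac_ldif(dn, enabled_uac(546))
  puts "546   -> #{decode_uac(546).join(' | ')}"
  puts "66048 -> #{decode_uac(66048).join(' | ')}"
end
```

Run it and feed the printed LDIF to ldapmodify after `kinit`, exactly as the message does. decode_uac(546) shows why the freshly created account could not log in: ACCOUNTDISABLE and PASSWD_NOTREQD are both set, and enabled_uac(546) returns the 512 the message wrote back.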

