[Samba] Creating domain users in AD from Linux
list2 at chromaticharp.com
Fri Aug 20 09:24:33 GMT 2004
Here are my findings. Keywords for Google and for those who, like me,
did not find useful references: create user domain ldap active
directory ad linux rpcclient net ads rpc account enable enabled login
Background: we're migrating users from AD to OpenLDAP; for a period
the two have to coexist, because AD authenticates logins and OpenLDAP
authenticates mail. My aim is to provide a single user
creation/password setting interface for both in the form of a CGI.
This rules out using Windows GUI tools.
The problem was creating a user from Linux. `net ads user add'
wouldn't work; then I tried `net rpc user add' (thanks to Andrew
Bartlett for suggesting it) and it worked.
$ net rpc user add foobar -S pdcname -Uadmin%adminpassword
Two things left: password and (as I discovered later)
`net rpc password' did not work, `net ads password' did (go figure).
$ net ads password foobar secret -S pdcname -Uadminname%adminpassword
Also doing that with ldapmodify works:
$ cat >changepwd.ldif
$ cleartext2unicodepwd secret >>changepwd.ldif
$ cat changepwd.ldif
$ kinit adminname
Password for adminname@SITE.COM:
$ ldapmodify -H ldap://activedirectory.site.com -D \
cn=adminname,cn=users,dc=site,dc=com -f changepwd.ldif
`kinit adminname' was necessary because otherwise AD won't let you set
the password over an unencrypted channel. Another option is LDAP over
SSL, if you can get it to work (we couldn't).
For the cleartext2unicodepwd script, see below.
Last thing, userAccountControl. This attribute is a mask with the
following possible values:
ADS_UF_ACCOUNTDISABLE = 0x0002 Disable user account
ADS_UF_PASSWD_NOTREQD = 0x0020 No password is required
ADS_UF_NORMAL_ACCOUNT = 0x0200 Typical user account
The previously created user got a value of `546' (i.e. 0x0222). I set
it to `512' (0x0200):
$ cat >uac.ldif
...ldapmodify as above.
Done. Last thing to understand will be why users created with Windows
tools get a userAccountControl value of 66048, but things work nicely
This is the `cleartext2unicodepwd' script:
def cleartext2unicode(cleartextpwd)
  quotepwd = '"' + cleartextpwd + '"'                  # AD wants the password in double quotes
  unicodepwd = quotepwd.split('').join("\0") + "\0"    # ASCII -> UTF-16LE (NUL after each byte)
  [unicodepwd].pack('m0')                              # base64, as `unicodePwd::' requires in LDIF
end
if ARGV.length == 1
  cleartextpwd = ARGV.shift
  puts "unicodePwd::" + cleartext2unicode(cleartextpwd)
end