[Samba] BindDN and password for Active Directory

Andrew Morgan morgan at orst.edu
Thu Apr 26 16:46:00 GMT 2007

On Thu, 26 Apr 2007, Stellwag, Philippe wrote:

> Hello @ll,
> I have a general question to Active Directory (AD), not directly
> concerning samba, but I think the experts of this list know the answer.
> At my scope: I'm using a Windows XP PC which is logged on using
> Microsoft AD domain and Kerberos (normal procedure). I want to find out
> the BindDN and - if possible the appropriate password - for using it for
> a query with the Linux tool "ldapsearch". The problem is that I haven't
> an admin-access to AD-server.
> (1) Where are BindDN (and password) saved (e.g. Windows registry)?

If you can view your AD domain using the Active Directory Users and 
Computers MMC snap-in (you don't need admin access for this), then you can 
determine the DN of a user.  Find the user and the container (OU) it is 
located in.  The DN will be of the form:


> (2) Which encryption (e.g. none, SSL, TLS) is used by microsoft for the
> AD-queries (standard Windows login over an AD-domain)?

AD domain controllers listen on the standard LDAPS port (636) and will 
only accept binds on that port.  You cannot bind as a user on port 389.  I 
don't think they support TLS on port 389, but I have no tried in a long 

> (3) Can I use Ethereal for grep this information? If the answer is
> "YES", what to do, to force Windows execute an login situation (e.g.
> program -> execute as ...)?

Windows AD clients will use Kerberos to authenticate, not LDAP, so you 
won't be able to capture the information you need that way.


More information about the samba mailing list