[Samba] heimdal and windows compatibility up-to-date informations
Guillaume.Rousse at inria.fr
Wed Oct 8 10:54:48 GMT 2008
I'm back on this old question, because I'm now really working on it.
Andrew Bartlett wrote:
>> Second, I was looking at better way to sync users accounts between our
>> new ldap-backed heimdal kdc and our windows AD. Currently, we have an
>> automated task synchronising user entries into Windows LDAP from our
>> Unix LDAP hourly, and a password-management CGI propagating password
>> changes to both systems (using an ugly VB CGI on windows side to
>> effectively change the password). I was wondering if the password
>> handling stuff could be merged with the ldap synchronisation task, now
>> we store kerberos keys in LDAP.
> Windows does not allow the password attributes to be manipulated like
> that. You could potentially read and set passwords with Samba4's
> DRSUAPI synchronisation, but you can't do it with just Heimdal or just
I succeeded in setting or changing the unicodePwd attribute in AD through a
pure LDAP operation. It allows me to pass authentication when trying to
open a remote desktop session (which immediately fails for an authorization
issue). But I guess it isn't enough to handle the kerberos part of AD.
From http://wiki.samba.org/index.php/Samba4/ActiveDirectory#DRSUAPI, it
seems that this API is far from being usable now.
>> As I doubt from your answer it's not, I'm still interested in the best
>> way to handle AD user accounts remotely, without a local windows code
>> relay. Is there any issue directly modifying the AD base through an LDAP
>> connection? My windows colleague currently prefers to dump LDIF entries,
>> and import them through a windows-specific tool. And how to set a windows
>> password from perl code? I'm currently biased toward using an external
>> smbpassword call, but maybe there are better ways.
> You could certainly run Samba tools to set the user's password, if you
Well, smbpassword (from samba 3) allows a user to change his own password,
provided he knows the current one. But from the man page, it seems
impossible to use it with a privileged account (member of the account
operators group) to change someone else's password against an AD controller.
So, am I missing something if I use an LDAP operation to at least set up an
initial password for the user, then have him use smbpassword to make it
fully operational?
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
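One way to build the LDIF for the pure-LDAP password handling discussed in this message (an administrative reset of unicodePwd, and the delete/add form a user would use to change a password he already knows), as an added example that is not code from the thread; the DN and passwords are constructed sample values.

```python
import base64

# Added example, not from the original thread: it builds the LDIF that an
# ldapmodify/ldifde import would consume to reset or change an AD password
# through the unicodePwd attribute. AD only accepts unicodePwd writes over an
# encrypted connection (LDAPS or StartTLS) and answers unwillingToPerform
# otherwise. The DNs and passwords used here are constructed sample values.

def encode_unicode_pwd(password: str) -> bytes:
    """AD wants the password wrapped in double quotes, UTF-16LE, no BOM."""
    return f'"{password}"'.encode("utf-16-le")

def _b64_attr(name: str, value: bytes) -> str:
    # LDIF marks base64-encoded (binary) values with a double colon.
    return f"{name}:: {base64.b64encode(value).decode('ascii')}"

def password_reset_ldif(user_dn: str, new_password: str,
                        must_change: bool = False) -> str:
    """Administrative reset: one 'replace'. Needs the Reset Password right on
    the user (e.g. Account Operators); the old password is not checked.
    must_change=True also zeroes pwdLastSet, forcing a change at next logon."""
    lines = [f"dn: {user_dn}", "changetype: modify",
             "replace: unicodePwd",
             _b64_attr("unicodePwd", encode_unicode_pwd(new_password)), "-"]
    if must_change:
        lines += ["replace: pwdLastSet", "pwdLastSet: 0", "-"]
    return "\n".join(lines) + "\n"

def password_change_ldif(user_dn: str, old_password: str,
                         new_password: str) -> str:
    """Self-service change: delete the old value and add the new one in the
    same modify. AD checks the deleted value against the current password and
    applies the password policy, so this works without the reset right."""
    lines = [f"dn: {user_dn}", "changetype: modify",
             "delete: unicodePwd",
             _b64_attr("unicodePwd", encode_unicode_pwd(old_password)), "-",
             "add: unicodePwd",
             _b64_attr("unicodePwd", encode_unicode_pwd(new_password)), "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    dn = "CN=Jane Doe,OU=Users,DC=example,DC=org"  # constructed sample DN
    print(password_reset_ldif(dn, "Initial-Pass-2008", must_change=True))
    print(password_change_ldif(dn, "Initial-Pass-2008", "Chosen-By-User-1"))
```

The output can be fed to `ldapmodify -H ldaps://dc.example.org ...` (hostname is a placeholder); over plain ldap:// the domain controller refuses the unicodePwd write.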