[Samba] sambar4: user creation with ldap and initial password
Thomas Mueller
thomas at chaschperli.ch
Mon Nov 5 01:43:09 MST 2012
Am 05.11.2012 08:28, schrieb Andrew Bartlett:
> On Mon, 2012-11-05 at 08:18 +0100, Thomas Mueller wrote:
>> Am 05.11.2012 04:31, schrieb Andrew Bartlett:
>>> On Thu, 2012-11-01 at 12:44 +0000, Thomas Mueller wrote:
>>>> hi
>>>>
>>>> trying to create a user with ldap from a remote server. The user is
>>>> created successfully. I'm failing setting the initial password.
>>>>
>>>> Setting the unicodePwd with kerberos administrator credentials with
>>>> ldbmodify and the ldif below results in "00002035: setup_io: it's not
>>>> allowed to set the NT hash password directly".
>>>>
>>>> searching the web I've found s4 mailinglist entries telling "do not set
>>>> unicodePwd with ldap". this KB article tells in AD it's possible to set
>>>> it: http://support.microsoft.com/kb/263991/en-us
>>>>
>>>> Is there a supported method to supply the initial user password with s4
>>>> and ldap?
>>>>
>>>> - Thomas
>>>>
>>>> LDIF:
>>>> dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
>>>> changetype: modify
>>>> replace: unicodePwd
>>>> unicodePwd:: $IlRlc3QxMjMtLSIK
>>> To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.
>> i was using the following command to address this utf16-le requirement:
>>
>> echo \"PASSWORD\" | iconv -t UTF16LE | base64
> Either way, the base64 string just doesn't look long enough for that.
>
> This seems closer:
> //4iAFQAZQBzAHQAMQAyADMALQAtACIA
>
>>> See however the userPassword, which is a normal, utf8 unquoted string
>>> (ie, sane :-)
>> Just tried it. Problems:
>>
>> 1) the userPassword attribute is plaintext readable with ldap afterwards
>> 2) the kerberos password is not set ("kinit user" fails)
> You may not have the userPassword feature enabled. It's odd that we let
> it stick in ldap however - can you confirm exactly what AD does here, so
> I can match it?
I do not have a AD available today , i'll try tomorrow. i've found this
about the userPassword attribute on msdn:
http://msdn.microsoft.com/en-us/library/cc223249(prot.20).aspx
<http://msdn.microsoft.com/en-us/library/cc223249%28prot.20%29.aspx>
searching the sourcecode about userPassword i've found this comment in
password_hash.c:
* Notice: unlike the real AD which only supports the UTF16 special based
* 'unicodePwd' and the UTF8 based 'userPassword' plaintext attribute we
* understand also a UTF16 based 'clearTextPassword' one.
* The latter is also accessible through LDAP so it can also be set by
external
* tools and scripts. But be aware that this isn't portable on non
SAMBA 4 ADs!
"The latter is also accessible through LDAP" implies that unicodePwd and
userPassword aren't.
- Thomas
More information about the samba
mailing list