[Samba] sambar4: user creation with ldap and initial password
Thomas Mueller
thomas at chaschperli.ch
Mon Nov 5 00:18:06 MST 2012
Am 05.11.2012 04:31, schrieb Andrew Bartlett:
> On Thu, 2012-11-01 at 12:44 +0000, Thomas Mueller wrote:
>> hi
>>
>> trying to create a user with ldap from a remote server. The user is
>> created successfully. I'm failing setting the initial password.
>>
>> Setting the unicodePwd with kerberos administrator credentials with
>> ldbmodify and the ldif below results in "00002035: setup_io: it's not
>> allowed to set the NT hash password directly".
>>
>> searching the web I've found s4 mailinglist entries telling "do not set
>> unicodePwd with ldap". this KB article tells in AD it's possible to set
>> it: http://support.microsoft.com/kb/263991/en-us
>>
>> Is there a supported method to supply the initial user password with s4
>> and ldap?
>>
>> - Thomas
>>
>> LDIF:
>> dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
>> changetype: modify
>> replace: unicodePwd
>> unicodePwd:: $IlRlc3QxMjMtLSIK
> To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.
i was using the following command to address this utf16-le requirement:
echo \"PASSWORD\" | iconv -t UTF16LE | base64
> See however the userPassword, which is a normal, utf8 unquoted string
> (ie, sane :-)
Just tried it. Problems:
1) the userPassword attribute is plaintext readable with ldap afterwards
2) the kerberos password is not set ("kinit user" fails)
- Thomas
More information about the samba
mailing list