[Samba] Changing active directory user password via LDAP

Tadas tadas at ring.lt
Wed Apr 30 05:33:46 MDT 2014


Hello, lists.

I'm struggling to find out how one can change the password of an Active
Directory (Samba4-based) user via LDAP.

The problem is that if I try to use userPassword parameter:

dn: CN=John Smith,cn=Users,DC=domain,DC=com
changetype: modify
replace: userPassword
userPassword: newPassword

ldapmodify -v -c -a -f filename.ldif -H ldaps://server.domain.com -D \
administrator@domain.com -W
ldap_initialize( ldaps://server.domain.com:636/??base )

Enter LDAP Password: 
replace userPassword:
        newPassword
modifying entry "CN=John Smith,cn=Users,DC=domain,DC=com"
modify complete

This seems to work, but does not affect the user in any way. As far as I
managed to find out, userPassword is not a native Active Directory
attribute; you must use the unicodePwd attribute instead.
But then I get to another problem:


dn: CN=John Smith,cn=Users,DC=domain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd: newPassword

ldapmodify -v -c -a -f filename.ldif -H ldaps://server.domain.com -D \
administrator@domain.com -W
ldap_initialize( ldaps://server.domain.com:636/??base )
Enter LDAP Password: 
replace unicodePwd:
        newPassword
modifying entry "CN=John Smith,cn=Users,DC=domain,DC=com"
ldap_modify: Server is unwilling to perform (53)
        additional info: 00002035: setup_io: it's not allowed to set the
NT hash password directly

It seems that Samba4 does not allow changing this attribute directly.
So the question would be: is it possible to change an AD user password via
LDAP, or can this only be done via Samba tools and a Windows client?

Thank you.
-- 
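An added example, not from the original post and not Samba's own code, showing the form in which Active Directory and Samba 4 accept a unicodePwd modification: the new password wrapped in double quotes, encoded as UTF-16LE, and (because the value is binary) written in LDIF with the base64 `::` syntax, over an encrypted LDAPS/TLS connection. The plain ASCII `unicodePwd: newPassword` in the post is not in this form. The DN and password are the constructed values from the post.

```python
import base64

# Active Directory and Samba 4 accept a password change through LDAP only via the
# unicodePwd attribute, whose value is the new password wrapped in double quotes
# and encoded as UTF-16LE, sent over an encrypted (LDAPS/TLS) connection.


def encode_unicode_pwd(password: str) -> bytes:
    """Return the binary unicodePwd value for a clear-text password."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; used to sanity-check what was produced."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted UTF-16LE string")
    return text[1:-1]


def ldif_attr_line(attr: str, raw: bytes) -> str:
    """LDIF syntax for a binary value: 'attr:: <base64>'."""
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def build_admin_reset_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: a single 'replace' of unicodePwd, performed while
    bound as an account permitted to reset passwords (as in the post)."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        ldif_attr_line("unicodePwd", encode_unicode_pwd(new_password)),
        "",
    ])


def build_self_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Self-service change: delete the old value and add the new one in a single
    modify, which is how a user bound as themselves changes their own password."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        ldif_attr_line("unicodePwd", encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        ldif_attr_line("unicodePwd", encode_unicode_pwd(new_password)),
        "",
    ])


if __name__ == "__main__":
    # Constructed values taken from the post; not a real directory.
    dn = "CN=John Smith,cn=Users,DC=domain,DC=com"
    print(build_admin_reset_ldif(dn, "newPassword"))
```

The generated LDIF is fed to the same `ldapmodify -H ldaps://server.domain.com -D administrator@domain.com -W -f filename.ldif` invocation used in the post; the `ldaps://` scheme matters, since both AD and Samba refuse unicodePwd writes over an unencrypted connection, and the server never stores the clear-text value, only the hashes it derives from it.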