[Samba] Changing active directory user password via LDAP

Tadas tadas at ring.lt
Wed Apr 30 12:30:48 MDT 2014


Hmm, you are right. This script works. Now I just have to reverse-engineer
it and find out why my command line does not work :)
Thank you for pointing this out.

-----Original Message----- 
From: Iñigo Martinez Lasala
Sent: Wednesday, April 30, 2014 7:14 PM
To: tadas at ring.lt
Cc: samba at lists.samba.org
Subject: Re: [Samba] Changing active directory user password via LDAP

Try this:
https://code.google.com/p/ad-change-pass/

It worked for us.

----- Original Message -----
From: "Tadas" <tadas at ring.lt>
To: samba at lists.samba.org
Sent: Wednesday, April 30, 2014 13:33:46
Subject: [Samba] Changing active directory user password via LDAP

Hello, lists.

I'm struggling to find out how one can change the password of an Active
Directory (based on samba4) user via LDAP.

The problem is that if I try to use the userPassword parameter:

dn: CN=John Smith,cn=Users,DC=domain,DC=com
changetype: modify
replace: userPassword
userPassword: newPassword

ldapmodify -v -c -a -f filename.ldif -H ldaps://server.domain.com -D \
administrator@domain.com -W
ldap_initialize( ldaps://server.domain.com:636/??base )

Enter LDAP Password:
replace userPassword:
        newPassword
modifying entry "CN=John Smith,cn=Users,DC=domain,DC=com"
modify complete

This seems to work, but does not affect the user in any manner. As far as I
managed to find out, userPassword is not a native Active Directory
attribute.
You must use the unicodePwd attribute instead.
But then I get to another problem:


dn: CN=John Smith,cn=Users,DC=domain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd: newPassword

ldapmodify -v -c -a -f filename.ldif -H ldaps://server.domain.com -D \
administrator@domain.com -W
ldap_initialize( ldaps://server.domain.com:636/??base )
Enter LDAP Password:
replace unicodePwd:
        newPassword
modifying entry "CN=John Smith,cn=Users,DC=domain,DC=com"
ldap_modify: Server is unwilling to perform (53)
        additional info: 00002035: setup_io: it's not allowed to set the NT hash password directly'

It seems that samba4 does not allow changing this attribute directly.
So the question would be: is it possible to change an AD user password via
LDAP, or can this only be done via samba tools and a Windows client?

Thank you.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
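
Added example (not part of the thread and not taken from the linked ad-change-pass project): Active Directory documents the unicodePwd value as the password wrapped in double quotes and encoded as UTF-16LE, which LDIF has to carry as a base64 "::" value rather than the plain text used in the LDIF above. The Python below builds that LDIF for an administrative reset and for a user's own change; it assumes the samba4 server accepts the same form over ldaps:// as Windows AD does, and the function names and the sample password are constructed for illustration.

```python
import base64
import re

# RFC 2849 SAFE-STRING: ASCII without NUL/CR/LF, not starting with space, ':' or '<'.
_SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")


def ldif_line(name, value):
    """One LDIF attribute line; bytes and unsafe strings are base64-encoded ('::')."""
    if isinstance(value, str) and _SAFE.fullmatch(value) and not value.endswith(" "):
        return f"{name}: {value}"
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"


def encode_unicode_pwd(password):
    """unicodePwd wire value: the password in double quotes, as UTF-16LE bytes."""
    return f'"{password}"'.encode("utf-16-le")


def reset_ldif(dn, new_password):
    """Administrative reset: a single 'replace' of unicodePwd."""
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: unicodePwd",
        ldif_line("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
        "",
    ])


def change_ldif(dn, old_password, new_password):
    """User's own change: delete the old value and add the new one in one modify."""
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "delete: unicodePwd",
        ldif_line("unicodePwd", encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        ldif_line("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
        "",
    ])


if __name__ == "__main__":
    # DN from the post; the password is a constructed sample value.
    print(reset_ldif("CN=John Smith,cn=Users,DC=domain,DC=com", "newPassword"))
```

The generated file holds the password in a trivially reversible encoding, so write it with owner-only permissions and delete it once ldapmodify has run.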