[Samba] Changing active directory user password via LDAP

Andrew Bartlett abartlet at samba.org
Wed Apr 30 21:00:02 MDT 2014


On Wed, 2014-04-30 at 14:33 +0300, Tadas wrote:
> Hello, lists.
> 
> I'm struggling to find out how one can change the password of an Active
> Directory (based on samba4) user via LDAP.
> 
> The problem is that if I try to use the userPassword parameter:
> 
> dn: CN=John Smith,cn=Users,DC=domain,DC=com
> changetype: modify
> replace: userPassword
> userPassword: newPassword
> 
> ldapmodify -v -c -a -f filename.ldif -H ldaps://server.domain.com -D \
> administrator@domain.com -W
> ldap_initialize( ldaps://server.domain.com:636/??base )
> 
> Enter LDAP Password: 
> replace userPassword:
>         newPassword
> modifying entry "CN=John Smith,cn=Users,DC=domain,DC=com"
> modify complete
> 
> This seems to work, but does not affect the user in any manner. As far as I
> managed to find out, userPassword is not a native Active Directory
> attribute.
> You must use the unicodePwd attribute instead.
> But then I get to another problem:
> 
> 
> dn: CN=John Smith,cn=Users,DC=domain,DC=com
> changetype: modify
> replace: unicodePwd
> unicodePwd: newPassword
> 
> ldapmodify -v -c -a -f filename.ldif -H ldaps://server.domain.com -D \
> administrator@domain.com -W
> ldap_initialize( ldaps://server.domain.com:636/??base )
> Enter LDAP Password: 
> replace unicodePwd:
>         newPassword
> modifying entry "CN=John Smith,cn=Users,DC=domain,DC=com"
> ldap_modify: Server is unwilling to perform (53)
>         additional info: 00002035: setup_io: it's not allowed to set the
> NT hash password directly'
> 
> It seems that samba4 does not allow changing this attribute directly.
> So the question would be: is it possible to change an AD user's password via
> LDAP, or can this only be done via samba tools and a Windows client?

unicodePwd has to be set as a UTF-16 string surrounded by a UTF-16
" (yes really!) value on each side.  

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
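
The encoding described in the reply above, as an added example that is not part of the original thread: it builds the quoted UTF-16 value and writes it into LDIF for the same `ldapmodify` call. The function names are hypothetical; it assumes little-endian UTF-16 without a byte-order mark, and uses the LDIF `::` (base64) form because the encoded value contains NUL bytes.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """Wrap the password in double quotes, then encode as UTF-16LE (assumed: no BOM)."""
    # Python's plain "utf-16" codec prepends a BOM, so the byte order is named explicitly.
    return ('"' + password + '"').encode("utf-16-le")


def _is_safe_string(value: bytes) -> bool:
    """RFC 2849 SAFE-STRING test: True if the value may be written without base64."""
    if not value:
        return True
    if value[0] in b" :<" or value[-1] == 0x20:
        return False
    return all(0 < b < 0x80 and b not in (0x0A, 0x0D) for b in value)


def _attr_lines(name: str, value: bytes, width: int = 76) -> list:
    """Render one attribute, base64-encoding when required and folding long lines."""
    if _is_safe_string(value):
        line = f"{name}: {value.decode('ascii')}"
    else:
        line = f"{name}:: {base64.b64encode(value).decode('ascii')}"
    lines, rest = [line[:width]], line[width:]
    while rest:  # LDIF continuation lines start with exactly one space
        lines.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return lines


def password_reset_ldif(dn: str, new_password: str) -> str:
    """Build the LDIF modify record that replaces unicodePwd for the given DN."""
    lines = _attr_lines("dn", dn.encode("utf-8"))
    lines += ["changetype: modify", "replace: unicodePwd"]
    lines += _attr_lines("unicodePwd", encode_unicode_pwd(new_password))
    lines += ["-", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # DN and password are the sample values from the question above.
    print(password_reset_ldif("CN=John Smith,cn=Users,DC=domain,DC=com", "newPassword"))
```

The resulting file holds the new password in trivially reversible form, so create it with restrictive permissions and remove it once the modify has completed.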





