[Samba] LDAP Extended attributes and dsheuristics
Andrew Bartlett
abartlet at samba.org
Tue May 30 19:04:07 UTC 2023
On Tue, 2023-05-30 at 11:23 -0400, Ben Curtis via samba wrote:
> Hi all,
>
> I can only find posts about extended attributes from ~10 years ago, so
> I figured I'd ask this here. I get the following error when trying to
> change passwords on my Samba 4.7 AD via LDAP:
>
> ```
> ldap_exop_passwd(): Passwd modify extended operation failed: Extended
> Operation(1.3.6.1.4.1.4203.1.11.1) not supported
> ```
>
> Is this feature (1.3.6.1.4.1.4203.1.11.1) still not supported?

This feature has never been seen on Active Directory DCs, and Samba has
not had a patch for this contributed.
We would welcome such a feature, but note it would need to be quite
carefully implemented and tested to ensure it honours all the
appropriate ACLs.

> Also, I
> have tried setting dsHeuristics for item 9 (fUserPwdSupport) to 1
> with:
>
> ```
> samba-tool forest directory_service dsheuristics 000000001
> ```
>
> But there doesn't seem to be a way to get it to reset to "default
> value" (empty). Any ideas how I would do that?

All-zeros will be the default, but aside from wanting to match a
Windows 2000 era behaviour exactly, fUserPwdSupport makes more sense in
general. Sometime we should allow Samba to have a 'match Windows exactly' vs 'be more useful' provision-time knob.

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
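
An added example, not part of the original thread and not Samba code: a small helper that changes one dsHeuristics position without disturbing the others, which yields the all-zeros string as the reset value for character 9. The function names are hypothetical; the meanings given for '0', '1' and '2' and the rule that every tenth character is a position marker are assumptions taken from the MS-ADTS description of dSHeuristics.

```python
# Added example; helper names are hypothetical and not part of samba-tool.
USER_PWD_SUPPORT_POS = 9  # 1-based position named in the thread

# Assumed meanings for character 9 on AD DS, per MS-ADTS.
MEANING = {
    "0": "default: userPassword is an ordinary attribute",
    "1": "userPassword is treated as a password attribute",
    "2": "userPassword is an ordinary attribute",
}


def validate(value):
    """Reject strings that break the every-tenth-character marker rule."""
    if not value.isascii() or (value and not value.isalnum()):
        raise ValueError("dsHeuristics must be ASCII letters and digits")
    # Positions 10, 20, ... 90 must hold '1', '2', ... '9' (assumed rule).
    for pos in range(10, min(len(value), 90) + 1, 10):
        if value[pos - 1] != str(pos // 10):
            raise ValueError(f"character {pos} must be {pos // 10}")
    return value


def set_position(current, pos, char):
    """Return `current` with 1-based position `pos` set to `char`."""
    if pos % 10 == 0:
        raise ValueError("every tenth position is a marker, not a flag")
    chars = list(current or "")
    while len(chars) < pos:  # pad a short or empty value
        nxt = len(chars) + 1
        chars.append(str(nxt // 10) if nxt % 10 == 0 else "0")
    chars[pos - 1] = char
    return validate("".join(chars))


def describe_user_pwd_support(value):
    """Decode character 9; a short or empty string behaves like '0'."""
    ch = value[USER_PWD_SUPPORT_POS - 1] if len(value or "") >= 9 else "0"
    return MEANING.get(ch, "value not decoded by this example")


if __name__ == "__main__":
    current = "000000001"  # the value set in the thread
    reset = set_position(current, USER_PWD_SUPPORT_POS, "0")
    print(current, "->", describe_user_pwd_support(current))
    print(reset, "->", describe_user_pwd_support(reset))
```

The string returned by `set_position` is what would be passed to the `samba-tool forest directory_service dsheuristics` command shown in the thread.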