Samba4 samba-tool user create and setpassword issue with Windows PDC

Felix Wu mengxwu at gmail.com
Tue Mar 12 15:56:18 MDT 2013


Hello everybody,

I'm relatively new to Samba and Windows administration, and I have been
having some problems using samba-tool commands to create a user. I have a
Samba4 RODC set up and I'm trying to create a user remotely on a PDC
running Windows Server 2008 R2 using the following samba-tool command (the
PDC server does not have LDAPS set up):

samba-tool user create TestUser1 somePassword123 -H ldap://$REALM -Uadministrator%$PASSWD

But I keep getting the same ldb error, even after trying everything from
inserting quotation marks to ensuring that samba was encoding the password
in UTF-16LE and base64:

ERROR(ldb): Failed to add user 'TestUser1 ':  - LDAP error 53
LDAP_UNWILLING_TO_PERFORM -  <0000001F: SvcErr: DSID-031A120C, problem 5003
(WILL_NOT_PERFORM), data 0
> <>

The user, however, still gets created successfully on the PDC, albeit
without a password. A little more investigating shows that the
samba python scripts are failing at the setpassword() step of the user
creation flow:

  File "/usr/local/samba/lib64/python2.6/site-packages/samba/samdb.py",
line 483, in setpassword
    self.modify_ldif(setpw)

After looking extensively online, it seems that the error may be rooted in
the fact that any user password modification done remotely is required by
Active Directory to be done via SSL/TLS (this seems like a common
configuration problem), which we have not done, because this was meant to
be run as a test setup. The thing that gets me, however, is that running the
samba-tool setpassword command using unsecured LDAP (port 389) modifies the
user's password successfully. The command in particular is:

/usr/local/samba/bin/samba-tool user setpassword --filter=samaccountname=TestUser1 --newpassword=somePassword123 -H ldap://$REALM -Uadministrator%$PASSWD
Another thing to note is that if I run user create without specifying ldap
as the remote target, then I get an error that says "No RID Set DN -
Remote RID Set allocation needs ".

Can anybody help me understand what is going on here? Why can't I set the
password using the user create command, but I can using the
setpassword command?
Is this a bug, or am I just configuring something wrong, perhaps something
to do with trying to create a user via an RODC?

Thank you!
Meng
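An added example, not part of the original post or of Samba's own code, showing the value shape Active Directory expects for a unicodePwd write and the LDIF that a setpassword-style modify sends: the new password wrapped in double quotes, encoded as UTF-16LE without a BOM, then base64-encoded behind the "::" LDIF separator. The DN and password below are made up. The is_secure_transport() helper is a hypothetical pre-check, not a samba-tool option; it encodes the rule that AD only accepts this write over an encrypted connection (LDAPS, or a SASL bind negotiated with sealing) and otherwise answers LDAP error 53 (WILL_NOT_PERFORM), which is the check worth doing before a remote password set is attempted.

```python
"""Added example: the unicodePwd value and LDIF for an AD password set.

Illustration only; it mirrors the shape of what a setpassword() step
produces but is not Samba's code.  Sample DN and password are constructed.
"""
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """Return the raw unicodePwd value AD expects.

    The surrounding double quotes are part of the value, not LDIF syntax,
    and the encoding is UTF-16LE with no byte-order mark.
    """
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(b64value: str) -> str:
    """Reverse of encode_unicode_pwd on the base64 form found in LDIF.

    Raises ValueError if the quoting AD requires is missing, which is the
    usual cause of a WILL_NOT_PERFORM when the transport itself is fine.
    """
    raw = base64.b64decode(b64value).decode("utf-16-le")
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return raw[1:-1]


def build_setpw_ldif(dn: str, password: str) -> str:
    """Build the modify LDIF that replaces unicodePwd on an existing entry.

    A binary attribute value goes into LDIF as base64 after '::'.
    """
    b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {b64}\n"
    )


def is_secure_transport(url: str, sasl_sealed: bool) -> bool:
    """Hypothetical pre-check for whether AD will accept a unicodePwd write.

    AD refuses the write (LDAP error 53, WILL_NOT_PERFORM) unless the
    connection is encrypted: either LDAPS, or a SASL bind (Kerberos/NTLMSSP)
    that negotiated sealing.  Plain ldap:// with a simple bind does not
    qualify.  'sasl_sealed' is assumed to be known from the bind step.
    """
    return url.lower().startswith("ldaps://") or sasl_sealed


if __name__ == "__main__":
    # Constructed sample input, matching the names used in the post.
    dn = "CN=TestUser1,CN=Users,DC=example,DC=com"
    url = "ldap://dc.example.com"
    if not is_secure_transport(url, sasl_sealed=False):
        print(f"refusing to send unicodePwd over {url}: AD would answer error 53")
    print(build_setpw_ldif(dn, "somePassword123"))
```

The encoder is the piece to compare against whatever a custom script or LDIF does: a value that decodes to the password without the quotes, or that carries a BOM, is rejected by AD with the same error 53 as an unencrypted transport, so checking the encoding first rules out one of the two causes.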

