On 05.11.2012 08:28, Andrew Bartlett wrote:
On Mon, 2012-11-05 at 08:18 +0100, Thomas Mueller wrote:
On 05.11.2012 04:31, Andrew Bartlett wrote:
On Thu, 2012-11-01 at 12:44 +0000, Thomas Mueller wrote:
hi
I'm trying to create a user via LDAP from a remote server. The user is
created successfully, but I'm failing to set the initial password.
Setting the unicodePwd with kerberos administrator credentials with
ldbmodify and the ldif below results in "00002035: setup_io: it's not
allowed to set the NT hash password directly".
Searching the web I've found s4 mailing list entries saying "do not set
unicodePwd with ldap". This KB article says that in AD it's possible to set
it: http://support.microsoft.com/kb/263991/en-us
Is there a supported method to supply the initial user password with s4
and ldap?
- Thomas
LDIF:
dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
changetype: modify
replace: unicodePwd
unicodePwd:: $IlRlc3QxMjMtLSIK
To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.
I was using the following command to address this UTF-16LE requirement:
echo \"PASSWORD\" | iconv -t UTF16LE | base64
Either way, the base64 string just doesn't look long enough for that.
This seems closer:
//4iAFQAZQBzAHQAMQAyADMALQAtACIA
See however the userPassword, which is a normal, utf8 unquoted string
(ie, sane :-)
Just tried it. Problems:
1) the userPassword attribute is plaintext readable with ldap afterwards
2) the kerberos password is not set ("kinit user" fails)
You may not have the userPassword feature enabled. It's odd that we let
it stick in ldap however - can you confirm exactly what AD does here, so
I can match it?
I do not have an AD available today, I'll try tomorrow. I've found this
about the userPassword attribute on MSDN:
http://msdn.microsoft.com/en-us/library/cc223249(prot.20).aspx
Searching the source code for userPassword I've found this comment in
password_hash.c:
 * Notice: unlike the real AD which only supports the UTF16 special based
 * 'unicodePwd' and the UTF8 based 'userPassword' plaintext attribute we
 * understand also a UTF16 based 'clearTextPassword' one.
 * The latter is also accessible through LDAP so it can also be set by external
 * tools and scripts. But be aware that this isn't portable on non SAMBA 4 ADs!
"The latter is also accessible through LDAP" implies that unicodePwd and
userPassword aren't.
- Thomas
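As an added example (not code from the thread or from Samba itself), a small Python helper that builds the unicodePwd LDIF value the way the KB article describes (password wrapped in double quotes, UTF-16LE without BOM, no trailing newline, base64) and a check that classifies an existing base64 value; the sample password "Test123--" is taken from the LDIF above, and the classification labels are my own.

```python
import base64


def unicode_pwd_value(password: str) -> str:
    """Base64 value for an 'unicodePwd::' LDIF line.

    AD expects the new password enclosed in double quotes and encoded as
    UTF-16LE, with no byte-order mark and no trailing newline.
    """
    quoted = f'"{password}"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def check_unicode_pwd_value(b64: str) -> str:
    """Classify a base64 unicodePwd value: 'ok' or the defect found.

    The labels are this example's own wording, not server error strings.
    """
    raw = base64.b64decode(b64)
    # UTF-16LE of an ASCII password always contains NUL bytes; a value
    # without any is the UTF-8/ASCII mistake ("echo ... | base64").
    if b"\x00" not in raw and all(b < 0x80 for b in raw):
        return "ASCII/UTF-8, not UTF-16LE"
    if len(raw) % 2:
        return "odd length, not UTF-16LE"
    if raw.startswith(b"\xff\xfe"):
        return "leading UTF-16 BOM (encode as UTF-16LE without BOM)"
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return "not valid UTF-16LE"
    if text.endswith("\n"):
        return "trailing newline (use printf, not echo)"
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        return "password not wrapped in double quotes"
    return "ok"


def ldif_set_password(dn: str, password: str) -> str:
    """LDIF 'replace: unicodePwd' record for ldbmodify/ldapmodify over LDAPS."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {unicode_pwd_value(password)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    print(ldif_set_password("CN=Thomas Mueller,OU=Users,DC=test,DC=testing", "Test123--"))
```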