On 05.11.2012 04:31, Andrew Bartlett wrote:
> On Thu, 2012-11-01 at 12:44 +0000, Thomas Mueller wrote:
>> Hi
>>
>> Trying to create a user with ldap from a remote server. The user is
>> created successfully. I'm failing setting the initial password.
>>
>> Setting the unicodePwd with kerberos administrator credentials with
>> ldbmodify and the ldif below results in "00002035: setup_io: it's not
>> allowed to set the NT hash password directly".
>>
>> Searching the web I've found s4 mailing list entries telling "do not set
>> unicodePwd with ldap". This KB article tells in AD it's possible to set
>> it: http://support.microsoft.com/kb/263991/en-us
>>
>> Is there a supported method to supply the initial user password with s4
>> and ldap?
>>
>> - Thomas
>>
>> LDIF:
>> dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
>> changetype: modify
>> replace: unicodePwd
>> unicodePwd:: $IlRlc3QxMjMtLSIK
>
> To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.

I was using the following command to address this utf16-le requirement:

echo \"PASSWORD\" | iconv -t UTF16LE | base64

> See however the userPassword, which is a normal, utf8 unquoted string
> (ie, sane :-)

Just tried it. Problems:

1) the userPassword attribute is plaintext readable with ldap afterwards
2) the kerberos password is not set ("kinit user" fails)

- Thomas