I'm migrating an AD service over to OpenLDAP. There will be a transitional period where logins will still be served by AD, but address book/mail/etc. will be authenticated against OpenLDAP, so I'd like to provide the AD admins with a way of creating users in OpenLDAP and having the change replicated in AD (most likely a web interface).
All goes well for putting user data in AD. Not as well for activating login for the user. I've tried the following ways:

1) Creating an AD LDAP record that closely matched the existing ones, and setting the password via ldapmodify. The user can't bind to AD, nor to the DC via rpcclient.

2) Creating a user via rpcclient's createdomuser. Problem: how should the password be set? I tried with net ads password, which reported success, but logging in via rpcclient to the DC with the password failed, while logging in without it succeeded.

3) I tried using net ads user add, getting only `Server unwilling to perform'.

I suspect the problem lies in AD not creating the Kerberos principal in either of these cases; even after setting the password through LDAP, when requesting a ticket, kinit's response is:

kinit (v5): Clients credentials have been revoked while getting initial credentials

The password changing mechanism works for existing users created on AD. Or maybe the machine from where user creation requests originate must have joined the AD domain? (In which case: do smbd and/or nmbd have to run as well?)

It is not a show-stopping problem (I can always have the AD users first create a user in AD, grab it with some script and copy it over to OpenLDAP, where attributes relevant to mail, groupware and such are added). I'd like to sort this out, though.

Thanks for any insight.

Massimiliano

-- 
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
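An added example, not part of the message above: it builds the LDIF that AD accepts when a user is created and given a password over LDAP, with the password carried in the unicodePwd attribute (the quoted clear text, UTF-16LE encoded, which AD only accepts over an encrypted connection) and userAccountControl set to an enabled value, and it decodes userAccountControl bits, since a user added over LDAP without that attribute gets the default 546, which is a disabled account, and the AD KDC answers a kinit for a disabled account with the "credentials have been revoked" error. The base DN, user names and password are constructed sample values, and the output is meant to be fed to ldapadd over ldaps://.

```python
import base64

# userAccountControl flag bits (values from AD's userAccountControl attribute)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
# Value AD assigns to a user added over LDAP when none is given: 546 = 0x222,
# i.e. disabled + password not required + normal account.
UAC_LDAP_DEFAULT = 0x0222
UAC_ENABLED_USER = 0x0200


def uac_flags(uac: int) -> list:
    """Names of the flag bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def account_enabled(uac: int) -> bool:
    return not uac & 0x0002


def unicode_pwd_b64(password: str) -> str:
    """unicodePwd value as AD expects it: the clear-text password wrapped in
    double quotes, encoded UTF-16LE, base64 for the LDIF '::' form. AD rejects
    this attribute unless the connection is encrypted (LDAPS/StartTLS/SASL)."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def decode_unicode_pwd(b64: str) -> str:
    """Inverse of unicode_pwd_b64, for checking an LDIF before sending it."""
    return base64.b64decode(b64).decode("utf-16-le")[1:-1]


def build_user_ldif(base_dn: str, cn: str, sam: str, realm: str, password: str) -> str:
    """LDIF for one enabled AD user whose password is set in the same add."""
    lines = [
        f"dn: CN={cn},CN=Users,{base_dn}",
        "objectClass: user",
        f"cn: {cn}",
        f"sAMAccountName: {sam}",
        f"userPrincipalName: {sam}@{realm.lower()}",
        f"userAccountControl: {UAC_ENABLED_USER}",
        f"unicodePwd:: {unicode_pwd_b64(password)}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values; pipe the output into ldapadd -H ldaps://<dc> ...
    print(build_user_ldif("DC=example,DC=com", "Test User", "tuser", "EXAMPLE.COM", "S3cret!pass"))
    print("default LDAP-created user:", uac_flags(UAC_LDAP_DEFAULT))
```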
