On Thu, 2004-08-19 at 07:01, Massimiliano Mirra wrote:
> I'm migrating an AD service over to OpenLDAP. There will be a
> transitional period where logins will still be served by AD, but
> address book/mail/etc. will be authenticated against OpenLDAP, so I'd
> like to provide the AD admins with a way of creating users in OpenLDAP
> and having the change replicated in AD (most likely a web interface).
>
> All goes well for putting user data in AD. Not as well for activating
> login for the user.
>
> I've tried the following ways:
>
> 1) creating an AD LDAP record that closely matched the existing ones,
>    and setting the password via ldapmodify. User can't bind to AD nor
>    to the DC via rpcclient.
>
> 2) creating a user via rpcclient's createdomuser. Problem: how should
>    the password be set?

Try these with 'net rpc user' and 'net rpc password'.

>    I tried with net ads password, which reported success, but logging
>    via rpcclient to DC with password failed while logging without
>    succeeded.
>
> 3) I tried using net ads user add, getting only `Server unwilling to
>    perform'.
>
> I suspect the problem lies in AD not creating the kerberos principal
> in either of these cases; even after setting the password through LDAP,
> when requesting a ticket, kinit's response is:
>
>   kinit (v5): Clients credentials have been revoked while getting
>   initial credentials.
>
> The password changing mechanism works for existing users created on AD.
> Or maybe the machine from where user creation requests originate must
> have joined the AD domain? (In which case: do smbd and/or nmbd have
> to run as well?)
>
> It is not a show-stopping problem (I can always have the AD users
> first create a user in AD, grab it with some script and copy it over
> to OpenLDAP, where attributes relevant to mail, groupware and such are
> added). I'd like to sort this out, though.

Another option might be to set up OpenLDAP to take simple binds, and
PLAIN SASL binds, and have them redirected to pam_winbind, which can
authenticate against AD. (Ok, that's quite a bit of config, but it
should work...)

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
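Andrew's second suggestion, letting OpenLDAP accept simple and SASL PLAIN binds while handing the actual password check to winbind, is what the OpenLDAP Admin Guide calls pass-through authentication: slapd does not verify a {SASL} userPassword itself but asks Cyrus SASL's saslauthd, which in turn runs the PAM stack where pam_winbind talks to the AD domain. The sketch below is an added illustration of that wiring and is not part of the thread, nor Samba's or OpenLDAP's own documentation; the realm EXAMPLE.COM, the workgroup, the base DN, the uid mmirra and the exact file locations are assumptions that vary by distribution and Samba 3 release.

```conf
# --- /usr/lib/sasl2/slapd.conf (Cyrus SASL settings for slapd's "ldap" service) ---
# slapd hands PLAIN/LOGIN credentials, and any simple bind against an entry whose
# userPassword uses the {SASL} scheme, to saslauthd instead of comparing locally.
pwcheck_method: saslauthd
mech_list: plain login

# --- saslauthd start-up options (e.g. /etc/sysconfig/saslauthd or
#     /etc/default/saslauthd; the variable name differs per distribution) ---
# Use the PAM back end so the check ends up in pam_winbind.
MECH=pam

# --- /etc/pam.d/ldap (PAM service consulted by saslauthd; "ldap" is the
#     SASL service name slapd registers, so this is the file it looks up) ---
auth     required   pam_winbind.so
account  required   pam_winbind.so

# --- /etc/samba/smb.conf (this host must be joined to the domain with
#     "net ads join" and run winbindd; smbd/nmbd are not needed for this) ---
[global]
   security = ads
   realm = EXAMPLE.COM               ; assumed realm
   workgroup = EXAMPLE               ; assumed NetBIOS domain name
   winbind use default domain = yes  ; lets pam_winbind resolve bare "mmirra"
   idmap uid = 10000-20000
   idmap gid = 10000-20000

# --- LDIF for one user in OpenLDAP (assumed base DN); the password is never
#     stored here, only a pointer saying "ask SASL, user mmirra in EXAMPLE.COM" ---
dn: uid=mmirra,ou=People,dc=example,dc=com
userPassword: {SASL}mmirra@EXAMPLE.COM
```

Because only winbind ever sees the AD password, the OpenLDAP server never holds a copy of it, and disabling or locking the account in AD takes effect on LDAP binds immediately. To check the chain below slapd before touching LDAP clients, run `testsaslauthd -u mmirra -p '<password>' -s ldap` on the OpenLDAP host: a failure there points at saslauthd, PAM or the domain join rather than at slapd, and the saslauthd and winbindd logs show which hop rejected the request.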
