On Thu, 2004-08-19 at 07:01, Massimiliano Mirra wrote:
> I'm migrating an AD service over to OpenLDAP. There will be a
> transitional period where logins will still be served by AD, but
> address book/mail/etc. will be authenticated against OpenLDAP, so I'd
> like to provide the AD admins with a way of creating users in OpenLDAP
> and having the change replicated in AD (most likely a web interface).
>
> All goes well for putting user data in AD. Not as well for activating
> login for the user.
>
> I've tried the following ways: 1) creating an AD LDAP record that
> closely matched the existing ones, and setting the password via
> ldapmodify. User can't bind to AD nor to the DC via rpcclient. 2)
> creating a user via rpcclient's createdomuser. Problem: how should
> the password be set?
Try these with 'net rpc user' and 'net rpc password'.
> I tried with net ads password, which reported
> success, but logging via rpcclient to DC with password failed while
> logging without succeeded. 3) I tried using net ads user add, getting
> only `Server unwilling to perform'.
>
> I suspect the problem lies in AD not creating the kerberos principal
> in either of these cases; even after setting password through LDAP,
> when requesting a ticket, kinit's response is: kinit (v5): Clients
> credentials have been revoked while getting initial credentials. The
> password changing mechanism works for existing users created on AD.
> Or maybe the machine from where user creation requests originate must
> have joined the AD domain? (In which case: do smbd and/or nmbd have
> to run as well?)
>
> It is not a show-stopping problem (I can always have the AD users
> first create a user in AD, grab it with some script and copy it over
> to OpenLDAP, where attributes relevant to mail, groupware and such are
> added). I'd like to sort this out, though.
Another option might be to set up OpenLDAP to take simple binds, and
PLAIN SASL binds, and have them redirected to pam_winbind, which can
authenticate against AD. (Ok, that's quite a bit of config, but it
should work...)
Andrew Bartlett
--
Andrew Bartlett abartlet@samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
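Andrew's suggestion above, sketched as an added configuration example that is not from the original thread or from the Samba project: slapd hands password checks for both simple binds and SASL PLAIN binds to saslauthd, which authenticates through PAM and pam_winbind against AD. The DNs, realm, user name and file paths are assumptions, and the slapd build must include `--enable-spasswd` for the `{SASL}` scheme.

```conf
# /etc/openldap/slapd.conf (excerpt)
# PLAIN sends the password in the clear, so require an encrypted session.
security ssf=128

# Map SASL PLAIN identities (uid=<user>,cn=plain,cn=auth) onto real entries.
authz-regexp
    uid=([^,]*),cn=plain,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(uid=$1)

# In each user's entry the {SASL} scheme makes a simple bind go through
# Cyrus SASL instead of comparing a stored hash (constructed sample entry):
#   dn: uid=jdoe,ou=people,dc=example,dc=com
#   userPassword: {SASL}jdoe@EXAMPLE.COM

# /usr/lib/sasl2/slapd.conf (path varies by distribution; assumed here)
# Cyrus SASL side: verify PLAIN/LOGIN passwords through the saslauthd daemon.
pwcheck_method: saslauthd
mech_list: plain login

# /etc/pam.d/ldap -- saslauthd started with "-a pam" consults the PAM service
# named after the application ("ldap" for slapd; assumed), so winbind does
# the actual check against the AD domain controller.
auth     required  pam_winbind.so
account  required  pam_winbind.so
```

With winbindd running, `ldapwhoami -x -D "uid=jdoe,ou=people,dc=example,dc=com" -W` exercises the simple-bind path and `ldapwhoami -Y PLAIN -U jdoe -W` the SASL path; both should report the same mapped DN when the AD password is accepted.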