Hello @ll,

I have a general question to Active Directory (AD), not directly
concerning samba, but I think the experts of this list know the answer.

At my scope: I'm using a Windows XP PC which is logged on using
Microsoft AD domain and Kerberos (normal procedure). I want to find out
the BindDN and - if possible the appropriate password - for using it for
a query with the Linux tool "ldapsearch". The problem is that I haven't
an admin-access to AD-server.

(1) Where are BindDN (and password) saved (e.g. Windows registry)?

(2) Which encryption (e.g. none, SSL, TLS) is used by microsoft for the
AD-queries (standard Windows login over an AD-domain)?

(3) Can I use Ethereal for grep this information? If the answer is
"YES", what to do, to force Windows execute an login situation (e.g.
program -> execute as ...)?

Much thanks in advance.

Best regards
Philippe Stellwag

--
Siemens AG A&D MC RD3

On Thu, 26 Apr 2007, Stellwag, Philippe wrote:

> Hello @ll,
>
> I have a general question to Active Directory (AD), not directly
> concerning samba, but I think the experts of this list know the answer.
>
> At my scope: I'm using a Windows XP PC which is logged on using
> Microsoft AD domain and Kerberos (normal procedure). I want to find out
> the BindDN and - if possible the appropriate password - for using it for
> a query with the Linux tool "ldapsearch". The problem is that I haven't
> an admin-access to AD-server.
>
> (1) Where are BindDN (and password) saved (e.g. Windows registry)?

If you can view your AD domain using the Active Directory Users and
Computers MMC snap-in (you don't need admin access for this), then you
can determine the DN of a user. Find the user and the container (OU) it
is located in. The DN will be of the form:

    cn=<username>,ou=<some_container>,dc=<domain>,dc=example,dc=com

> (2) Which encryption (e.g. none, SSL, TLS) is used by microsoft for the
> AD-queries (standard Windows login over an AD-domain)?

AD domain controllers listen on the standard LDAPS port (636) and will
only accept binds on that port. You cannot bind as a user on port 389. I
don't think they support TLS on port 389, but I have not tried in a long
time.

> (3) Can I use Ethereal for grep this information? If the answer is
> "YES", what to do, to force Windows execute an login situation (e.g.
> program -> execute as ...)?

Windows AD clients will use Kerberos to authenticate, not LDAP, so you
won't be able to capture the information you need that way.

Andy
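
The DN form given in the reply above, as an added example that is not part of the original thread: it assembles a DN from a user's CN, OU path and DNS domain, and goes one step beyond the reply by applying RFC 4514 escaping, which matters because an AD object's CN is often a display name such as "Smith, John". The function names and all sample values are hypothetical and constructed for illustration.

```python
# Added example: build a DN of the form
#   cn=<username>,ou=<some_container>,dc=<domain>,dc=example,dc=com
# Function names and sample values are hypothetical, not from the thread.

SPECIAL = '"+,;<>\\'  # characters RFC 4514 requires to be backslash-escaped


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for the string form of a DN (RFC 4514)."""
    if not value:
        return value
    out = []
    for ch in value:
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    # A leading space or '#' and a trailing space must be escaped as well.
    if out[0] in (" ", "#"):
        out[0] = "\\" + out[0]
    if out[-1] == " ":
        out[-1] = "\\ "
    return "".join(out)


def build_user_dn(common_name: str, ou_path: list, dns_domain: str) -> str:
    """Return the DN for a user object.

    ou_path lists the OUs from the one holding the user outwards;
    dns_domain is the AD domain in DNS form, e.g. 'corp.example.com'.
    """
    labels = [label for label in dns_domain.split(".") if label]
    if not labels:
        raise ValueError("dns_domain must contain at least one label")
    rdns = ["cn=" + escape_rdn_value(common_name)]
    rdns += ["ou=" + escape_rdn_value(ou) for ou in ou_path]
    rdns += ["dc=" + escape_rdn_value(label) for label in labels]
    return ",".join(rdns)


if __name__ == "__main__":
    # Constructed sample: a display-name style CN containing a comma.
    print(build_user_dn("Smith, John", ["Engineering", "Staff"],
                        "corp.example.com"))
```

Objects in the built-in Users container are addressed with cn=Users instead of an ou= component, so this helper covers only users that sit in an OU.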