Hello, lists.
I'm struggling to find out how one can change the password of an Active
Directory (based on Samba4) user via LDAP.
The problem is that if I try to use userPassword parameter:
dn: CN=John Smith,cn=Users,DC=domain,DC=com
changetype: modify
replace: userPassword
userPassword: newPassword
ldapmodify -v -c -a -f filename.ldif -H ldaps://server.domain.com -D \
administrator@domain.com -W
ldap_initialize( ldaps://server.domain.com:636/??base )
Enter LDAP Password:
replace userPassword:
newPassword
modifying entry "CN=John Smith,cn=Users,DC=domain,DC=com"
modify complete
This seems to work, but does not affect the user in any way. As far as I
managed to find out, userPassword is not a native Active Directory
attribute.
You must use the unicodePwd attribute instead.
But then I get to another problem:
dn: CN=John Smith,cn=Users,DC=domain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd: newPassword
ldapmodify -v -c -a -f filename.ldif -H ldaps://server.domain.com -D \
administrator@domain.com -W
ldap_initialize( ldaps://server.domain.com:636/??base )
Enter LDAP Password:
replace unicodePwd:
newPassword
modifying entry "CN=John Smith,cn=Users,DC=domain,DC=com"
ldap_modify: Server is unwilling to perform (53)
additional info: 00002035: setup_io: it's not allowed to set the
NT hash password directly'
It seems that Samba4 does not allow changing this attribute directly.
So the question would be: is it possible to change an AD user password via
LDAP, or can this only be done via Samba tools and a Windows client?
Thank you.
--
Iñigo Martinez Lasala
2014-Apr-30 16:14 UTC
[Samba] Changing active directory user password via LDAP
Try this:
https://code.google.com/p/ad-change-pass/
It worked for us.
----- Original message -----
From: "Tadas" <tadas at ring.lt>
To: samba at lists.samba.org
Sent: Wednesday, 30 April 2014 13:33:46
Subject: [Samba] Changing active directory user password via LDAP
Andrew Bartlett
2014-May-01 03:00 UTC
[Samba] Changing active directory user password via LDAP
On Wed, 2014-04-30 at 14:33 +0300, Tadas wrote:
> [...]
> It seems that Samba4 does not allow changing this attribute directly.
> So the question would be: is it possible to change an AD user password via
> LDAP, or can this only be done via Samba tools and a Windows client?

unicodePwd has to be set as a UTF-16 string surrounded by a UTF-16 " (yes really!) value on each side.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
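To make the encoding Andrew describes concrete, here is an added example (not from the thread and not Samba's own code) that builds the unicodePwd value, the password wrapped in double quotes and encoded as UTF-16-LE, and emits the base64 LDIF for both an administrative reset (replace) and a user self-service change (delete old value, add new value). The DN is the one from the thread; the LDIF is meant for the same ldapmodify invocation over ldaps://, since AD and Samba AD only accept unicodePwd writes on an encrypted connection.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """Raw unicodePwd value: the password surrounded by ASCII double
    quotes, encoded as UTF-16 little-endian without a byte-order mark.
    Sending the bare string (as in the thread) yields error 53."""
    return f'"{password}"'.encode("utf-16-le")


def ldif_attr(name: str, value: bytes) -> str:
    # Binary values go into LDIF as "name:: <base64>" (RFC 2849).
    return f"{name}:: {base64.b64encode(value).decode('ascii')}"


def reset_password_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: one 'replace' of unicodePwd.  The binding
    account needs the reset-password right on the target object."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        ldif_attr("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
        "",
    ])


def self_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """User-initiated change: delete the old value and add the new one in
    a single modify.  The DC verifies the old value, so the user can do
    this for their own account without any reset right."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        ldif_attr("unicodePwd", encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        ldif_attr("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
        "",
    ])


if __name__ == "__main__":
    dn = "CN=John Smith,cn=Users,DC=domain,DC=com"  # DN from the thread
    print(reset_password_ldif(dn, "newPassword"))   # pipe into ldapmodify -f
```

The resulting file replaces filename.ldif in the thread's ldapmodify command; the -H ldaps:// URL stays as it was.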