Hi all,

I can only find posts about extended attributes from ~10 years ago, so I figured I'd ask this here. I get the following error when trying to change passwords on my Samba 4.7 AD via LDAP:

```
ldap_exop_passwd(): Passwd modify extended operation failed: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported
```

Is this feature (1.3.6.1.4.1.4203.1.11.1) still not supported? Also, I have tried setting dsHeuristics for item 9 (fUserPwdSupport) to 1 with:

```
samba-tool forest directory_service dsheuristics 000000001
```

But there doesn't seem to be a way to get it to reset to "default value" (empty). Any ideas how I would do that?

Thanks,
Ben

On 30/05/2023 16:23, Ben Curtis via samba wrote:
> Hi all,
>
> I can only find posts about extended attributes from ~10 years ago, so
> I figured I'd ask this here. I get the following error when trying to
> change passwords on my Samba 4.7 AD via LDAP:

Samba 4.7.x is very long in the tooth now and you really should upgrade. You can only change an AD password over LDAPS.

> ```
> ldap_exop_passwd(): Passwd modify extended operation failed: Extended
> Operation(1.3.6.1.4.1.4203.1.11.1) not supported

Isn't that OID an OpenLDAP style of thing?

> ```
>
> Is this feature (1.3.6.1.4.1.4203.1.11.1) still not supported? Also, I
> have tried setting dsHeuristics for item 9 (fUserPwdSupport) to 1
> with:
>
> ```
> samba-tool forest directory_service dsheuristics 000000001

I do not think that is going to help.

> ```
>
> But there doesn't seem to be a way to get it to reset to "default
> value" (empty). Any ideas how I would do that?

What attribute are you trying to set/change? A user's password is stored in the 'unicodePwd' attribute; this cannot be read, only modified with a value. Also, you have to base64 encode the password in a special way.

It will probably help if you can explain just what you are trying to achieve and why.

Rowland

On Tue, 2023-05-30 at 11:23 -0400, Ben Curtis via samba wrote:
> Hi all,
>
> I can only find posts about extended attributes from ~10 years ago,
> so
> I figured I'd ask this here. I get the following error when trying to
> change passwords on my Samba 4.7 AD via LDAP:
>
> ```
> ldap_exop_passwd(): Passwd modify extended operation failed: Extended
> Operation(1.3.6.1.4.1.4203.1.11.1) not supported
> ```
>
> Is this feature (1.3.6.1.4.1.4203.1.11.1) still not supported?

This feature has never been seen on Active Directory DCs, and Samba has not had a patch for this contributed. We would welcome such a feature, but note it would need to be quite carefully implemented and tested to ensure it honours all the appropriate ACLs.

> Also, I
> have tried setting dsHeuristics for item 9 (fUserPwdSupport) to 1
> with:
>
> ```
> samba-tool forest directory_service dsheuristics 000000001
> ```
>
> But there doesn't seem to be a way to get it to reset to "default
> value" (empty). Any ideas how I would do that?

All-zeros will be the default, but aside from wanting to match a Windows 2000 era behaviour exactly, fUserPwdSupport makes more sense in general.

Sometime we should allow Samba to have a 'match Windows exactly' vs 'be more useful' provision-time knob.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions