Here are my findings. Keywords for Google and for those who, like me, did not find useful references: create user domain ldap active directory ad linux rpcclient net ads rpc account enable enabled login bind.
Background: we're migrating users from AD to OpenLDAP; for a period the two have to coexist, because AD authenticates logins and OpenLDAP authenticates mail. My aim is to provide a single user creation/password setting interface for both in the form of a CGI. This rules out using Windows GUI tools.

The problem was creating a user from Linux. `net ads user add' wouldn't work, then I tried `net rpc user add' (thanks to Andrew Bartlett for suggesting it) and it worked:

    $ net rpc user add foobar -S pdcname -Uadmin%adminpassword

Two things left: password and (as I discovered later) userAccountControl.

`net rpc password' did not work, `net ads password' did (go figure):

    $ net ads password foobar secret -S pdcname -Uadminname%adminpassword

Doing that with ldapmodify also works:

    $ cat >changepwd.ldif
    dn: CN=foobar,CN=Users,DC=yoursite,DC=com
    changetype: modify
    replace: unicodePwd
    $ cleartext2unicodepwd secret >>changepwd.ldif
    $ cat changepwd.ldif
    dn: CN=foobar,CN=Users,DC=yoursite,DC=com
    changetype: modify
    replace: unicodePwd
    unicodePwd::IgBzAGUAYwByAGUAdAAiAA==
    $ kinit adminname
    Password for [EMAIL PROTECTED]:
    $ ldapmodify -H ldap://activedirectory.site.com -D \
        cn=adminname,cn=users,dc=site,dc=com -f changepwd.ldif

`kinit adminname' was necessary because otherwise AD won't let you set a password over an unencrypted channel. Another option is LDAP over SSL, if you can get it to work (we couldn't). For the cleartext2unicodepwd script, see below.

Last thing, userAccountControl. This attribute is a mask with the following possible values:

    ADS_UF_ACCOUNTDISABLE = 0x0002   Disable user account
    ADS_UF_PASSWD_NOTREQD = 0x0020   No password is required
    ADS_UF_NORMAL_ACCOUNT = 0x0200   Typical user account

The previously created user got a value of `546' (i.e. 0x0222). I set it to `512' (0x0200):

    $ cat >uac.ldif
    dn: CN=foobar,CN=Users,DC=yoursite,DC=com
    changetype: modify
    replace: userAccountControl
    userAccountControl: 512

...ldapmodify as above. Done.
Last thing to understand will be why users created with Windows tools get a userAccountControl value of 66048, but things work nicely already.

This is the `cleartext2unicodepwd' script:

    #!/usr/bin/env ruby
    # Print a base64-encoded unicodePwd value for an LDIF "replace: unicodePwd".
    # AD expects the password wrapped in double quotes and encoded as UTF-16LE.
    require "base64"

    def cleartext2unicode(cleartextpwd)
      quotepwd = '"' + cleartextpwd + '"'
      # UTF-16LE handles non-ASCII characters correctly (for ASCII this is
      # the same as interleaving each character with a NUL byte)
      unicodepwd = quotepwd.encode("UTF-16LE")
      # strict_encode64 emits no line breaks, so a long password cannot
      # split the LDIF attribute line
      return Base64.strict_encode64(unicodepwd)
    end

    if ARGV.length == 1
      cleartextpwd = ARGV.shift
      puts "unicodePwd::" + cleartext2unicode(cleartextpwd)
    end

Cheers
Massimiliano
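Added example, not part of Massimiliano's post: a Ruby helper that decodes a userAccountControl mask into its flags and builds the LDIF that enables the account while also clearing ADS_UF_PASSWD_NOTREQD (an account with that bit set may have an empty password, so it is worth checking before enabling). It goes one step beyond the post by including ADS_UF_DONT_EXPIRE_PASSWD (0x10000), the well-known flag that together with NORMAL_ACCOUNT makes up the 66048 (0x10200) the post asks about; the flag table and function names are this example's own.

```ruby
# Decode userAccountControl masks and emit the "enable" LDIF (added example).
# Flag values are the well-known UF_* constants; the first three are the ones
# listed in the post, the fourth is the one that explains 66048 = 0x10200.
UAC_FLAGS = {
  0x0002  => "ACCOUNTDISABLE",
  0x0020  => "PASSWD_NOTREQD",
  0x0200  => "NORMAL_ACCOUNT",
  0x10000 => "DONT_EXPIRE_PASSWD",
}.freeze

# Names of the flags set in the mask, in ascending bit order.
def decode_uac(value)
  UAC_FLAGS.select { |bit, _| value & bit != 0 }.values
end

# Bits set in the mask that the table above does not know; reported so that
# an unexpected flag is never silently carried over.
def unknown_uac_bits(value)
  value & ~UAC_FLAGS.keys.reduce(0, :|)
end

# Clear ACCOUNTDISABLE and PASSWD_NOTREQD, make sure NORMAL_ACCOUNT is set,
# keep every other bit as it was (546 -> 512, 66048 stays 66048).
def enabled_uac(value)
  (value & ~(0x0002 | 0x0020)) | 0x0200
end

# LDIF modify record replacing userAccountControl with the enabled value.
def uac_ldif(dn, value)
  ["dn: #{dn}", "changetype: modify", "replace: userAccountControl",
   "userAccountControl: #{enabled_uac(value)}", "-"].join("\n") + "\n"
end

if __FILE__ == $0
  dn = "CN=foobar,CN=Users,DC=yoursite,DC=com" # DN from the post
  [546, 512, 66048].each do |v|
    printf("%6d (0x%05x): %s\n", v, v, decode_uac(v).join(" | "))
  end
  puts uac_ldif(dn, 546)
end
```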