[Samba] Creating domain users in AD from Linux

2004-08-20 Thread Massimiliano Mirra

Here are my findings.  Keywords for Google and for those who, like me,
did not find useful references: create user domain ldap active
directory ad linux rpcclient net ads rpc account enable enabled login
bind.

Background: we're migrating users from AD to OpenLDAP; for a period
the two have to coexist, because AD authenticates logins, OpenLDAP
authenticates mail.  My aim is to provide a single user
creation/password setting interface for both in the form of a CGI.
This rules out using Windows GUI tools.

The problem was creating a user from Linux.  `net ads user add'
wouldn't work, then I tried `net rpc user add' (thanks to Andrew
Bartlett for suggesting it) and it worked.

$ net rpc user add foobar -S pdcname -Uadmin%adminpassword

Two things left: password and (as I discovered later)
userAccountControl.

`net rpc password' did not work, `net ads password' did (go figure).

$ net ads password foobar secret -S pdcname -Uadminname%adminpassword

Also doing that with ldapmodify works:

$ cat changepwd.ldif
dn: CN=foobar,CN=Users,DC=yoursite,DC=com
changetype: modify
replace: unicodePwd

$ cleartext2unicodepwd secret changepwd.ldif
$ cat changepwd.ldif
dn: CN=foobar,CN=Users,DC=yoursite,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::IgBzAGUAYwByAGUAdAAiAA==
$ kinit adminname
Password for [EMAIL PROTECTED]: 
$ ldapmodify -H ldap://activedirectory.site.com -D \
  cn=adminname,cn=users,dc=site,dc=com -f changepwd.ldif

`kinit adminname' was necessary because otherwise AD won't let you set
the password over an unencrypted channel.  Another option is LDAP over
SSL, if you can get it to work (we couldn't).

For the cleartext2unicodepwd script, see below.

Last thing, userAccountControl.  This attribute is a mask with the
following possible values:

ADS_UF_ACCOUNTDISABLE = 0x0002   Disable user account
ADS_UF_PASSWD_NOTREQD = 0x0020   No password is required
ADS_UF_NORMAL_ACCOUNT = 0x0200   Typical user account

The previously created user got a value of `546' (i.e. 0x0222).  I set
it to `512' (0x0200):

$ cat uac.ldif
dn: CN=foobar,CN=Users,DC=yoursite,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 512

...ldapmodify as above.

Done.  Last thing to understand will be why users created with Windows
tools get a userAccountControl value of 66048, but things work nicely
already.

This is the `cleartext2unicodepwd' script:

#!/usr/bin/env ruby

require 'base64'

# AD expects unicodePwd as the password wrapped in double quotes and
# encoded as UTF-16LE; interleaving NUL bytes does that for ASCII input.
def cleartext2unicode(cleartextpwd)
  quotepwd = '"' + cleartextpwd + '"'
  unicodepwd = quotepwd.split('').join("\0") + "\0"
  return Base64.encode64(unicodepwd)
end

# Print the LDIF attribute line; "::" marks a base64-encoded value.
if ARGV.length == 1
  cleartextpwd = ARGV.shift
  puts 'unicodePwd:: ' + cleartext2unicode(cleartextpwd)
end


Cheers
Massimiliano
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
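The password encoding and userAccountControl handling described in the post above, as an added Ruby example that is not part of the original message: it encodes the password with String#encode (so non-ASCII characters are handled, which the NUL-interleaving trick does not), decodes the mask values the post quotes, and assumes one flag the post does not list, ADS_UF_DONT_EXPIRE_PASSWD (0x10000), to decode 66048.

```ruby
#!/usr/bin/env ruby
# Added example (not the list post's script): builds the LDIF changes the
# post applies with ldapmodify and decodes userAccountControl masks.
require 'base64'

# AD stores unicodePwd as the password wrapped in double quotes, UTF-16LE.
# String#encode handles non-ASCII passwords correctly.
def unicode_pwd_base64(cleartext)
  utf16 = ('"' + cleartext + '"').encode('UTF-16LE')
  Base64.strict_encode64(utf16.b)
end

# userAccountControl bits: the three from the post plus
# ADS_UF_DONT_EXPIRE_PASSWD (0x10000), assumed here to explain 66048.
UAC_FLAGS = {
  0x0002  => 'ADS_UF_ACCOUNTDISABLE',
  0x0020  => 'ADS_UF_PASSWD_NOTREQD',
  0x0200  => 'ADS_UF_NORMAL_ACCOUNT',
  0x10000 => 'ADS_UF_DONT_EXPIRE_PASSWD',
}.freeze

# Names of the known bits set in a userAccountControl value, low bit first.
def uac_flags(value)
  UAC_FLAGS.select { |bit, _| (value & bit) != 0 }.values
end

# Clear the "disabled" and "no password required" bits: the post turns
# the freshly created account's 546 into 512 this way.
def uac_enable(value)
  value & ~(0x0002 | 0x0020)
end

# LDIF "modify" entry replacing one attribute; base64 values use "::".
def ldif_replace(dn, attr, value, base64: false)
  sep = base64 ? '::' : ':'
  "dn: #{dn}\nchangetype: modify\nreplace: #{attr}\n#{attr}#{sep} #{value}\n"
end

# Usage: script.rb 'CN=foobar,CN=Users,DC=yoursite,DC=com' secret
if __FILE__ == $0 && ARGV.length == 2
  dn, pwd = ARGV
  puts ldif_replace(dn, 'unicodePwd', unicode_pwd_base64(pwd), base64: true)
  puts ldif_replace(dn, 'userAccountControl', uac_enable(546))
end
```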


[Samba] Setting AD password from Linux

2004-08-18 Thread Massimiliano Mirra

I'm migrating an AD service over to OpenLDAP.  There will be a
transitional period where logins will still be served by AD, but
address book/mail/etc. will be authenticated against OpenLDAP, so I'd
like to provide the AD admins with a way of creating users in OpenLDAP
and having the change replicated in AD (most likely a web interface).

All goes well for putting user data in AD.  Not as well for activating
login for the user.

I've tried the following ways: 1) creating an AD LDAP record that
closely matched the existing ones, and setting the password via
ldapmodify.  User can't bind to AD nor to the DC via rpcclient.  2)
creating a user via rpcclient's createdomuser.  Problem: how should
the password be set?  I tried with net ads password, which reported
success, but logging via rpcclient to DC with password failed while
logging without succeeded.  3) I tried using net ads user add, getting
only `Server unwilling to perform'.

I suspect the problem lies in AD not creating the kerberos principal
in any of these cases; even after setting password through LDAP,
when requesting a ticket, kinit's response is: kinit (v5): Clients
credentials have been revoked while getting initial credentials.  The
password changing mechanism works for existing users created on AD.
Or maybe the machine from where user creation requests originate must
have joined the AD domain?  (In which case: do smbd and/or nmbd have
to run as well?)

It is not a show-stopping problem (I can always have the AD users
first create a user in AD, grab it with some script and copy it over
to OpenLDAP, where attributes relevant to mail, groupware and such are
added).  I'd like to sort this out, though.

Thanks for any insight.

Massimiliano


Re: [Samba] Profiles and automatic drive mappings

2002-10-15 Thread Massimiliano Mirra

  The 2000 machines also write a profile directory in that share, and
  copy the entire desktop contents to it each time the user logs
  off. For most of the users, this isn't a problem, but some users
  have a gig of video files on their desktop, and writing all that
  crap to the server is not necessary and slow.
 
  How do I make samba stop automatically mapping Z: as their home
  directory, and how do I make the profile writing to the server
  stop?

Does this help you?

[global]

logon path = \\%N\profiles\%U
logon home = \\%N\%U
logon drive = Z:

[profiles]

path = /lan/samba/profile

This way, profiles are kept in a different disk share than homes, and
that share can be in a different partition altogether, where you can
set quotas; users will be able to save their gig of video files in
their home but will run out of space if they try to do it on their
desktop.

If you've found a better solution in the mean while, I'd be glad to
hear it. :-)

Massimiliano




[Samba] obtaining domain sid

2002-10-13 Thread Massimiliano Mirra
I've read on usenet about using `smbpasswd -S' from the latest 2_2 to
get the MACHINE.SID of an existing PDC into the secrets.tdb of a
soon-to-become BDC.  I've also noticed `net setlocalsid SID' in
alpha20.  Is there any way to do the same on alpha18?

(I'm staying with alpha18 for now because, for some reason, with
alpha20 the PDC just vanishes from the domain.)

Massimiliano



Re: [Samba] obtaining domain sid

2002-10-13 Thread Massimiliano Mirra

On Sun, Oct 13, 2002 at 02:17:39PM +0200, Massimiliano Mirra wrote:
 (I'm staying with alpha18 for now because, for some reason, with
 alpha20 the PDC just vanishes from the domain.)

I solved this, and in case someone else had the same problem, here's
the fix:

security = domain


Massimiliano



[Samba] Same configs, different results

2002-10-11 Thread Massimiliano Mirra

I am configuring two identical PDCs so that, if one goes down, the
other can start to serve logins.

The first PDC, a Debian 3.0 with Samba 2.999+3.0cvs20020723-1, works
fine.

The second PDC, which I bring up after manually killing smbd and nmbd
on the first one, is a Red Hat 7.3 with Samba compiled from the same
sources (but with gcc 2.96 instead of 2.95) and the same smb.conf,
except for the interfaces parameter.  It serves logins to XP clients
well.  It does not with W2k.

Both get account data from the same LDAP server.

In log.smbd, after a failed login from a W2k host, I cannot find what
goes wrong (the Domain Group warning appears when clients successfully
log in with the other PDC, too):


[2002/10/11 16:58:55, 3] rpc_server/srv_pipe.c:api_pipe_request(1136)
  Doing \PIPE\NETLOGON
[2002/10/11 16:58:55, 3] rpc_server/srv_pipe.c:api_rpcTNP(1168)
  api_rpcTNP: rpc command: NET_SAMLOGON
[2002/10/11 16:58:55, 3]
rpc_server/srv_netlog_nt.c:_net_sam_logon(547)
  SAM Logon (Interactive). Domain:[DEBIAN].  User:[foo@HAL9000]
  Requested Domain:[DEBIAN]
[2002/10/11 16:58:55, 3] auth/auth.c:check_ntlm_password(190)
  check_password:  Checking password for unmapped user
  [DEBIAN]\[foo]@[HAL9000] with the new password interface
[2002/10/11 16:58:55, 3] auth/auth.c:check_ntlm_password(193)
  check_password:  mapped user is: [DEBIAN]\[foo]@[HAL9000]
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:push_sec_ctx(255)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 3] smbd/uid.c:push_conn_ctx(278)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:set_sec_ctx(287)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 2]
passdb/pdb_ldap.c:ldapsam_open_connection(249)
  ldap_open_connection: connection opened
[2002/10/11 16:58:55, 2] passdb/pdb_ldap.c:ldapsam_connect_system(326)
  ldap_connect_system: succesful connection to the LDAP server
[2002/10/11 16:58:55, 2]
passdb/pdb_ldap.c:ldapsam_search_one_user(338)
  ldapsam_search_one_user: searching
  for:[((uid=foo)(objectclass=sambaAccount))]
[2002/10/11 16:58:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(584)
  Entry found for user: foo
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:pop_sec_ctx(394)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 3] auth/auth.c:check_ntlm_password(222)
  check_password: sam authentication for user [foo] suceeded
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:push_sec_ctx(255)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 3] smbd/uid.c:push_conn_ctx(278)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:set_sec_ctx(287)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:pop_sec_ctx(394)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 2] auth/auth.c:check_ntlm_password(261)
  check_password:  authentication for user [foo] - [foo] - [foo]
  suceeded
[2002/10/11 16:58:55, 0]
rpc_server/srv_util.c:get_domain_user_groups(346)
  get_domain_user_groups: primary gid of user [foo] is not a Domain
  group !
  get_domain_user_groups: You should fix it, NT doesn't like that
[2002/10/11 16:58:55, 3]
rpc_server/srv_pipe_hnd.c:free_pipe_context(548)
  free_pipe_context: destroying talloc pool of size 4742
[2002/10/11 16:58:55, 3] smbd/pipes.c:reply_pipe_write_and_X(198)
  writeX-IPC pnum=74d7 nwritten=272
[2002/10/11 16:58:55, 3] smbd/process.c:process_smb(868)
  Transaction 33 of length 63
[2002/10/11 16:58:55, 3] smbd/process.c:switch_message(679)
  switch message SMBreadX (pid 6689)
[2002/10/11 16:58:55, 3] smbd/pipes.c:reply_pipe_read_and_X(241)
  readX-IPC pnum=74d7 min=1024 max=1024 nread=524


The message on the W2k host says (translated):

``Access denied.  Make sure username and password are correct...''

This is the smb.conf on both machines:


[global]
workgroup = DEBIAN
server string = Debian Samba Server
encrypt passwords = true
interfaces = 192.168.65.222/24

domain logons = yes
os level = 34
preferred master = yes
local master = yes
domain master = yes

# providing fqdn of ldap server when using ssl is CRITICAL
passdb backend = ldapsam:ldaps://my.ldap.server tdbsam
log level = 3
# remove root from the following prior to adding a new machine 
invalid users = root daemon bin sys sync games man lp mail news uucp proxy postgres www-data backup operator list irc gnats identd sshd postfix dictd bard
security = user
browseable = no
writeable = no
guest ok = no

use spnego = no
ldap suffix = dc=rcost,dc=unisannio,dc=it
ldap machine suffix = ou=Computers,dc=rcost,dc=unisannio,dc=it
ldap user suffix = ou=Users,dc=rcost,dc=unisannio,dc=it
ldap admin dn = cn=admin,dc=rcost,dc=unisannio,dc=it
ldap ssl = yes
#add user script = 

[Samba] multiple alternative LDAP backends

2002-10-10 Thread Massimiliano Mirra

I'm using Samba marked 2.999+3.0cvs20020723 from Debian `sid'.

In smb.conf, I've got:

   passdb backend = ldapsam:ldaps://master.ldap.server ldapsam:ldaps://backup.ldap.server tdbsam

All works fine when both ldap servers are up, or when at least the
first is up.  When the first is down, though, samba tries to connect
to it, doesn't manage to, and gives up instead of trying the next
one(s).

This is the log output:

Oct 10 14:31:23 newton smbd[13549]: [2002/10/10 14:31:23, 0] 
passdb/pdb_ldap.c:ldapsam_connect_system(322)
Oct 10 14:31:23 newton smbd[13549]:   Bind failed: Can't contact LDAP server
Oct 10 14:31:23 newton smbd[13549]: [2002/10/10 14:31:23, 0] 
passdb/pdb_ldap.c:ldapsam_getsampwnam(1206)
Oct 10 14:31:23 newton smbd[13549]:   ldapsam_getsampwnam: init_sam_from_ldap failed!


Is this by design?  Can samba still be forced to try next backends if
the current one can't be accessed?


Massimiliano Mirra