sambar4: user creation with ldap and initial password
From: Michael Wood <esiot...@gmail.com>
Newsgroups: linux.samba
Subject: Re: [Samba] sambar4: user creation with ldap and initial password
Date: Mon, 05 Nov 2012 12:00:02 +0100
Message-ID: <k2szo-6I9-5@gated-at.bofh.it>
References: <k12nE-8jd-13@gated-at.bofh.it> <k2lHA-6N9-13@gated-at.bofh.it> <k2pia-2Np-9@gated-at.bofh.it> <k2pia-2Np-7@gated-at.bofh.it>
X-Original-To: Andrew Bartlett <abart...@samba.org>
List-ID: General questions regarding Samba <samba.lists.samba.org>
List-Archive: <http://lists.samba.org/pipermail/samba>
X-Original-Cc: sa...@lists.samba.org, Thomas Mueller <tho...@chaschperli.ch>
X-Original-Date: Mon, 5 Nov 2012 12:54:45 +0200
On 5 November 2012 09:28, Andrew Bartlett <abart...@samba.org> wrote:
> On Mon, 2012-11-05 at 08:18 +0100, Thomas Mueller wrote:
>> Am 05.11.2012 04:31, schrieb Andrew Bartlett:
>> > On Thu, 2012-11-01 at 12:44 +0000, Thomas Mueller wrote:
>> >> Hi
>> >>
>> >> Trying to create a user with LDAP from a remote server. The user is
>> >> created successfully. I'm failing to set the initial password.
>> >>
>> >> Setting the unicodePwd with Kerberos administrator credentials with
>> >> ldbmodify and the LDIF below results in "00002035: setup_io: it's not
>> >> allowed to set the NT hash password directly".
>> >>
>> >> Searching the web I've found s4 mailing list entries saying "do not set
>> >> unicodePwd with LDAP". This KB article says that in AD it's possible to set
>> >> it: http://support.microsoft.com/kb/263991/en-us
>> >>
>> >> Is there a supported method to supply the initial user password with s4
>> >> and LDAP?
>> >>
>> >> - Thomas
>> >>
>> >> LDIF:
>> >> dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
>> >> changetype: modify
>> >> replace: unicodePwd
>> >> unicodePwd:: $IlRlc3QxMjMtLSIK
>> > To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.
>> I was using the following command to address this UTF-16LE requirement:
>>
>> echo \"PASSWORD\" | iconv -t UTF16LE | base64
I get "IgBQAEEAUwBTAFcATwBSAEQAIgAKAA==" from the above, which seems
OK to me, except that it has an extra "\n" on the end before encoding.
This works better:
$ echo -n \"PASSWORD\" | iconv -t UTF16LE | base64
IgBQAEEAUwBTAFcATwBSAEQAIgA=
Python gives me the same thing:
>>> '"PASSWORD"'.encode("utf-16le").encode("base64")
'IgBQAEEAUwBTAFcATwBSAEQAIgA=\n'
> Either way, the base64 string just doesn't look long enough for that.
>
> This seems closer:
> //4iAFQAZQBzAHQAMQAyADMALQAtACIA
Are you sure? Yours includes a BOM, which I don't think is necessary:
>>> "//4iAFQAZQBzAHQAMQAyADMALQAtACIA".decode("base64").decode("utf-16le")
u'\ufeff"Test123--"'
>> > See however the userPassword, which is a normal, utf8 unquoted string
>> > (ie, sane :-)
>> Just tried it. Problems:
>>
>> 1) the userPassword attribute is plaintext readable with ldap afterwards
>> 2) the kerberos password is not set ("kinit user" fails)
>
> You may not have the userPassword feature enabled. It's odd that we let
> it stick in ldap however - can you confirm exactly what AD does here, so
> I can match it?
--
Michael Wood <esiot...@gmail.com>
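As an added example (not code from this thread or from Samba), a Python 3 helper that builds the unicodePwd LDIF value the way the thread converges on it (password in double quotes, UTF-16LE, no BOM, no trailing newline, then base64) and a checker that flags the three mistakes discussed above. The DN is a constructed sample.

```python
import base64

# Added example, not code from the mailing-list thread or from Samba.
# AD and Samba 4 expect unicodePwd as: '"' + password + '"' encoded as
# UTF-16LE (no byte order mark), no trailing newline, then base64 in LDIF.

BOM = "\ufeff"


def unicode_pwd_ldif_value(password: str) -> str:
    """Return the base64 string for a `unicodePwd::` LDIF line."""
    # "utf-16le" never emits a BOM; plain "utf-16" would, which AD rejects.
    raw = f'"{password}"'.encode("utf-16le")
    return base64.b64encode(raw).decode("ascii")


def unicode_pwd_modify_ldif(dn: str, password: str) -> str:
    """Build the complete `changetype: modify` LDIF for ldbmodify/ldapmodify."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {unicode_pwd_ldif_value(password)}\n"
    )


def check_unicode_pwd(b64_value: str) -> list:
    """Decode a candidate value and list the encoding mistakes seen in the thread."""
    problems = []
    try:
        # validate=True rejects stray characters such as the "$" in the original LDIF.
        raw = base64.b64decode(b64_value, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ["not valid base64"]
    if len(raw) % 2:
        # UTF-16 is always an even number of bytes; odd means ASCII/UTF-8 was used.
        return ["odd byte count: not UTF-16LE (ASCII/UTF-8 encoded?)"]
    text = raw.decode("utf-16le")
    if text.startswith(BOM):
        problems.append("leading BOM (U+FEFF) present")
        text = text[1:]
    if text.endswith("\n"):
        problems.append("trailing newline (use echo -n)")
        text = text.rstrip("\n")
    if len(text) < 2 or not (text.startswith('"') and text.endswith('"')):
        problems.append("password is not wrapped in double quotes")
    return problems
```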