
[Samba] Changing active directory user password via LDAP


Tadas

Apr 30, 2014, 7:50:02 AM
Hello, lists.

I'm struggling to find out how one can change the password of an Active
Directory (Samba4-based) user via LDAP.

The problem is that if I try to use userPassword parameter:

dn: CN=John Smith,cn=Users,DC=domain,DC=com
changetype: modify
replace: userPassword
userPassword: newPassword

ldapmodify -v -c -a -f filename.ldif -H ldaps://server.domain.com -D \
admini...@domain.com -W
ldap_initialize( ldaps://server.domain.com:636/??base )

Enter LDAP Password:
replace userPassword:
newPassword
modifying entry "CN=John Smith,cn=Users,DC=domain,DC=com"
modify complete

This seems to work, but does not affect the user in any way. As far as I
managed to find out, userPassword is not a native Active Directory
attribute; you must use the unicodePwd attribute instead.
But then I run into another problem:

dn: CN=John Smith,cn=Users,DC=domain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd: newPassword

ldapmodify -v -c -a -f filename.ldif -H ldaps://server.domain.com -D \
admini...@domain.com -W
ldap_initialize( ldaps://server.domain.com:636/??base )
Enter LDAP Password:
replace unicodePwd:
newPassword
modifying entry "CN=John Smith,cn=Users,DC=domain,DC=com"
ldap_modify: Server is unwilling to perform (53)
additional info: 00002035: setup_io: it's not allowed to set the
NT hash password directly'

It seems that Samba4 does not allow changing this attribute directly.
So the question would be: is it possible to change an AD user password via
LDAP, or can this only be done via Samba tools and a Windows client?

Thank you.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Iñigo Martinez Lasala

Apr 30, 2014, 12:30:01 PM
Try this:
https://code.google.com/p/ad-change-pass/

It worked for us.

----- Original message -----
From: "Tadas" <ta...@ring.lt>
To: sa...@lists.samba.org
Sent: Wednesday, 30 April 2014 13:33:46
Subject: [Samba] Changing active directory user password via LDAP

Tadas

Apr 30, 2014, 2:40:01 PM
Hmm, you are right. This script works. Now I just have to reverse-engineer
it and find out why my command line does not work :)
Thank you for pointing this out.

Andrew Bartlett

Apr 30, 2014, 11:10:01 PM
unicodePwd has to be set as a UTF-16 string surrounded by a UTF-16
" (yes really!) value on each side.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Tadas

May 2, 2014, 5:40:01 AM
Thanks everyone for the support.

Here's a working shell script:

#!/bin/bash
password=test
# AD/Samba expect the password wrapped in double quotes, encoded as UTF-16LE
password='"'"$password"'"'
# printf '%s' so the password is never interpreted as a format string;
# base64 -w 0 (GNU) keeps the value on a single line for the LDIF
u16pass=$(printf '%s' "$password" | iconv -f ascii -t UTF16LE | base64 -w 0)
echo "dn: CN=John Smith,cn=Users,DC=domain,DC=com" >ldap.ldif
echo "changetype: modify" >>ldap.ldif
echo "replace: unicodePwd" >>ldap.ldif
# '::' marks a base64-encoded attribute value in LDIF
echo "unicodePwd:: $u16pass" >>ldap.ldif
ldapmodify -v -c -a -f ldap.ldif -H ldaps://server.domain.com -D \
admini...@domain.com -W
rm ldap.ldif

On Fri, 2014-05-02 at 05:53 +1000, Dewayne Geraghty wrote:
> I think it's all here, in functions.php:
> $newPassword = "\"" . $newPassword . "\"";
> $len = strlen($newPassword);
> $newPassw = "";
> for ($i = 0; $i < $len; $i++) {
> $newPassw .= "{$newPassword{$i}}\000";
> }
> $newPassword = $newPassw;
> $userdata["unicodePwd"] = $newPassword;
> $result = ldap_mod_replace($ldap_connection, $userDn , $userdata);
> but how to do this in a sh script is a challenge. Please share if you
> can work it out, as I have the same need.
>
> Regards, Dewayne.
> Sydney, Australia.
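The same encoding Andrew describes and the shell script above implements, as an added example in Python (not code from anyone in this thread): the password is wrapped in double quotes, encoded UTF-16LE, base64-encoded for the LDIF "::" form, and long lines are folded per RFC 2849. It goes a little beyond the thread in that it also accepts non-ASCII passwords, which the iconv -f ascii pipeline would reject. The DN and passwords are constructed sample values.

```python
import base64


def unicode_pwd_value(password: str) -> bytes:
    """Encode a password the way AD/Samba expect it in unicodePwd:
    the literal password wrapped in double quotes, as UTF-16LE (no BOM)."""
    return f'"{password}"'.encode("utf-16-le")


def fold_ldif_line(line: str, width: int = 76) -> str:
    """Wrap a long LDIF line per RFC 2849: every continuation line
    starts with a single space, which readers strip when unfolding."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1 :]
    return "\n".join(parts)


def build_unicode_pwd_ldif(dn: str, password: str) -> str:
    """Build the LDIF that replaces unicodePwd; '::' marks a base64 value."""
    b64 = base64.b64encode(unicode_pwd_value(password)).decode("ascii")
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        fold_ldif_line(f"unicodePwd:: {b64}"),
        "-",
    ]
    return "\n".join(lines) + "\n"


def decode_unicode_pwd(value: bytes) -> str:
    """Reverse check: decode a unicodePwd value and strip the required quotes."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return text[1:-1]


if __name__ == "__main__":
    # Constructed sample DN and password; the DN mirrors the one in the thread.
    ldif = build_unicode_pwd_ldif("CN=John Smith,cn=Users,DC=domain,DC=com", "test")
    print(ldif)
    # Feed the output to: ldapmodify -H ldaps://<server> -D <bind DN> -W -f <file>
```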