Windows: 2003 R2 with the installed unix attributes!!!

I am trying to populate a Microsoft Windows 2003 R2 AD with a list of usernames & passwords. I can successfully add, modify and delete users from AD with no problem whatsoever. However, I just don't seem able to set a known password, log in to the Linux server (RHEL) and change it.


# /usr/sbin/slappasswd -u
New password: Letmein1
Re-enter new password: Letmein1
{SSHA}f4LMauMbl12eFdzO9yBkpOaA5DmxdFvD

# cat modify.ldif
dn: CN=adtest4,OU=K9,OU=Users,OU=UK,DC=eur,DC=zxy,DC=corp
changetype: modify
replace: unixUserPassword
unixUserPassword: f4LMauMbl12eFdzO9yBkpOaA5DmxdFvD
pwdLastSet: 0

# ldapadd -x -h adserver -D svc_users -w secrect -f modify.ldif
modifying entry "CN=adtest4,OU=K9,OU=Users,OU=UK,DC=eur,DC=zxy,DC=corp"

# telnet red1

login: adtest4
Password: Letmein1
Login incorrect <<

# tail /var/log/secure
Oct 28 11:19:45 red1 login: pam_krb5[4922]: keytab: FILE:/etc/krb5.keytab
Oct 28 11:19:45 red1 login: pam_krb5[4922]: called to authenticate 'adtest4', realm 'EUR.ZXY.CORP'
Oct 28 11:19:45 red1 login: pam_krb5[4922]: authenticating 'adtest4@EUR.ZXY.CORP'
Oct 28 11:19:45 red1 login: pam_krb5[4922]: trying previously-entered password for 'adtest4', allowing libkrb5 to prompt for more
Oct 28 11:19:45 red1 login: pam_krb5[4922]: authenticating 'adtest4@EUR.ZXY.CORP' to 'krbtgt/EUR.ZXY.CORP@EUR.ZXY.CORP'
Oct 28 11:19:45 red1 login: pam_krb5[4922]: attempting with password="Letmein1"
Oct 28 11:19:45 red1 login: pam_krb5[4922]: krb5_get_init_creds_password(krbtgt/EUR.XZY.CORP@EUR.ZXY.CORP) returned -1765328360 (Preauthentication failed)
Oct 28 11:19:45 red1 login: pam_krb5[4922]: got result -1765328360 (Preauthentication failed)
Oct 28 11:19:45 red1 login: pam_krb5[4922]: authentication fails for 'adtest4' (adtest4@EUR.ZXY.CORP): Authentication failure (Preauthentication failed)
Oct 28 11:19:45 red1 login: pam_krb5[4922]: pam_authenticate returning 7 (Authentication failure)

While researching the issue I found this way of doing it.

# perl -e 'print("userPassword: {CRYPT}".crypt("Letmein1","Letmein1-salt")."\n");'
userPassword: {CRYPT}LeZ.kKk3lKgX2

You can log in OK, but you don't appear to use AD and the getent command displays the hashed password.

# getent passwd adtest1
ADTEST1:*:10015:100:adtest1:/home/login:/bin/sh <<ok

# getent passwd adtest4
adtest4:LeZ.kKk3lKgX2:11003:100:adtest4:/home/login:/bin/sh

Note the hashed password value in place of the *

Login (No ticket from AD)

login: adtest4
Password: Letmein1

# id
uid=11003(adtest4) gid=100(users) groups=100(users)

# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_p10160)

Kerberos 4 ticket cache: /tmp/tkt11003
klist: You have no tickets cached

What am I doing wrong?
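
Added example (not part of the original post, and not the poster's code): a small audit of the two outputs shown above. It flags pam_krb5 debug lines that write the password to /var/log/secure, decodes the Kerberos result code, and lists accounts whose hash is visible through getent. The sample input is constructed from lines in the post, and the function names are hypothetical.

```python
import re

# Constructed sample input, taken from the /var/log/secure and getent output in the post.
SECURE_LOG = """\
Oct 28 11:19:45 red1 login: pam_krb5[4922]: authenticating 'adtest4@EUR.ZXY.CORP'
Oct 28 11:19:45 red1 login: pam_krb5[4922]: attempting with password="Letmein1"
Oct 28 11:19:45 red1 login: pam_krb5[4922]: got result -1765328360 (Preauthentication failed)
"""
GETENT = """\
ADTEST1:*:10015:100:adtest1:/home/login:/bin/sh
adtest4:LeZ.kKk3lKgX2:11003:100:adtest4:/home/login:/bin/sh
"""

# ERROR_TABLE_BASE_krb5 in MIT Kerberos: code minus base gives the protocol error number.
KRB5_BASE = -1765328384
PASSWORD_RE = re.compile(r'pam_krb5\[\d+\]: attempting with password="(.*)"')
RESULT_RE = re.compile(r'pam_krb5\[\d+\]: got result (-?\d+) \((.*)\)')
# Values that stand in for a hash kept elsewhere, or mark a locked account.
PLACEHOLDERS = ("", "*", "x", "!", "!!")

def audit_secure_log(text):
    """Return (line number, kind, detail) findings; the password itself is never echoed."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PASSWORD_RE.search(line)
        if m:
            findings.append((n, "cleartext-password-logged", f"{len(m.group(1))} chars"))
        m = RESULT_RE.search(line)
        if m and int(m.group(1)) != 0:
            number = int(m.group(1)) - KRB5_BASE
            findings.append((n, "krb5-error", f"protocol error {number}: {m.group(2)}"))
    return findings

def exposed_hashes(getent_text):
    """Return account names whose passwd field carries a hash rather than a placeholder."""
    exposed = []
    for line in getent_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[1] not in PLACEHOLDERS:
            exposed.append(fields[0])
    return exposed

if __name__ == "__main__":
    for finding in audit_secure_log(SECURE_LOG):
        print(finding)
    print("hash visible via getent:", exposed_hashes(GETENT))
```

Protocol error 24 is the KDC's pre-authentication failure: the password typed at login did not match the key the KDC holds for the account.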