[Samba] How to manage users with encrypted passwords

Stéphane PURNELLE stephane.purnelle at corman.be
Thu Jun 12 07:01:39 MDT 2014


OK...

One ldap server with some data
One DC (samba 4) with auto creation/modify from ldap server.

For me, just do a script (scheduled with crontab) that reads information from
ldap and uses samba-tool to modify/create users

but you need to extract passwd from ldap server to use it in your script

regards

        Stéphane Purnelle

-----------------------------------
Stéphane PURNELLE                         Systems and Network Admin.
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 12/06/2014 14:55:14:

> From: Benjamin Rocton <Benjamin.Rocton at upmf-grenoble.fr>
> To: samba at lists.samba.org,
> Date: 12/06/2014 14:55
> Subject: Re: [Samba] How to manage users with encrypted passwords
> Sent by: samba-bounces at lists.samba.org
> 
> I have two LDAP:
> One that contains all users and facts for the information system. Not 
> only information for DC. _It is not specified or controlled by
> me_, I only need to use the information it contains to create the right 
> users in my domain.
> Another for samba3, with samba3 scheme. It will disappear when samba4 
> will be in production. Currently it is synchronized with the first LDAP 
> through LDAP scripts homemade. I would like to reproduce this behavior 
> with samba4.
> 
> 
> Benjamin
> 
> On 12/06/2014 14:03, Rowland Penny wrote:
> > On 12/06/14 12:46, Benjamin Rocton wrote:
> >> Thank you for your reply.
> >>
> >> I read the wiki about classicupgrade (this is the same as 
> >> samba3upgrade).
> >> I have no problem to provision samba4 with classicupgrade. It works 
> >> well and I get my users.
> >> My problem is "after". how I create new users, how do I delete old 
> >> users. I will not re-provision with "classicupgrade" every night for 
> >> a Samba4 updated.
> >> And I do not want this to be done manually on Samba4. There are too 
> >> many changes.
> >> In summary:
> >> I have an LDAP repository (openldap) with a home regimen. It contains 
> >> all the users and their encrypted passwords.
> >> I want to regularly update Samba4 with the information contained in 
> >> the LDAP.
> >>
> >> I don't know if I'm clear. I don't speak English very well.
> >>
> >> Benjamin
> >>
> >
> > I think that you are being very clear.
> >
> > Let's see if I get this correct:
> >
> > You have extracted all your users, groups and computers from your 
> > openldap and by using 'classicupgrade', have inserted them into your 
> > new samba4 AD DC.
> >
> > You still want to use your openldap machine AND the new samba4 AD dc, 
> > why?????
> >
> > If the upgrade went correctly, turn off the openldap machine, you do 
> > not need it anymore.
> >
> > Rowland
> >>
> >> On 12/06/2014 13:16, Rowland Penny wrote:
> >>> On 12/06/14 11:54, Benjamin Rocton wrote:
> >>>> Hi,
> >>>>
> >>>> I do not really understand your question. What is the difference?
> >>> A great deal actually, samba4 can do anything that samba3 can do 
> >>> PLUS it can be set up to be an Active Directory domain controller.
> >>>
> >>>> I thought samba4 was necessarily an emulation of an AD DC. This is 
> >>>> not the case?
> >>>
> >>> Yes and no, see above response.
> >>>
> >>>>
> >>>> I installed two Samba4 DC for tests:
> >>>> - One with the "samba-tool domain provision" (server role "dc" ldap 
> >>>> internal).
> >>>> - And another with "samba-tool domain samba3upgrade ..." to import 
> >>>> the data from the current Samba3.
> >>>>
> >>>
> >>> Initially you only need one 'unprovisioned' samba4 AD DC and the 
> >>> command to run is:
> >>>
> >>> samba-tool domain classicupgrade
> >>>
> >>> This should extract the info from your S3 PDC and provision S4.
> >>>
> >>> I would suggest that you go and read the samba wiki, specifically 
> >>> this page:
> >>>
> >>>  https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
> >>>
> >>>
> >>> I would also hope that you are doing this in a test situation i.e. 
> >>> not in production.
> >>>
> >>>> The goal is to have a Samba4 AD DC.
> >>>>
> >>>> I do not know if I answered the question. Sorry.
> >>>
> >>> Yes, you did, I hope my answers help you to get to your goal.
> >>>
> >>> Rowland
> >>>>
> >>>> Benjamin
> >>>>
> >>>> On 12/06/2014 12:21, Rowland Penny wrote:
> >>>>> On 12/06/14 10:52, Benjamin Rocton wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>> I set up Samba4 to replace our Samba3. I am having problems to 
> >>>>>> populate samba4 and automatically manage the lifecycle of users.
> >>>>>> All of our users are already in an LDAP directory and I would 
> >>>>>> like to create a connector for "synchronised" LDAP users to 
> >>>>>> Samba4.
> >>>>>> I thought to develop a script that would use Python libraries of 
> >>>>>> Samba-tool.
> >>>>>>
> >>>>>> I have a problem to manage passwords.
> >>>>>> I can not have access to user passwords in clear text. But I can 
> >>>>>> have it in any encrypted form.
> >>>>>> Is there a solution to push a Hash password to Samba4? If yes, 
> >>>>>> what kind of Hash?
> >>>>>>
> >>>>>> In addition, where are stored the passwords in Samba4? Only in 
> >>>>>> the LDAP? In kerberos? Elsewhere?
> >>>>>> In what form?
> >>>>>> I did not find any info on it.
> >>>>>>
> >>>>>> Thank you for your help.
> >>>>>>
> >>>>>> Regards,
> >>>>>> Benjamin
> >>>>>>
> >>>>> Hi, when you say 'I set up Samba4 to replace our Samba3.' just how 
> >>>>> have you setup samba4 ? Have you used samba4 just like samba3 or 
> >>>>> have you set up an AD DC ?
> >>>>>
> >>>>> Once you answer the above, I am sure that we can move on to help 
> >>>>> you get to a working solution.
> >>>>>
> >>>>> Rowland
> >>>>
> >>>
> >>
> >
> 

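A sketch of the cron-driven sync suggested at the top of this thread, added here as an example and not code from any poster or from the Samba project. It assumes cleartext passwords are unavailable, so new accounts get `--random-password`; the naming policy, the sample data and the choice to disable rather than delete are assumptions, and the function only plans commands without running them.

```python
import re

# Constructed sample data: LDIF as ldapsearch prints it (plain values only),
# and the one-name-per-line output of `samba-tool user list`.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
givenName: Alice
sn: Martin

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
givenName: Bob
sn: Durand

dn: uid=--help,ou=people,dc=example,dc=org
uid: --help
"""
SAMPLE_SAMBA_USERS = "Administrator\nGuest\nkrbtgt\nalice\ncarol\n"

SAFE_NAME = re.compile(r"^[a-z][a-z0-9._-]{0,19}$")  # assumed local naming policy
BUILTIN = {"administrator", "guest", "krbtgt"}         # never touched by the sync

def parse_ldif(text):
    """Return {uid: {attr: value}} for each entry (single-valued attributes)."""
    users = {}
    for block in text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "uid" in attrs:
            users[attrs["uid"]] = attrs
    return users

def plan_sync(ldif_text, samba_list_output):
    """Return (commands, rejected): argv lists to run, uids refused by SAFE_NAME."""
    source = parse_ldif(ldif_text)
    rejected = sorted(u for u in source if not SAFE_NAME.match(u))
    wanted = {u for u in source if SAFE_NAME.match(u)}
    present = {n.strip() for n in samba_list_output.splitlines() if n.strip()}
    managed = {n for n in present if n.lower() not in BUILTIN}
    commands = []
    for uid in sorted(wanted - managed):       # in LDAP, missing from the DC
        cmd = ["samba-tool", "user", "create", uid, "--random-password"]
        for attr, opt in (("givenName", "--given-name="), ("sn", "--surname=")):
            if attr in source[uid]:
                cmd.append(opt + source[uid][attr])
        commands.append(cmd)
    for name in sorted(managed - wanted):      # on the DC, gone from LDAP
        commands.append(["samba-tool", "user", "disable", name])
    return commands, rejected
```

Each planned command is an argv list meant for `subprocess.run(cmd, check=True)` without a shell, so attribute values from LDAP are never interpreted as shell syntax, and a uid that looks like an option is refused before it reaches `samba-tool`.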
