LDAP Synchronization

Robert Colquhoun robert.colquhoun at gmail.com
Sat Jun 16 00:36:33 MDT 2012


I have been trying to migrate our current Samba3/Openldap system to
Samba 4 with AD...

As there are a lot of services running off ldap at the moment don't
think i can simply run samba3 migrate and switch off the ldap system.
Instead was planning to run both systems side by side for the moment
till can work through all the different applications.  To do this was
trying to construct a synchronization script that replicated data
between the 2 systems.  This is almost working but i am having
difficulty with passwords.

In the ldap system have userPassword(which the unix applications use)
and sambaNTPassword(which samba 3 and i think some other services like
L2TP and PPTP windows clients).  I have been trying to figure if it is
possible to get the 'sambaNTPassword' attribute to work with samba4,
the migrate script seems to do it somehow.  Or is samba 4 using
something different to hash with?

At the moment can only change the password if i have clear text.
Looking at the code it seems to do some kind of switch if the first
character is a " then assumes a plain text password follows otherwise
some kind of hash is assumed.

ie example test program to set and read back password:

#!/usr/bin/env python
import base64
import subprocess

sam_file = "/usr/local/samba/private/sam.ldb"
user_id = "Robert Colquhoun,CN=Users,DC=bleh,DC=example,DC=com,DC=au"
password = "\"Test16062012\""
cmd = """ldbmodify -H %s <<EOF
dn: CN=%s
changetype: modify
replace: unicodePwd
unicodePwd:: %s
""" % (sam_file, user_id, base64.b64encode((password).encode('utf-16-le')))
print cmd
subprocess.call(cmd, shell=True)
cmd = """ldbsearch -H %s \"(distinguishedName=CN=%s)\" unicodePwd""" %
(sam_file, user_id)
print cmd
subprocess.call(cmd, shell=True)

Running this results in:

# ./testchangepassword.py
ldbmodify -H /usr/local/samba/private/sam.ldb <<EOF
dn: CN=Robert Colquhoun,CN=Users,DC=bleh,DC=example,DC=com,DC=au
changetype: modify
replace: unicodePwd

Modified 1 records successfully
ldbsearch -H /usr/local/samba/private/sam.ldb
Colquhoun,CN=Users,DC=bleh,DC=example,DC=com,DC=au)" unicodePwd
# record 1
dn: CN=Robert Colquhoun,CN=Users,DC=bleh,DC=example,DC=com,DC=au
unicodePwd:: GTEj2JYN+k+kPSgieq+njw==

ie It has converted my plain text password input into something else,
what exactly? and is it compatible in any way with the previous
'sambaNTPassword' that samba3/ldap systems use?

Thank you in advance for any help with this.

- Robert

More information about the samba-technical mailing list