[PATCH] Ask for review. Set password from nt-hash. Useful to sync password from OpenLdap.

mathias dufresne infractory at gmail.com
Wed Jul 22 15:06:35 UTC 2015


Hi all,

Just to say we also need something to be able to synchronize Samba4
(working as AD) passwords with other LDAP trees. For security reasons (good
or not, that's not the question; they're security guys, we can't fight them)
no clear password has to be used (until they change their point of
view...), and so using the NT-Hash would greatly simplify this process.

Best regards,

mathias


2015-06-10 16:02 GMT+02:00 Alberto Maria Fiaschi <alberto.fiaschi at estar.toscana.it>:

> I followed your suggestion. I modified pdbedit to set user passwords from
> the nthash.
> I preferred to do it at the level of user modification because I need to
> filter users (not all users need to synchronize passwords).
> I will send an email with the patch to the list.
>
> Alberto
>
> On 04/06/2015 00:22, Andrew Bartlett wrote:
>
>> On Tue, 2015-05-26 at 11:22 +0200, Alberto Maria Fiaschi wrote:
>>
>>> My company needs to sync passwords from OpenLDAP to Samba4 AD.
>>> So I modified smbpasswd to set the password from the nt-hash value
>>> (sambaNTPassword attribute in the OpenLdap/Samba3 schema).
>>> Please review!
>>>
>> G'Day,
>>
>> Thanks for submitting the patch, and I'm sorry I didn't get back to you
>> sooner.  As more and more sites do a migration to Samba4 of OpenLDAP
>> based domains, tools like this to handle the transition will become even
>> more critical, and I really appreciate you proposing this for the
>> all-important staged migration case.
>>
>> In terms of the patch, I understand your need, but I would really prefer
>> we didn't do this particular way.  We shouldn't be changing
>> smbpasswd as a tool in any case; it is old and just too crufty (we keep
>> it for backward compatibility).  pdbedit, net or samba-tool are the
>> correct tools to modify.
>>
>> What I would like to see in this space is a modification of the
>> samba-tool domain classicupgrade tool (a --sync-passwords option, for
>> example), or similarly to the pdbedit -i -e mode.  That would update
>> passwords (potentially bi-directionally by switching the database order)
>> between the two domain databases based on the password last set time.
>>
>> The shortest route to what you want would seem to be a new switch to
>> pdbedit --sync-passwords-only, and to have that set
>>
>> In pdbedit.c, in that mode you would need to change export_database() to
>> call pdb_element_is_set_or_changed() on each password element, and then
>> call pdb_set_init_flags() if true.  That should also be less intrusive
>> than your current patch.
>>
>> We would need a test, presumably as part of our existing classicupgrade
>> tests, and it would be good to make pdbedit -i -e work in the 'update
>> all elements' case as well (calling those for every element from
>> PDB_UNINIT+1 to PDB_COUNT-1), but that would just be a bonus, clearly
>> nobody uses that :-)
>>
>> I hope this provides some useful guidance, and thanks for your
>> contribution to Samba!
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
>>
> --
> Alberto Maria Fiaschi <http://it.linkedin.com/pub/alberto-fiaschi/38/783/a5>
> alberto.fiaschi at estar.toscana.it
> ESTAR - Ente di Supporto Tecnico Amministrativo Regionale
> Infrastrutture Zona Centro
> Azienda Ospedaliero Universitaria Pisana
> Presidio Ospedaliero Spedali Riuniti Santa Chiara
> Via Roma, 67 - 56126 Pisa, Italy
> Tel. +39 050 99 3117
> Fax +39 050 99 3396
> profile on http://it.linkedin.com/pub/alberto-fiaschi/38/783/a5
>
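The sync selection Andrew sketches above (push a stored NT hash only when the source "password last set" time is newer than the AD side's, combined with Alberto's per-user filter), as an added Python illustration that is not code from this thread or from Samba. It assumes constructed OpenLDAP (Samba3 schema) and AD records and the standard conversion between Unix time and AD's 100 ns FILETIME values.

```python
# Added example: decide which accounts need their sambaNTPassword pushed from an
# OpenLDAP tree into Samba4 AD, based on password-last-set time. All records
# below are constructed; only the attribute names are the real schema names.
import re
from typing import Dict, List, Optional, Set, Tuple

# Seconds between the AD epoch (1601-01-01) and the Unix epoch (1970-01-01).
EPOCH_DIFF_1601_1970 = 11644473600
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")  # an NT hash is 16 bytes, hex-encoded

# Constructed OpenLDAP entries: uid -> (sambaNTPassword, sambaPwdLastSet as Unix seconds)
OPENLDAP_USERS: Dict[str, Tuple[str, int]] = {
    "alice": ("8846F7EAEE8FB117AD06BDD830B7586C", 1433930000),
    "bob":   ("31D6CFE0D16AE931B73C59D7E0C089C0", 1420000000),
    "carol": ("not-a-valid-hash", 1433930000),
    "dave":  ("0123456789ABCDEF0123456789ABCDEF", 1433930000),
}

# Constructed AD entries: sAMAccountName -> pwdLastSet (100 ns intervals since 1601)
AD_PWD_LAST_SET: Dict[str, int] = {
    "alice": 130783000000000000,  # older than alice's OpenLDAP value -> update
    "bob":   130900000000000000,  # newer than bob's OpenLDAP value  -> skip
    "carol": 0,                   # never set, but source hash is malformed -> skip
    "dave":  0,                   # never set -> update
}

def unix_to_ad_filetime(seconds: int) -> int:
    """Unix epoch seconds -> AD pwdLastSet (100-nanosecond intervals since 1601)."""
    return (seconds + EPOCH_DIFF_1601_1970) * 10_000_000

def ad_filetime_to_unix(filetime: int) -> int:
    """AD pwdLastSet -> Unix epoch seconds (fractional seconds dropped)."""
    return filetime // 10_000_000 - EPOCH_DIFF_1601_1970

def select_updates(only_users: Optional[Set[str]] = None) -> List[Tuple[str, bytes]]:
    """Return (user, nt_hash_bytes) for accounts whose OpenLDAP password is newer
    than AD's and whose stored hash is well-formed; only_users narrows the set."""
    updates: List[Tuple[str, bytes]] = []
    for uid, (nt_hex, last_set) in OPENLDAP_USERS.items():
        if only_users is not None and uid not in only_users:
            continue
        if not HEX32.match(nt_hex):
            continue  # refuse a malformed sambaNTPassword rather than write garbage
        ad_last = AD_PWD_LAST_SET.get(uid)
        if ad_last is None:
            continue  # no such account on the AD side
        if unix_to_ad_filetime(last_set) <= ad_last:
            continue  # AD already holds the same or a newer password
        updates.append((uid, bytes.fromhex(nt_hex)))
    return updates
```

The returned list is what a pdbedit-style sync mode would then write, one account at a time.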


More information about the samba-technical mailing list