[PATCH] Ask for review. Set password from nt-hash .Useful to sync password from OpenLdap.

Andrew Bartlett abartlet at samba.org
Wed Jun 3 16:22:26 MDT 2015

On Tue, 2015-05-26 at 11:22 +0200, Alberto Maria Fiaschi wrote:
> My company need to sync password from Openldap  to Samba4 AD.
> So I modified smbpasswd to set password from nt-hash value. 
> (sambaNTPassword attribute in OpenLdap/Samba3 schema).
> Please review !


Thanks for submitting the patch, and I'm sorry I didn't get back to you
sooner.  As more and more sites do a migration to Samba4 of OpenLDAP
based domains, tools like this to handle the transition will become even
more critical, and I really appreciate you proposing this for the
all-important staged migration case. 

In terms of the patch, I understand your need, but I would really prefer
we didn't do this this particular way.  We shouldn't be changing
smbpasswd as a tool in any case, it is old and just too crufty (we keep
it for backward compatibility).  pdbedit, net or samba-tool are the
correct tools to modify.

What I would like to see in this space is a modification of the
samba-tool domain classicupgrade tool (a --sync-passwords option, for
example), or similarly to the pdbedit -i -e mode.  That would updates
passwords (potentially bi-directionally by switching the database order)
between the two domain databases based on the password last set time. 

The shortest route to what you want would seem to be a new switch to
pdbedit --sync-passwords-only, and to have that set

In pdbedit.c, in that mode you would need to change export_database() to
call pdb_element_is_set_or_changed() on each password element, and then
call pdb_set_init_flags() if true.  That should also be less intrusive
then your current patch.

We would need a test, presumably as part of our existing classicupgrade
tests, and it would be good to make pdbedit -i -e work in the 'update
all elements' case as well (calling those for every element from
PDB_UNINIT+1 to PDB_COUNT-1), but that would just be a bonus, clearly
nobody uses that :-)

I hope this provides some useful guidance, and thanks for your
contribution to Samba!


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list