[PATCH] Ask for review. Set password from nt-hash. Useful to sync password from OpenLdap.

Andrew Bartlett abartlet at samba.org
Wed Jun 3 16:22:26 MDT 2015


On Tue, 2015-05-26 at 11:22 +0200, Alberto Maria Fiaschi wrote:
> My company needs to sync password from Openldap to Samba4 AD.
> So I modified smbpasswd to set password from nt-hash value. 
> (sambaNTPassword attribute in OpenLdap/Samba3 schema).
> Please review !

G'Day,

Thanks for submitting the patch, and I'm sorry I didn't get back to you
sooner.  As more and more sites do a migration to Samba4 of OpenLDAP
based domains, tools like this to handle the transition will become even
more critical, and I really appreciate you proposing this for the
all-important staged migration case. 

In terms of the patch, I understand your need, but I would really prefer
we didn't do this in this particular way.  We shouldn't be changing
smbpasswd as a tool in any case, it is old and just too crufty (we keep
it for backward compatibility).  pdbedit, net or samba-tool are the
correct tools to modify.

What I would like to see in this space is a modification of the
samba-tool domain classicupgrade tool (a --sync-passwords option, for
example), or similarly to the pdbedit -i -e mode.  That would update
passwords (potentially bi-directionally by switching the database order)
between the two domain databases based on the password last set time. 

The shortest route to what you want would seem to be a new switch to
pdbedit --sync-passwords-only, and to have that set

In pdbedit.c, in that mode you would need to change export_database() to
call pdb_element_is_set_or_changed() on each password element, and then
call pdb_set_init_flags() if true.  That should also be less intrusive
than your current patch.

We would need a test, presumably as part of our existing classicupgrade
tests, and it would be good to make pdbedit -i -e work in the 'update
all elements' case as well (calling those for every element from
PDB_UNINIT+1 to PDB_COUNT-1), but that would just be a bonus, clearly
nobody uses that :-)

I hope this provides some useful guidance, and thanks for your
contribution to Samba!

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
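
The password-only sync policy discussed in the message above (copy only the password elements, decide by password last set time, go the other way by switching the database order), as an added example that is not part of the original message and is not Samba code. The Account fields, the function name and the sample accounts are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Account:
    username: str
    nt_hash: str        # hex NT hash (sambaNTPassword in the OpenLDAP/Samba3 schema)
    pass_last_set: int  # Unix time at which the password was last set
    full_name: str = ""  # stands in for every non-password element


def sync_passwords_only(source, target):
    """Copy password elements from source to target where source is newer.

    Returns (new_target, changed_usernames). Accounts missing from the
    target are not created and non-password elements are never touched.
    """
    result = dict(target)
    changed = []
    for name, src in source.items():
        dst = target.get(name)
        if dst is None:
            continue  # password-only mode does not create accounts
        if src.pass_last_set <= dst.pass_last_set:
            continue  # target password is the same age or newer: keep it
        # Only the password elements are replaced; full_name is preserved.
        result[name] = replace(dst, nt_hash=src.nt_hash,
                               pass_last_set=src.pass_last_set)
        changed.append(name)
    return result, sorted(changed)


# Constructed sample data: placeholder hashes, not real credentials.
OPENLDAP = {
    "alice": Account("alice", "aa" * 16, 1433000000, "Alice (LDAP)"),
    "bob": Account("bob", "bb" * 16, 1420000000, "Bob (LDAP)"),
    "carol": Account("carol", "cc" * 16, 1431000000, "Carol (LDAP)"),
}
SAMBA4 = {
    "alice": Account("alice", "11" * 16, 1430000000, "Alice A."),
    "bob": Account("bob", "22" * 16, 1432000000, "Bob B."),
}

if __name__ == "__main__":
    _, changed = sync_passwords_only(OPENLDAP, SAMBA4)
    print("OpenLDAP -> Samba4 updated:", changed)
    # Switching the database order gives the other direction.
    _, changed = sync_passwords_only(SAMBA4, OPENLDAP)
    print("Samba4 -> OpenLDAP updated:", changed)
```
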





