[PATCH] Ask for review. Set password from nt-hash. Useful to sync password from OpenLdap.

Alberto Maria Fiaschi alberto.fiaschi at estar.toscana.it
Wed Jun 10 08:02:19 MDT 2015


I followed your suggestion. I modified pdbedit to set user passwords 
from nthash.
I preferred to do it at the level of user modification because I need to 
filter users (not all users need to synchronize passwords).
I will send an email with the patch to the list.

Alberto

On 04/06/2015 00:22, Andrew Bartlett wrote:
> On Tue, 2015-05-26 at 11:22 +0200, Alberto Maria Fiaschi wrote:
>> My company needs to sync passwords from OpenLDAP to Samba4 AD.
>> So I modified smbpasswd to set password from nt-hash value.
>> (sambaNTPassword attribute in OpenLdap/Samba3 schema).
>> Please review !
> G'Day,
>
> Thanks for submitting the patch, and I'm sorry I didn't get back to you
> sooner.  As more and more sites do a migration to Samba4 of OpenLDAP
> based domains, tools like this to handle the transition will become even
> more critical, and I really appreciate you proposing this for the
> all-important staged migration case.
>
> In terms of the patch, I understand your need, but I would really prefer
> we didn't do this this particular way.  We shouldn't be changing
> smbpasswd as a tool in any case, it is old and just too crufty (we keep
> it for backward compatibility).  pdbedit, net or samba-tool are the
> correct tools to modify.
>
> What I would like to see in this space is a modification of the
> samba-tool domain classicupgrade tool (a --sync-passwords option, for
> example), or similarly to the pdbedit -i -e mode.  That would update
> passwords (potentially bi-directionally by switching the database order)
> between the two domain databases based on the password last set time.
>
> The shortest route to what you want would seem to be a new switch to
> pdbedit --sync-passwords-only, and to have that set
>
> In pdbedit.c, in that mode you would need to change export_database() to
> call pdb_element_is_set_or_changed() on each password element, and then
> call pdb_set_init_flags() if true.  That should also be less intrusive
> than your current patch.
>
> We would need a test, presumably as part of our existing classicupgrade
> tests, and it would be good to make pdbedit -i -e work in the 'update
> all elements' case as well (calling those for every element from
> PDB_UNINIT+1 to PDB_COUNT-1), but that would just be a bonus, clearly
> nobody uses that :-)
>
> I hope this provides some useful guidance, and thanks for your
> contribution to Samba!
>
> Thanks,
>
> Andrew Bartlett
>

-- 
Alberto Maria Fiaschi
<http://it.linkedin.com/pub/alberto-fiaschi/38/783/a5>
alberto.fiaschi at estar.toscana.it
ESTAR - Ente di Supporto Tecnico Amministrativo Regionale
Infrastrutture Zona Centro
Azienda Ospedaliero Universitaria Pisana
Presidio Ospedaliero Spedali Riuniti Santa Chiara
Via Roma, 67 - 56126 Pisa, Italy
Tel. +39 050 99 3117
Fax +39 050 99 3396
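
The sync rule discussed in this thread (copy the NT hash only when the source's password last set time is newer, restricted to a chosen set of users), as an added example that is not part of the original messages and is not Samba code. The `Account` record, `sync_passwords` and the sample data are hypothetical; the format check assumes the hash is stored as 32 hex characters, as in `sambaNTPassword`.

```python
import re
from dataclasses import dataclass

NT_HASH_RE = re.compile(r"[0-9A-Fa-f]{32}")  # 16-byte NT hash, hex-encoded

@dataclass
class Account:              # hypothetical record, not a Samba structure
    name: str
    nt_hash: str            # e.g. the sambaNTPassword value
    pass_last_set: int      # Unix time of the last password change

def sync_passwords(src, dst, only_users=None):
    """Copy nt_hash from src to dst where src's password is newer.

    src and dst map account name -> Account. only_users optionally limits
    which accounts are touched. Swapping src and dst syncs the other way.
    Returns the names updated in dst.
    """
    updated = []
    for name, s in src.items():
        if only_users is not None and name not in only_users:
            continue        # account excluded by the filter
        d = dst.get(name)
        if d is None:
            continue        # passwords only: never create accounts
        if not NT_HASH_RE.fullmatch(s.nt_hash):
            continue        # malformed value: leave dst untouched
        if s.pass_last_set <= d.pass_last_set:
            continue        # dst password is the same age or newer
        d.nt_hash = s.nt_hash
        d.pass_last_set = s.pass_last_set
        updated.append(name)
    return updated

def demo():
    # Constructed sample data; the hash strings are arbitrary hex, not real hashes.
    ldap = {
        "alice": Account("alice", "a" * 32, 200),      # newer: synced
        "bob": Account("bob", "b" * 32, 100),          # older: skipped
        "carol": Account("carol", "not-a-hash", 300),  # malformed: skipped
        "dave": Account("dave", "d" * 32, 400),        # not in filter: skipped
    }
    ad = {name: Account(name, "0" * 32, 150) for name in ldap}
    return sync_passwords(ldap, ad, only_users={"alice", "bob", "carol"}), ad
```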

