simple password sync method

d tbsky tbskyd at
Tue May 4 07:39:46 UTC 2021

    In the old days, when we were still using 2003/2008R2 as domain
controller, Microsoft provided a password sync service, "Identity
Management for Unix". We just needed to install the unix-side tool
"ssod", then AD would give our script the "account/pass" when a password
changed. With a script we could do any kind of password sync.

    When we changed our domain controller to samba, I assumed that "unix
password sync = yes" would do the trick. But I wasted my time testing
it, and the man page didn't say it won't work with a domain controller at
that time.

    To solve the problem, I could only do an ugly hack to the samba source so
it would trigger a script when the password changes.

    Now I understand that if I save the samba password as an encrypted clear
password, then I can use some samba-tool command to get/sync the

    I wonder if the old simple method can co-exist with the current
one. Maybe just a config like "password sync script = xxxx" and let
samba trigger it when the password changes? Although with the clear password
you can sync it to a new service at any time, the old simple method
doesn't need any infrastructure change and doesn't need to store the
private encryption key.

More information about the samba-technical mailing list