simple password sync method

Andrew Bartlett abartlet at
Tue May 4 15:44:18 UTC 2021

On Tue, 2021-05-04 at 15:39 +0800, d tbsky via samba-technical wrote:
>     I wonder if the old simple method can co-exist with the current
> one. maybe just a config like "password sync script = xxxx" and let
> samba trigger it when password change? although with clear password
> you can sync it to new service at any time, but old simple method
> doesn't need any infrastructure change and doesn't need to store the
> private encryption key.

If you know the target password type (eg crypt()) then we can store
some such passwords without the need for the GPG key, and run the sync
from there.

eg set "password hash userPassword schemes = CryptSHA512"

We won't be adding the 'samba3' style password sync to the AD DC, due
to locking requirements.  At the point where we can process a password
sync, we have to lock the DB against all other changes, and it would
risk service to all other users to start making calls at this point.

Of course Samba remains Free Software and you may make whatever changes
you desire for your private use, but this is our feeling regarding what
we will allow upstream.

Andrew Bartlett

Andrew Bartlett (he/him)
Samba Team Member (since 2001)
Samba Team Lead, Catalyst IT

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba-technical mailing list