[Samba] Synchronising password of some AD users with an external LDAP?

Andrew Bartlett abartlet at samba.org
Tue Feb 26 14:34:43 MST 2013


On Tue, 2013-02-26 at 18:16 +0200, Pekka L.J. Jalkanen wrote:
> True, webservers can authenticate against AD in a similar fashion to
> other LDAPs. But that's not the whole story.
> 
> The thing is that Samba 4 is designed from the ground up with AD in mind,
> and AD itself has been designed with workstation authentication and NT4
> client compatibility in mind. All this adds a lot of complexity to the
> system--and to the schema itself--that isn't in my opinion really
> beneficial. Also, manually editing the AD schema, and especially removing
> objectclasses and/or attributes from the default schema, is generally
> regarded as a big no-no. If I'd have to do this with AD, I'd use AD LDS,
> but that isn't an option with Samba (which is perfectly understandable,
> as on Linux, unlike Windows, there are many alternatives).
> 
> However, after a lot of googling it appears that there should be a way
> to make OpenLDAP accept simple binds both with and without kerberos
> backing, using SASL as an authentication vehicle:
> http://www.openldap.org/lists/openldap-software/201002/threads.html#00003
> 
> Perhaps I'll try that route.

So to avoid your perceived complexity of the Samba 4.0 AD DC, you
instead want to build a private and even more complex arrangement with
synchronisation between multiple directories?

Anyway, currently the only way to get a cleartext password out of Samba
4.0 as an AD DC is to permit storage of cleartext passwords in the
password policy and set it per-user.  Then a tool (not yet written)
could extract these from Samba.

However, I'm well aware of demand for better password handling,
particularly for users who need to sync with Google Docs (this comes up
quite often), so I'm planning (at some point) on adding a mode where we
expose somehow a more standard password hash, or provide a 'hook' that
sends cleartext passwords to some ongoing listener process (like the old
password sync scripts).  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
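Andrew's reply describes the two switches an AD DC needs before it will keep a cleartext copy of a password: the domain password policy must permit cleartext storage, and the individual account must opt in. The script below is an added audit example, not code from the thread or from the Samba project; it parses LDIF-shaped directory output (a constructed sample is embedded, with a hypothetical domain and hypothetical account names) and lists the accounts for which both switches are on. It assumes the domain-level switch is the DOMAIN_PASSWORD_STORE_CLEARTEXT bit (0x10) of pwdProperties and the per-user switch is the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED bit (0x80) of userAccountControl, the flag values documented in MS-SAMR and MS-ADTS.

```python
"""Audit which accounts an AD DC would store a cleartext password for.

Cleartext storage requires both the domain-wide policy bit
(pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) and the per-account
bit (userAccountControl & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED).
Either one alone is not enough, so the audit checks both.
"""
import re

# Flag values from MS-SAMR (pwdProperties) and MS-ADTS (userAccountControl);
# that these are the switches Samba honours is an assumption of this example.
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x80

# Constructed sample shaped like ldbsearch/ldapsearch output; not real data.
# 17  = 0x11 -> cleartext storage permitted at domain level
# 512 = normal account; 640 = 512 + 0x80; 66176 = 65536 + 512 + 0x80
SAMPLE_LDIF = """\
dn: DC=example,DC=com
pwdProperties: 17

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 640

dn: CN=svc-sync,CN=Users,DC=example,DC=com
sAMAccountName: svc-sync
userAccountControl: 66176
"""


def parse_ldif(text):
    """Split LDIF text into one dict per entry; attribute names are lower-cased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def cleartext_storage_enabled(entries):
    """True if the domain object's pwdProperties permits cleartext storage."""
    for entry in entries:
        if "pwdproperties" in entry:
            return bool(int(entry["pwdproperties"]) & DOMAIN_PASSWORD_STORE_CLEARTEXT)
    return False


def users_flagged(entries):
    """sAMAccountNames whose userAccountControl carries the per-user cleartext bit."""
    return sorted(
        entry["samaccountname"]
        for entry in entries
        if "useraccountcontrol" in entry
        and int(entry["useraccountcontrol"]) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
    )


def effective_cleartext_users(text):
    """Accounts for which the DC would actually keep a cleartext copy.

    Returns an empty list when the domain policy forbids cleartext storage,
    even if individual accounts have the per-user bit set.
    """
    entries = parse_ldif(text)
    if not cleartext_storage_enabled(entries):
        return []
    return users_flagged(entries)


if __name__ == "__main__":
    policy = cleartext_storage_enabled(parse_ldif(SAMPLE_LDIF))
    print("domain permits cleartext storage:", policy)
    print("accounts with cleartext copies:", effective_cleartext_users(SAMPLE_LDIF))
```

Run against real output by replacing SAMPLE_LDIF with the result of an ldbsearch for pwdProperties on the domain object and for sAMAccountName/userAccountControl on user objects. Any account the script lists is one whose password is recoverable in cleartext by anyone with read access to the DC's sam database, which is the trade-off Andrew's suggested approach entails.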
