[Samba] Synchronising password of some AD users with an external LDAP?

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Thu Feb 28 04:34:56 MST 2013

On 26.2.2013 23:34, Andrew Bartlett wrote:
> On Tue, 2013-02-26 at 18:16 +0200, Pekka L.J. Jalkanen wrote:
>> True, webservers can authenticate against AD in a similar fashion to
>> other LDAPs. But that's not the whole story.
>> The thing is that Samba 4 is designed from the ground up with AD in mind,
>> and AD itself has been designed with workstation authentication and NT4
>> client compatibility in mind. All this adds a lot of complexity to the
>> system--and to the schema itself--that isn't in my opinion really
>> beneficial. Also, manually editing the AD schema, and especially removing
>> objectclasses and/or attributes from the default schema, is generally
>> regarded as a big no-no. If I had to do this with AD, I'd use AD LDS,
>> but that isn't an option with Samba (which is perfectly understandable,
>> as on Linux, unlike Windows, there are many alternatives).
>> However, after a lot of googling it appears that there should be a way
>> to make OpenLDAP accept simple binds both with and without kerberos
>> backing, using SASL as an authentication vehicle:
>> http://www.openldap.org/lists/openldap-software/201002/threads.html#00003
>> Perhaps I'll try that route.
> So to avoid your perceived complexity of the Samba 4.0 AD DC, you
> instead want to build a private and even more complex arrangement with
> synchronisation between multiple directories?

It may sound strange but this is really only about potentially enabling
30+ users to log in to the LDAP using their AD passwords, while the total
amount of users in the LDAP could well end up being several hundreds if
not even thousands. But if it seems that this ends up being too complex,
then I'll simply scrap that plan and force two different passwords for
these users.

I do understand that in your opinion just putting up a Samba subdomain
would do, but while no longer in beta, Samba 4 still isn't all that
mature a product, and should problems arise... well, I simply am not such
an expert with it as you very obviously are, so I'd rather err on the
safe side and risk having 30 users with minor authentication annoyances
than having 1,000 users that can't log in at all.

> Anyway, currently the only way to get a cleartext password out of Samba
> 4.0 as an AD DC is to permit storage of cleartext passwords in the
> password policy and set it per-user.  Then a tool (not yet written)
> could extract these from Samba.

Thanks! I don't really think that I'm willing to go down that route, but
it's still good to know what's actually possible and what isn't.

Pekka L.J. Jalkanen