[Samba] Synchronising password of some AD users with an external LDAP?

Johan Johansson johan at capishe.se
Tue Feb 26 09:37:28 MST 2013


There is a way to sync passwords. It's not perfect but it works if you
can live with passwords stored as reversible encryption in Samba4.

1. Allow clear text passwords by using samba-tools
2. Enable reversible encryption on each user (can be done with MS AD tool)
3. Make a query and use the samba Python lib to decode the attribute that
holds the password. I made a Python script just for this that I use to
sync passwords to Google Apps.

The downside is that the passwords are in clear text but my network is
well secured so I'm fine with that. And the script has to run as a
daemon or in cron. But it works.

If you are interested I can share my script when I'm back at the office.

Sent from my iPhone

On 26 Feb 2013 at 17:30, Gregory Sloop <gregs at sloop.net> wrote:

>>> PLJJ> I know that if I were running a Windows AD, I could most likely
>>> PLJJ> accomplish what I want with--if nothing else--the 389 DS by using
>>> PLJJ> DS-provided Password Sync Service (see
>>> PLJJ> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>>> PLJJ> for more information).
>>>
>>> This is way over my head, in terms of expertise - but since the AD
>>> should function identically to the Windows AD setup, it may well work
>>> just fine, even though the back-end isn't a Windows AD box, but a
>>> Samba4 AD.
>
> PLJJ> Read the guide on the page that I linked. The said Password Sync Service
> PLJJ> is a Windows application. It installs a new password filtering DLL and a
> PLJJ> system service to a Windows DC.
>
> PLJJ> Samba, on the other hand, hardly runs on Windows. And even if it can be
> PLJJ> run (by compiling under Cygwin, perhaps?) it would be rather pointless.
>
>
> Sorry, I missed that - I did do a very cursory scan and didn't see
> anything Windows specific. Guess that's what happens when you scan a
> little too quickly/lightly.
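
An added audit example, not part of the original post and not the script the author mentions: it reads an LDIF export of the directory and reports the two settings from steps 1 and 2 above, so an administrator can see which accounts are stored with reversible encryption. It assumes the export came from a tool such as ldbsearch or ldapsearch and includes `pwdProperties`, `userAccountControl` and `sAMAccountName`; the sample entries and names are constructed.

```python
import base64
# Flag values as documented for Active Directory.
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080  # userAccountControl, per user (step 2)
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10       # pwdProperties, domain head (step 1)
# Constructed sample, shaped like an ldbsearch/ldapsearch LDIF export.
SAMPLE_LDIF = """\
dn: DC=example,DC=test
pwdProperties: 17

dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 640

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 512

dn: CN=sync-svc,CN=Users,DC=example,DC=test
sAMAccountName: sync-svc
userAccountControl: 66176
"""

def parse_ldif(text):
    """Yield one dict per entry (attribute names lower-cased, last value wins)."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[name.lower()] = value.strip()
        if entry:
            yield entry

def audit(ldif_text):
    """Return (domain_allows_cleartext, [accounts flagged for reversible storage])."""
    domain_flag, accounts = False, []
    for e in parse_ldif(ldif_text):
        if int(e.get("pwdproperties", 0)) & DOMAIN_PASSWORD_STORE_CLEARTEXT:
            domain_flag = True
        if int(e.get("useraccountcontrol", 0)) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:
            accounts.append(e.get("samaccountname", e.get("dn", "?")))
    return domain_flag, accounts

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```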

