[Samba] OpenLDAP Samba4 Password Sync

Denis Witt denis.witt at concepts-and-training.de
Wed Mar 6 12:54:15 MST 2013

On 05.03.2013 at 17:09, TAKAHASHI Motonobu <monyo at monyo.com> wrote:

>> we currently evaluate Samba4. We've learned so far that we have to use
>> our OpenLDAP-Server for some tools beside Samba4. So we wrote a script
>> that creates Samba4-AD Users when we add them to OpenLDAP. The problem
>> is that we need to sync the passwords when a user changes it within
>> Windows. How can we get the Password Hash from Samba4-AD and is there a
>> way to write it (in case the OpenLDAP password changes).
> Does this article help you?
>  https://lists.samba.org/archive/samba/2013-March/171956.html

> As far as I read, this python script can export the Hash.

Hi Takahashi,

thanks for your reply. The Tool-Website states:

> Reads from your Samba4 AD and updates changes password to Google Apps in SHA1 format. Note that this solution requires you to run:
> samba-tool domain passwordsettings set --store-plaintext=on
> Also you will have to use "Store passwords using reversible encryption" for each users. This can be enabled with MS Active Directory snap in tool from Windows.

Doesn't sound like a thing you want to do, but seems to be the only way at the moment.

At least the sync from OpenLDAP to AD must be possible without those restrictions, as samba-tool can transfer the password settings when you do the classic upgrade. So I might try to disallow the users to change their passwords with Windows, force them to change the OpenLDAP-Password-Entry and sync it back to AD (if this is possible when password change is disabled).

Best regards
Denis Witt
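
The two settings quoted in the message above show up as bits in directory attributes, so a domain can be checked for them. The following is an added example, not part of the original post or of the tool it quotes: it assumes an LDIF export (for instance from ldbsearch or ldapsearch) that includes pwdProperties and userAccountControl, and the sample entries and function names are constructed.

```python
# Added example: audit an LDIF export for reversible password storage.
UF_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # userAccountControl bit (per user)
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10   # pwdProperties bit (domain-wide)

# Constructed sample shaped like ldbsearch/ldapsearch output (not real data).
SAMPLE_LDIF = """\
dn: DC=example,DC=test
pwdProperties: 17

dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 640

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 512
"""

def parse_entries(ldif):
    """Split simple LDIF into dicts; folded lines are joined, base64 values skipped."""
    entries = []
    for block in ldif.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if not sep or line.startswith("#") or value.startswith(":"):
                continue
            entry[key.lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def audit(ldif):
    """Return (domain_stores_cleartext, [accounts with reversible encryption])."""
    domain_flag, accounts = False, []
    for e in parse_entries(ldif):
        if int(e.get("pwdproperties", 0)) & DOMAIN_PASSWORD_STORE_CLEARTEXT:
            domain_flag = True
        if int(e.get("useraccountcontrol", 0)) & UF_ENCRYPTED_TEXT_PWD_ALLOWED:
            accounts.append(e.get("samaccountname", e.get("dn", "?")))
    return domain_flag, accounts

if __name__ == "__main__":
    flag, users = audit(SAMPLE_LDIF)
    print("domain stores cleartext:", flag)
    print("accounts with reversible encryption:", users)
```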
