[Samba] Need password for adduser script

Johannes Amorosa | Celluloid VFX johannesa at celluloid-vfx.com
Wed Aug 27 03:27:24 MDT 2014

On 08/26/2014 04:13 PM, Rowland Penny wrote:
> On 26/08/14 15:02, Johannes Amorosa | Celluloid VFX wrote:
>> Hi Rowland,
>> thank you for your time.
>> On 08/26/2014 03:39 PM, Rowland Penny wrote:
>>> On 26/08/14 11:00, Johannes Amorosa | Celluloid VFX wrote:
>>>> Hello List,
>>>> we would like to add a newly generated user account that was created with 
>>>> the domain user tools, to another service on a separate machine, 
>>>> with the same credentials. Is there a simple way to retrieve the 
>>>> password like the username (%u) to hand the (cleartext-) password 
>>>> over to our adduser script?
>>> Yes, write it on a piece of paper when you create the user in ADUC. ;-)
>> We have a lot of freelancers here. When we create an account for them 
>> we don't want to add the same user and password by hand to every system.
> OK, I was only joking ;-), the problem is that the user's password is 
> stored in AD as a (supposedly) one-way unicode password, so getting 
> the cleartext password is very very difficult (as in, it would be 
> easier to write the password down).
> I think that (providing that we are talking S4 AD and the other 
> machine is a Linux machine) the easiest way will be to create a 
> script to add the user to AD with samba-tool or ldbmodify & an ldif, 
> once this is done, the same script could 'ssh' into the other machine 
> and add the user there with the same username and password.
We wanted to reuse the Windows GUI tools for adding a new user to the 
domain. But if this is too complicated to get the password into the 
adduser script we will go your proposed route and script something with 
net rpc and samba-tool and replace the tools until we can shut down the 
old domain.
Thank you for your time.

> Rowland
>>>> I know this is a hack, but we want to have a soft transformation 
>>>> until our AD service is stable.
>>> Wouldn't it be easier to make whatever service you have, work with AD ?
>> Sure. Once our AD is proven solid, we switch and then we can 
>> authenticate all services through the new system.
>> Until then we want to have two separate domains at the same time so 
>> we can have several weeks/months to make a soft switch until 
>> everything is production ready. This script would just keep the two 
>> domains "synced" without touching the production system.
>>> Rowland
>>>> Thank you
>>>> Joe

Johannes Amorosa | Celluloid VFX
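
The scripted route Rowland proposes in the thread above, as an added example that is not part of the original messages: one function creates the account in Samba 4 AD with samba-tool and then on a second Linux host over ssh, using a password typed once on stdin. The names SAMBA_TOOL, SSH, valid_username and sync_user are assumptions of this sketch, as is a remote login that is allowed to run useradd and chpasswd.

```shell
#!/bin/sh
# Added example: create one account in Samba 4 AD and on a second Linux host.
# SAMBA_TOOL and SSH are overridable command names chosen for this sketch.
: "${SAMBA_TOOL:=samba-tool}"
: "${SSH:=ssh}"

# Accept only conservative account names (lower case, digits, "_", ".", "-",
# at most 20 characters) so the name can be placed in the remote command
# line without any quoting problems.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 20 ]
}

# usage: sync_user USERNAME REMOTE_HOST    (password is read from stdin)
sync_user() {
    user=$1 host=$2
    valid_username "$user" || { echo "bad username: $user" >&2; return 2; }

    # Read one line from stdin; an empty password is rejected.
    IFS= read -r pw || true
    [ -n "$pw" ] || { echo "no password on stdin" >&2; return 2; }

    # samba-tool takes the password as an argument, so it is visible in the
    # local process list while the command runs.
    "$SAMBA_TOOL" user create "$user" "$pw" || return 1

    # On the remote side the password travels over stdin to chpasswd and
    # never appears in a command line there.
    printf '%s:%s\n' "$user" "$pw" |
        "$SSH" "$host" "useradd -m $user && chpasswd" || return 1

    unset pw
}
```

Run it on the domain controller as, for instance, `sync_user jdoe otherhost` with the password supplied on stdin; the host name here is a placeholder.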
