[Samba] How to manage users with encrypted passwords

Benjamin Rocton Benjamin.Rocton at upmf-grenoble.fr
Thu Jun 12 05:46:52 MDT 2014

Thank you for your reply.

I read the wiki about classicupgrade (this is the same as samba3upgrade).
I have no problem provisioning Samba4 with classicupgrade. It works well 
and I get my users.
My problem is "after": how do I create new users, how do I delete old 
users? I will not re-provision with "classicupgrade" every night for an 
updated Samba4.
And I do not want this to be done manually on Samba4. There are too many 
In summary:
I have an LDAP repository (openldap) with a home regimen. It contains 
all the users and their encrypted passwords.
I want to regularly update Samba4 with the information contained in the 

I don't know if I'm clear. I don't speak English very well.


On 12/06/2014 13:16, Rowland Penny wrote:
> On 12/06/14 11:54, Benjamin Rocton wrote:
>> Hi,
>> I do not really understand your question. What is the difference?
> A great deal actually, samba4 can do anything that samba3 can do PLUS 
> it can be set up to be an Active Directory domain controller.
>> I thought samba4 was necessarily an emulation of an AD DC. This is 
>> not the case?
> Yes and no, see above response.
>> I installed two Samba4 DC for tests:
>> - One with the "samba-tool domain provision" (server role "dc" ldap 
>> internal).
>> - And another with "samba-tool domain samba3upgrade ..." to import 
>> the data from the current Samba3.
> Initially you only need one 'unprovisioned' samba4 AD DC and the 
> command to run is:
> samba-tool domain classicupgrade
> This should extract the info from your S3 PDC and provision S4.
> I would suggest that you go and read the samba wiki, specifically this 
> page:
>  https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29 
> I would also hope that you are doing this in a test situation i.e. not 
> in production.
>> The goal is to have a Samba4 AD DC.
>> I do not know if I answered the question. Sorry.
> Yes, you did, I hope my answers help you to get to your goal.
> Rowland
>> Benjamin
>> On 12/06/2014 12:21, Rowland Penny wrote:
>>> On 12/06/14 10:52, Benjamin Rocton wrote:
>>>> Hello,
>>>> I set up Samba4 to replace our Samba3. I am having problems 
>>>> populating Samba4 and automatically managing the lifecycle of users.
>>>> All of our users are already in an LDAP directory and I would like 
>>>> to create a connector for "synchronised" LDAP users to Samba4.
>>>> I thought of developing a script that would use the Python libraries 
>>>> of samba-tool.
>>>> I have a problem managing passwords.
>>>> I cannot get access to user passwords in clear text. But I can 
>>>> have them in any encrypted form.
>>>> Is there a solution to push a password hash to Samba4? If yes, 
>>>> what kind of hash?
>>>> In addition, where are the passwords stored in Samba4? Only in the 
>>>> LDAP? In Kerberos? Elsewhere?
>>>> In what form?
>>>> I did not find any info on it.
>>>> Thank you for your help.
>>>> Regards,
>>>> Benjamin
>>> Hi, when you say 'I set up Samba4 to replace our Samba3.' just how 
>>> have you set up samba4? Have you used samba4 just like samba3 or 
>>> have you set up an AD DC?
>>> Once you answer the above, I am sure that we can move on to help you 
>>> get to a working solution.
>>> Rowland
