[Samba] How to manage users with encrypted passwords

Rowland Penny rowlandpenny at googlemail.com
Thu Jun 12 06:03:59 MDT 2014

On 12/06/14 12:46, Benjamin Rocton wrote:
> Thank you for your reply.
> I read the wiki about classicupgrade (this is the same as 
> samba3upgrade).
> I have no problem to provision samba4 with classicupgrade. It works 
> well and I get my users.
> My problem is "after". How do I create new users, how do I delete old 
> users. I will not re-provision with "classicupgrade" every night for a 
> Samba4 updated.
> And I do not want this to be done manually on Samba4. There are too 
> many changes.
> In summary:
> I have an LDAP repository (openldap) with a home regimen. It contains 
> all the users and their encrypted passwords.
> I want to regularly update Samba4 with the information contained in 
> the LDAP.
> I don't know if I'm clear. I don't speak English very well.
> Benjamin

I think that you are being very clear.

Let's see if I get this correct:

You have extracted all your users, groups and computers from your 
openldap and by using 'classicupgrade', have inserted them into your new 
samba4 AD DC.

You still want to use your openldap machine AND the new samba4 AD dc, 

If the upgrade went correctly, turn off the openldap machine, you do not 
need it anymore.

> On 12/06/2014 13:16, Rowland Penny wrote:
>> On 12/06/14 11:54, Benjamin Rocton wrote:
>>> Hi,
>>> I do not really understand your question. What is the difference?
>> A great deal actually, samba4 can do anything that samba3 can do PLUS 
>> it can be set up to be an Active Directory domain controller.
>>> I thought samba4 was necessarily an emulation of an AD DC. This is 
>>> not the case?
>> Yes and no, see above response.
>>> I installed two Samba4 DC for tests:
>>> - One with the "samba-tool domain provision" (server role "dc" ldap 
>>> internal).
>>> - And another with "samba-tool domain samba3upgrade ..." to import 
>>> the data from the current Samba3.
>> Initially you only need one 'unprovisioned' samba4 AD DC and the 
>> command to run is:
>> samba-tool domain classicupgrade
>> This should extract the info from your S3 PDC and provision S4.
>> I would suggest that you go and read the samba wiki, specifically 
>> this page:
>>  https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29 
>> I would also hope that you are doing this in a test situation i.e. 
>> not in production.
>>> The goal is to have a Samba4 AD DC.
>>> I do not know if I answered the question. Sorry.
>> Yes, you did, I hope my answers help you to get to your goal.
>> Rowland
>>> Benjamin
>>> On 12/06/2014 12:21, Rowland Penny wrote:
>>>> On 12/06/14 10:52, Benjamin Rocton wrote:
>>>>> Hello,
>>>>> I set up Samba4 to replace our Samba3. I am having problems to 
>>>>> populate samba4 and automatically manage the lifecycle of users.
>>>>> All of our users are already in an LDAP directory and I would like 
>>>>> to create a connector for "synchronised" LDAP users to Samba4.
>>>>> I thought to develop a script that would use Python libraries of 
>>>>> Samba-tool.
>>>>> I have a problem to manage passwords.
>>>>> I can not have access to user passwords in clear text. But I can 
>>>>> have it in any encrypted form.
>>>>> Is there a solution to push a Hash password to Samba4? If yes, 
>>>>> what kind of Hash?
>>>>> In addition, where are the passwords stored in Samba4? Only in the 
>>>>> LDAP? In kerberos? Elsewhere?
>>>>> In what form?
>>>>> I did not find any info on it.
>>>>> Thank you for your help.
>>>>> Regards,
>>>>> Benjamin
>>>> Hi, when you say 'I set up Samba4 to replace our Samba3.' just how 
>>>> have you set up samba4? Have you used samba4 just like samba3 or 
>>>> have you set up an AD DC?
>>>> Once you answer the above, I am sure that we can move on to help 
>>>> you get to a working solution.
>>>> Rowland
