[Samba] How to manage users with encrypted passwords

Allen Chen achen at harbourfrontcentre.com
Thu Jun 12 06:41:19 MDT 2014

On 6/12/2014 8:03 AM, Rowland Penny wrote:
> On 12/06/14 12:46, Benjamin Rocton wrote:
>> Thank you for your reply.
>> I read the wiki about classicupgrade (this is the same as 
>> samba3upgrade).
>> I have no problem provisioning samba4 with classicupgrade. It works 
>> well and I get my users.
>> My problem is "after": how do I create new users, how do I delete old 
>> users? I will not re-provision with "classicupgrade" every night to 
>> get an updated Samba4.
>> And I do not want this to be done manually on Samba4. There are too 
>> many changes.
>> In summary:
>> I have an LDAP repository (openldap) with a home regimen. It contains 
>> all the users and their encrypted passwords.
>> I want to regularly update Samba4 with the information contained in 
>> the LDAP.
>> I don't know if I'm clear. I don't speak English very well.
>> Benjamin
> I think that you are being very clear.
> Let's see if I get this correct:
> You have extracted all your users, groups and computers from your 
> openldap and by using 'classicupgrade', have inserted them into your 
> new samba4 AD DC.
> You still want to use your openldap machine AND the new samba4 AD dc, 
> why?????
> If the upgrade went correctly, turn off the openldap machine, you do 
> not need it anymore.
> Rowland
>> On 12/06/2014 13:16, Rowland Penny wrote:
>>> On 12/06/14 11:54, Benjamin Rocton wrote:
>>>> Hi,
>>>> I do not really understand your question. What is the difference?
>>> A great deal actually, samba4 can do anything that samba3 can do 
>>> PLUS it can be set up to be an Active Directory domain controller.
>>>> I thought samba4 was necessarily an emulation of an AD DC. This is 
>>>> not the case?
>>> Yes and no, see above response.
>>>> I installed two Samba4 DCs for tests:
>>>> - One with the "samba-tool domain provision" (server role "dc" ldap 
>>>> internal).
>>>> - And another with "samba-tool domain samba3upgrade ..." to import 
>>>> the data from the current Samba3.
>>> Initially you only need one 'unprovisioned' samba4 AD DC and the 
>>> command to run is:
>>> samba-tool domain classicupgrade
>>> This should extract the info from your S3 PDC and provision S4.
>>> I would suggest that you go and read the samba wiki, specifically 
>>> this page:
>>>  https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29 
>>> I would also hope that you are doing this in a test situation i.e. 
>>> not in production.
>>>> The goal is to have a Samba4 AD DC.
>>>> I do not know if I answered the question. Sorry.
>>> Yes, you did, I hope my answers help you to get to your goal.
>>> Rowland
>>>> Benjamin
>>>> On 12/06/2014 12:21, Rowland Penny wrote:
>>>>> On 12/06/14 10:52, Benjamin Rocton wrote:
>>>>>> Hello,
>>>>>> I set up Samba4 to replace our Samba3. I am having problems 
>>>>>> populating samba4 and automatically managing the lifecycle of users.
>>>>>> All of our users are already in an LDAP directory and I would 
>>>>>> like to create a connector to "synchronise" LDAP users to Samba4.
>>>>>> I thought to develop a script that would use the Python libraries 
>>>>>> of samba-tool.
>>>>>> I have a problem managing passwords.
>>>>>> I cannot have access to user passwords in clear text, but I can 
>>>>>> have them in any encrypted form.
>>>>>> Is there a solution to push a hashed password to Samba4? If yes, 
>>>>>> what kind of hash?
>>>>>> In addition, where are the passwords stored in Samba4? Only in 
>>>>>> the LDAP? In Kerberos? Elsewhere?
>>>>>> In what form?
>>>>>> I did not find any info on it.
>>>>>> Thank you for your help.
>>>>>> Regards,
>>>>>> Benjamin
>>>>> Hi, when you say 'I set up Samba4 to replace our Samba3.' just how 
>>>>> have you setup samba4 ? Have you used samba4 just like samba3 or 
>>>>> have you set up an AD DC ?
>>>>> Once you answer the above, I am sure that we can move on to help 
>>>>> you get to a working solution.
>>>>> Rowland
I am in the same boat. In a test environment, I upgraded S3 to S4 with 
"classicupgrade". It works fine.
Most of the information is imported into the S4 internal LDAP. I said 
most of the information is imported, so I have to keep openldap up and 
running for other usage.
I can use a script I wrote myself to sync some of the attributes between 
openldap and the S4 LDAP.
My script calls samba-tool to handle S4 LDAP changes, but I cannot change 
some attributes with samba-tool, like primaryGroupID.
Also, from my reading on the list, if I change it with "ldbedit", I may 
end up with a crashed internal DB if two AD DCs are deployed.
Right now, all of the users have the same primaryGroupID, 513; I don't 
know if it's normal or not. I think I don't use this attribute. I use 
the AD DC just for authentication.
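
As an added example, not code from the thread, from Samba or from any of the posters, the following Python shows the two things a sync script in this situation has to get right: the hash a Samba AD DC keeps for a user (the NT hash, MD4 over the UTF-16LE password, held in unicodePwd), which is the only hash form that can be carried over from another directory without knowing the cleartext, and the ordering constraint AD places on changing primaryGroupID. The OpenLDAP entry, its Samba3-schema attribute names (sambaNTPassword, sambaPrimaryGroupSID) and the SID are constructed for the example; how the hash is actually written into the DC (classicupgrade's import path versus samba-tool) is not covered here.

```python
"""Added example, not code from the thread or from Samba: what hash Samba AD
stores for a user, and what a sync script can check on an OpenLDAP
(Samba3-schema) entry before pushing that user into the AD DC.
Assumptions (not from the page): sambaNTPassword is 32 hex characters and
sambaPrimaryGroupSID is an SID string; SAMPLE_ENTRY is constructed."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320). hashlib has no md4 on many OpenSSL 3 builds, so
    it is implemented here instead of imported."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    rounds = (  # (mixing function, additive constant, word order, shifts)
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. AD (and so Samba AD) stores
    this in unicodePwd; a crypt/SSHA userPassword cannot be converted to it."""
    return md4(password.encode("utf-16-le"))


# RIDs of the built-in domain groups every AD domain has; 513 is the
# default primary group of a user account.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

# Constructed OpenLDAP entry in Samba3-schema form (not a real account).
# The hash value is NT("password").
SAMPLE_ENTRY = {
    "uid": "jdoe",
    "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C",
    "sambaPrimaryGroupSID": "S-1-5-21-1111111111-2222222222-3333333333-513",
}


def rid_of(sid: str) -> int:
    """The last sub-authority of an SID is the RID; primaryGroupID is that number."""
    return int(sid.rsplit("-", 1)[1])


def check_entry(entry: dict) -> dict:
    """Pre-sync checks: the stored value is a well-formed 16-byte NT hash,
    and which group the Samba3 primary group SID maps to on the AD side."""
    h = entry.get("sambaNTPassword", "")
    hash_ok = len(h) == 32 and all(ch in "0123456789abcdefABCDEF" for ch in h)
    rid = rid_of(entry["sambaPrimaryGroupSID"])
    return {"user": entry["uid"], "nt_hash_ok": hash_ok,
            "nt_hash": bytes.fromhex(h) if hash_ok else None,
            "primary_rid": rid,
            "primary_group": WELL_KNOWN_RIDS.get(rid, "custom group")}


def password_matches(entry: dict, candidate: str) -> bool:
    """Proves the OpenLDAP value is the same hash family AD uses: hashing a
    known cleartext the AD way reproduces it exactly."""
    return nt_hash(candidate).hex().upper() == entry["sambaNTPassword"].upper()


def primary_group_change_plan(current_member_rids, new_rid: int) -> list:
    """AD refuses to set primaryGroupID to a group the user is not already a
    member of, so the membership must be added first. Returns ordered steps."""
    steps = []
    if new_rid not in current_member_rids:
        steps.append(("add member to group", new_rid))
    steps.append(("replace primaryGroupID", new_rid))
    return steps
```

Running check_entry on an entry whose only password attribute is a crypt or SSHA userPassword fails the nt_hash_ok check, and there is no way around that: those hashes cannot be turned into an NT hash, so such users can only be given a fresh password on the AD side. The 513 that every upgraded user carries is simply the RID of Domain Users, the default primary group of an AD user, which is why a classic upgrade from a Samba3 domain where users had the default primary group ends up with that value everywhere.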