[Samba] How to manage users with encrypted passwords

Benjamin Rocton Benjamin.Rocton at upmf-grenoble.fr
Thu Jun 12 06:55:14 MDT 2014


I have two LDAP:
One that contains all users and facts for the information system. Not 
only information for DC. _It is not specified or controlled by me_, 
I only need to use the information it contains to create the right 
users in my domain.
Another for samba3, with samba3 scheme. It will disappear when samba4 
is in production. Currently it is synchronized with the first LDAP 
through homemade LDAP scripts. I would like to reproduce this behavior 
with samba4.


Benjamin

On 12/06/2014 14:03, Rowland Penny wrote:
> On 12/06/14 12:46, Benjamin Rocton wrote:
>> Thank you for your reply.
>>
>> I read the wiki about classicupgrade (this is the same as 
>> samba3upgrade).
>> I have no problem to provision samba4 with classicupgrade. It works 
>> well and I get my users.
>> My problem is "after". How do I create new users, how do I delete old 
>> users. I will not re-provision with "classicupgrade" every night for 
>> a Samba4 updated.
>> And I do not want this to be done manually on Samba4. There are too 
>> many changes.
>> In summary:
>> I have an LDAP repository (openldap) with a home regimen. It contains 
>> all the users and their encrypted passwords.
>> I want to regularly update Samba4 with the information contained in 
>> the LDAP.
>>
>> I don't know if I'm clear. I don't speak English very well.
>>
>> Benjamin
>>
>
> I think that you are being very clear.
>
> Let's see if I get this correct:
>
> You have extracted all your users, groups and computers from your 
> openldap and by using 'classicupgrade', have inserted them into your 
> new samba4 AD DC.
>
> You still want to use your openldap machine AND the new samba4 AD dc, 
> why?????
>
> If the upgrade went correctly, turn off the openldap machine, you do 
> not need it anymore.
>
> Rowland
>>
>> On 12/06/2014 13:16, Rowland Penny wrote:
>>> On 12/06/14 11:54, Benjamin Rocton wrote:
>>>> Hi,
>>>>
>>>> I do not really understand your question. What is the difference?
>>> A great deal actually, samba4 can do anything that samba3 can do 
>>> PLUS it can be set up to be an Active Directory domain controller.
>>>
>>>> I thought samba4 was necessarily an emulation of an AD DC. This is 
>>>> not the case?
>>>
>>> Yes and no, see above response.
>>>
>>>>
>>>> I installed two Samba4 DC for tests:
>>>> - One with the "samba-tool domain provision" (server role "dc" ldap 
>>>> internal).
>>>> - And another with "samba-tool domain samba3upgrade ..." to import 
>>>> the data from the current Samba3.
>>>>
>>>
>>> Initially you only need one 'unprovisioned' samba4 AD DC and the 
>>> command to run is:
>>>
>>> samba-tool domain classicupgrade
>>>
>>> This should extract the info from your S3 PDC and provision S4.
>>>
>>> I would suggest that you go and read the samba wiki, specifically 
>>> this page:
>>>
>>>  https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29 
>>>
>>>
>>> I would also hope that you are doing this in a test situation i.e. 
>>> not in production.
>>>
>>>> The goal is to have a Samba4 AD DC.
>>>>
>>>> I do not know if I answered the question. Sorry.
>>>
>>> Yes, you did, I hope my answers help you to get to your goal.
>>>
>>> Rowland
>>>>
>>>> Benjamin
>>>>
>>>> On 12/06/2014 12:21, Rowland Penny wrote:
>>>>> On 12/06/14 10:52, Benjamin Rocton wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I set up Samba4 to replace our Samba3. I am having problems to 
>>>>>> populate samba4 and automatically manage the lifecycle of users.
>>>>>> All of our users are already in an LDAP directory and I would 
>>>>>> like to create a connector for "synchronised" LDAP users to Samba4.
>>>>>> I thought to develop a script that would use Python libraries of 
>>>>>> Samba-tool.
>>>>>>
>>>>>> I have a problem to manage passwords.
>>>>>> I can not have access to user passwords in clear text. But I can 
>>>>>> have it in any encrypted form.
>>>>>> Is there a solution to push a Hash password to Samba4? If yes, 
>>>>>> what kind of Hash?
>>>>>>
>>>>>> In addition, where are the passwords stored in Samba4? Only in 
>>>>>> the LDAP? In kerberos? Elsewhere?
>>>>>> In what form?
>>>>>> I did not find any info on it.
>>>>>>
>>>>>> Thank you for your help.
>>>>>>
>>>>>> Regards,
>>>>>> Benjamin
>>>>>>
>>>>> Hi, when you say 'I set up Samba4 to replace our Samba3.' just how 
>>>>> have you setup samba4 ? Have you used samba4 just like samba3 or 
>>>>> have you set up an AD DC ?
>>>>>
>>>>> Once you answer the above, I am sure that we can move on to help 
>>>>> you get to a working solution.
>>>>>
>>>>> Rowland
>>>>
>>>
>>
>


