[Samba] How to manage users with encrypted passwords

Benjamin Rocton Benjamin.Rocton at upmf-grenoble.fr
Thu Jun 12 07:13:40 MDT 2014


Hi,

Yes, but I do not have the passwords in clear text in the LDAP. I can 
only have the encrypted password. And it does not seem that we can use 
samba-tool with an encrypted password?

Benjamin

-- 
Benjamin Rocton
Université Pierre Mendès France

On 12/06/2014 15:01, Stéphane PURNELLE wrote:
> OK...
>
> One ldap server with some data
> One DC (samba 4) with auto creation/modify from ldap server.
>
> For me, just do a script (scheduled with crontab) read information
> from ldap and use samba-tool for modify/create user
>
> but you need to extract passwd from ldap server for use it in your script
>
> regards
>
>         Stéphane Purnelle
>
> -----------------------------------
> Stéphane PURNELLE         Admin. Systèmes et Réseaux
> Service Informatique       Corman S.A.     Tel : 00 32 (0)87/342467
>
> samba-bounces at lists.samba.org wrote on 12/06/2014 14:55:14:
>
> > From: Benjamin Rocton <Benjamin.Rocton at upmf-grenoble.fr>
> > To: samba at lists.samba.org,
> > Date: 12/06/2014 14:55
> > Subject: Re: [Samba] How to manage users with encrypted passwords
> > Sent by: samba-bounces at lists.samba.org
> >
> > I have two LDAP:
> > One that contains all users and facts for the information system. Not
> > only information for DC. It is not specified or controlled by
> > me, I only need to use the information it contains to create the right
> > users in my domain.
> > Another for samba3, with samba3 scheme. It will disappear when samba4
> > will be in production. Currently it is synchronized with the first LDAP
> > through LDAP scripts homemade. I would like to reproduce this behavior
> > with samba4.
> >
> >
> > Benjamin
> >
> > On 12/06/2014 14:03, Rowland Penny wrote:
> > > On 12/06/14 12:46, Benjamin Rocton wrote:
> > >> Thank you for your reply.
> > >>
> > >> I read the wiki about classicupgrade (this is the same as
> > >> samba3upgrade).
> > >> I have no problem to provision samba4 with classicupgrade. It works
> > >> well and I get my users.
> > >> My problem is "after". How do I create new users, how do I delete old
> > >> users. I will not re-provision with "classicupgrade" every night for
> > >> a Samba4 updated.
> > >> And I do not want this to be done manually on Samba4. There are too
> > >> many changes.
> > >> In summary:
> > >> I have an LDAP repository (openldap) with a home regimen. It contains
> > >> all the users and their encrypted passwords.
> > >> I want to regularly update Samba4 with the information contained in
> > >> the LDAP.
> > >>
> > >> I don't know if I'm clear. I don't speak English very well.
> > >>
> > >> Benjamin
> > >>
> > >
> > > I think that you are being very clear.
> > >
> > > Let's see if I get this correct:
> > >
> > > You have extracted all your users, groups and computers from your
> > > openldap and by using 'classicupgrade', have inserted them into your
> > > new samba4 AD DC.
> > >
> > > You still want to use your openldap machine AND the new samba4 AD dc,
> > > why?????
> > >
> > > If the upgrade went correctly, turn off the openldap machine, you do
> > > not need it anymore.
> > >
> > > Rowland
> > >>
> > >> On 12/06/2014 13:16, Rowland Penny wrote:
> > >>> On 12/06/14 11:54, Benjamin Rocton wrote:
> > >>>> Hi,
> > >>>>
> > >>>> I do not really understand your question. What is the difference?
> > >>> A great deal actually, samba4 can do anything that samba3 can do
> > >>> PLUS it can be set up to be an Active Directory domain controller.
> > >>>
> > >>>> I thought samba4 was necessarily an emulation of an AD DC. This is
> > >>>> not the case?
> > >>>
> > >>> Yes and no, see above response.
> > >>>
> > >>>>
> > >>>> I installed two Samba4 DC for tests:
> > >>>> - One with the "samba-tool domain provision" (server role "dc" ldap
> > >>>> internal).
> > >>>> - And another with "samba-tool domain samba3upgrade ..." to import
> > >>>> the data from the current Samba3.
> > >>>>
> > >>>
> > >>> Initially you only need one 'unprovisioned' samba4 AD DC and the
> > >>> command to run is:
> > >>>
> > >>> samba-tool domain classicupgrade
> > >>>
> > >>> This should extract the info from your S3 PDC and provision S4.
> > >>>
> > >>> I would suggest that you go and read the samba wiki, specifically
> > >>> this page:
> > >>>
> > >>> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
> > >>>
> > >>>
> > >>> I would also hope that you are doing this in a test situation i.e.
> > >>> not in production.
> > >>>
> > >>>> The goal is to have a Samba4 AD DC.
> > >>>>
> > >>>> I do not know if I answered the question. Sorry.
> > >>>
> > >>> Yes, you did, I hope my answers help you to get to your goal.
> > >>>
> > >>> Rowland
> > >>>>
> > >>>> Benjamin
> > >>>>
> > >>>> On 12/06/2014 12:21, Rowland Penny wrote:
> > >>>>> On 12/06/14 10:52, Benjamin Rocton wrote:
> > >>>>>> Hello,
> > >>>>>>
> > >>>>>> I set up Samba4 to replace our Samba3. I am having problems to
> > >>>>>> populate samba4 and automatically manage the lifecycle of users.
> > >>>>>> All of our users are already in an LDAP directory and I would
> > >>>>>> like to create a connector for "synchronised" LDAP users to Samba4.
> > >>>>>> I thought to develop a script that would use Python libraries of
> > >>>>>> Samba-tool.
> > >>>>>>
> > >>>>>> I have a problem to manage passwords.
> > >>>>>> I can not have access to user passwords in clear text. But I can
> > >>>>>> have it in any encrypted form.
> > >>>>>> Is there a solution to push a Hash password to Samba4? If yes,
> > >>>>>> what kind of Hash?
> > >>>>>>
> > >>>>>> In addition, where are stored the passwords in Samba4? Only in
> > >>>>>> the LDAP? In kerberos? Elsewhere?
> > >>>>>> In what form?
> > >>>>>> I did not find any info on it.
> > >>>>>>
> > >>>>>> Thank you for your help.
> > >>>>>>
> > >>>>>> Regards,
> > >>>>>> Benjamin
> > >>>>>>
> > >>>>> Hi, when you say 'I set up Samba4 to replace our Samba3.' just how
> > >>>>> have you setup samba4 ? Have you used samba4 just like samba3 or
> > >>>>> have you set up an AD DC ?
> > >>>>>
> > >>>>> Once you answer the above, I am sure that we can move on to help
> > >>>>> you get to a working solution.
> > >>>>>
> > >>>>> Rowland
> > >>>>
> > >>>
> > >>
> > >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
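
Added example, not part of the original thread and not Samba's own code: the question above turns on which hash type the source directory holds, so this sketch sorts source entries by whether they carry an NT hash (the `sambaNTPassword` attribute of the Samba 3 LDAP schema, the MD4-based hash type an AD DC also keeps) or only a one-way `userPassword` digest of another type. The dict layout of an entry, the category names and all sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Digest sizes in bytes for the base64-encoded OpenLDAP schemes handled here.
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}
NT_HASH_RE = re.compile(r"[0-9A-Fa-f]{32}")  # MD4 output as 32 hex digits


def parse_user_password(value):
    """Split '{SCHEME}data' into (scheme, digest, salt).

    scheme is None when there is no '{SCHEME}' prefix; digest and salt are
    None for schemes that are not plain base64 digests, such as {CRYPT}.
    """
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value)
    if not m:
        return (None, None, None)
    scheme, data = m.group(1).upper(), m.group(2)
    if scheme not in DIGEST_LEN:
        return (scheme, None, None)
    try:
        raw = base64.b64decode(data, validate=True)
    except binascii.Error:
        raise ValueError("malformed base64 in {%s} value" % scheme)
    n = DIGEST_LEN[scheme]
    salted = scheme in ("SMD5", "SSHA")
    if len(raw) < n or (not salted and len(raw) != n):
        raise ValueError("unexpected length for {%s} value" % scheme)
    return (scheme, raw[:n], raw[n:] if salted else None)


def classify(entry):
    """Say what a sync job could carry over for one source entry (a dict)."""
    if NT_HASH_RE.fullmatch(entry.get("sambaNTPassword", "")):
        return "nt-hash"  # same hash type an AD DC keeps for NTLM
    value = entry.get("userPassword")
    if not value:
        return "no-credential"
    scheme = parse_user_password(value)[0]
    # A one-way digest of another type cannot be turned into an NT hash.
    return "cleartext" if scheme is None else "one-way-" + scheme.lower()


# Constructed sample entries (placeholder bytes, not real credentials).
SSHA = "{SSHA}" + base64.b64encode(bytes(range(24))).decode()
SAMPLES = [
    {"uid": "alice", "sambaNTPassword": "0123456789ABCDEF0123456789ABCDEF"},
    {"uid": "bob", "userPassword": SSHA},
    {"uid": "carol", "userPassword": "{CRYPT}$6$salt$placeholder"},
    {"uid": "dave"},
]
REPORT = {e["uid"]: classify(e) for e in SAMPLES}
```

For entries outside the `nt-hash` group no conversion exists, so they need a password reset or a password change that passes through the new DC.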


