[Samba] How to manage users with encrypted passwords

Stéphane PURNELLE stephane.purnelle at corman.be
Thu Jun 12 07:28:38 MDT 2014


How is the password in ldap ?

You can use in samba DC tools like ldbsearch and ldbmodify for password 
part.
But this is dangerous (ldbmodify) and password must have the same 
encryption.

Hope that you can do some tests before production




-----------------------------------
Stéphane PURNELLE                         Admin. Systèmes et Réseaux 
Service Informatique       Corman S.A.           Tel : 00 32 (0)87/342467

Benjamin Rocton <Benjamin.Rocton at upmf-grenoble.fr> wrote on 12/06/2014 15:13:40:

> From: Benjamin Rocton <Benjamin.Rocton at upmf-grenoble.fr>
> To: Stéphane PURNELLE <stephane.purnelle at corman.be>
> Cc: samba at lists.samba.org
> Date: 12/06/2014 15:13
> Subject: Re: [Samba] How to manage users with encrypted passwords
> 
> Hi,
> 
> Yes, but I do not have the passwords in clear text in the LDAP. I 
> can only have the encrypted password. And it does not seem that we 
> can use samba-tool with an encrypted password?
> 
> Benjamin
> -- 
> Benjamin Rocton
> Université Pierre Mendès France
> 
> On 12/06/2014 15:01, Stéphane PURNELLE wrote:
> OK... 
> 
> One ldap server with some data 
> One DC (samba 4) with auto creation/modify from ldap server. 
> 
> For me, just do a script (scheduled with crontab) read information from ldap
> and use samba-tool for modify/create user
> 
> but you need to extract passwd from ldap server for use it in your script
> 
> regards
> 
>         Stéphane Purnelle 
> 
> -----------------------------------
> Stéphane PURNELLE                         Admin. Systèmes et Réseaux 
> Service Informatique       Corman S.A.           Tel : 00 32 (0)87/342467
> 
> samba-bounces at lists.samba.org wrote on 12/06/2014 14:55:14:
> 
> > From: Benjamin Rocton <Benjamin.Rocton at upmf-grenoble.fr>
> > To: samba at lists.samba.org
> > Date: 12/06/2014 14:55
> > Subject: Re: [Samba] How to manage users with encrypted passwords
> > Sent by: samba-bounces at lists.samba.org
> > 
> > I have two LDAP:
> > One that contains all users and facts for the information system. Not
> > only information for DC. _It is not specified or controlled by
> > me_, I only need to use the information it contains to create the right
> > users in my domain.
> > Another for samba3, with samba3 scheme. It will disappear when samba4
> > will be in production. Currently it is synchronized with the first LDAP
> > through LDAP scripts homemade. I would like to reproduce this behavior
> > with samba4.
> > 
> > 
> > Benjamin
> > 
> > On 12/06/2014 14:03, Rowland Penny wrote:
> > > On 12/06/14 12:46, Benjamin Rocton wrote:
> > >> Thank you for your reply.
> > >>
> > >> I read the wiki about classicupgrade (this is the same as
> > >> samba3upgrade).
> > >> I have no problem to provision samba4 with classicupgrade. It works
> > >> well and I get my users.
> > >> My problem is "after". How I create new users, how do I delete old
> > >> users. I will not re-provision with "classicupgrade" every night for
> > >> a Samba4 updated.
> > >> And I do not want this to be done manually on Samba4. There are too
> > >> many changes.
> > >> In summary:
> > >> I have an LDAP repository (openldap) with a home regimen. It contains
> > >> all the users and their encrypted passwords.
> > >> I want to regularly update Samba4 with the information contained in
> > >> the LDAP.
> > >>
> > >> I don't know if I'm clear. I don't speak English very well.
> > >>
> > >> Benjamin
> > >>
> > >
> > > I think that you are being very clear.
> > >
> > > Let's see if I get this correct:
> > >
> > > You have extracted all your users, groups and computers from your
> > > openldap and by using 'classicupgrade', have inserted them into your
> > > new samba4 AD DC.
> > >
> > > You still want to use your openldap machine AND the new samba4 AD dc,
> > > why?????
> > >
> > > If the upgrade went correctly, turn off the openldap machine, you do
> > > not need it anymore.
> > >
> > > Rowland
> > >>
> > >> On 12/06/2014 13:16, Rowland Penny wrote:
> > >>> On 12/06/14 11:54, Benjamin Rocton wrote:
> > >>>> Hi,
> > >>>>
> > >>>> I do not really understand your question. What is the difference?
> > >>> A great deal actually, samba4 can do anything that samba3 can do 
> > >>> PLUS it can be set up to be an Active Directory domain controller.
> > >>>
> > >>>> I thought samba4 was necessarily an emulation of an AD DC. This is
> > >>>> not the case?
> > >>>
> > >>> Yes and no, see above response.
> > >>>
> > >>>>
> > >>>> I installed two Samba4 DC for tests:
> > >>>> - One with the "samba-tool domain provision" (server role "dc" ldap
> > >>>> internal).
> > >>>> - And another with "samba-tool domain samba3upgrade ..." to import
> > >>>> the data from the current Samba3.
> > >>>>
> > >>>
> > >>> Initially you only need one 'unprovisioned' samba4 AD DC and the 
> > >>> command to run is:
> > >>>
> > >>> samba-tool domain classicupgrade
> > >>>
> > >>> This should extract the info from your S3 PDC and provision S4.
> > >>>
> > >>> I would suggest that you go and read the samba wiki, specifically 
> > >>> this page:
> > >>>
> > >>>  https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
> > >>>
> > >>>
> > >>> I would also hope that you are doing this in a test situation i.e.
> > >>> not in production.
> > >>>
> > >>>> The goal is to have a Samba4 AD DC.
> > >>>>
> > >>>> I do not know if I answered the question. Sorry.
> > >>>
> > >>> Yes, you did, I hope my answers help you to get to your goal.
> > >>>
> > >>> Rowland
> > >>>>
> > >>>> Benjamin
> > >>>>
> > >>>> On 12/06/2014 12:21, Rowland Penny wrote:
> > >>>>> On 12/06/14 10:52, Benjamin Rocton wrote:
> > >>>>>> Hello,
> > >>>>>>
> > >>>>>> I set up Samba4 to replace our Samba3. I am having problems to
> > >>>>>> populate samba4 and automatically manage the lifecycle of users.
> > >>>>>> All of our users are already in an LDAP directory and I would
> > >>>>>> like to create a connector for "synchronised" LDAP users to Samba4.
> > >>>>>> I thought to develop a script that would use Python libraries of
> > >>>>>> Samba-tool.
> > >>>>>>
> > >>>>>> I have a problem to manage passwords.
> > >>>>>> I can not have access to user passwords in clear text. But I can
> > >>>>>> have it in any encrypted form.
> > >>>>>> Are there a solution to push a Hash password to Samba4? If yes,
> > >>>>>> what kind of Hash?
> > >>>>>>
> > >>>>>> In addition, where are stored the passwords in Samba4? Only in 
> > >>>>>> the LDAP? In kerberos? Elsewhere?
> > >>>>>> In what form?
> > >>>>>> I did not find any info on it.
> > >>>>>>
> > >>>>>> Thank you for your help.
> > >>>>>>
> > >>>>>> Regards,
> > >>>>>> Benjamin
> > >>>>>>
> > >>>>> Hi, when you say 'I set up Samba4 to replace our Samba3.' just how
> > >>>>> have you setup samba4 ? Have you used samba4 just like samba3 or
> > >>>>> have you set up an AD DC ?
> > >>>>>
> > >>>>> Once you answer the above, I am sure that we can move on to help
> > >>>>> you get to a working solution.
> > >>>>>
> > >>>>> Rowland
> > >>>>
> > >>>
> > >>
> > >
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
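
The reply at the top of this thread says the password "must have the same encryption" before it can be carried into the Samba DC. As an added example (not part of the original thread, and not Samba project code), the script below audits an LDIF export from the source directory and reports, per user, which hash scheme `userPassword` uses and whether a well-formed NT hash is present. It assumes the export uses the standard `userPassword` attribute and the samba3-schema `sambaNTPassword` attribute; an AD DC keeps an NT hash per account, so salted `userPassword` schemes such as `{SSHA}` or `{CRYPT}` cannot be converted into it. The sample data is constructed.

```python
import base64
import re

NT_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")   # 16-byte NT hash as hex
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")  # e.g. {SSHA}, {CRYPT}

# Constructed sample export; DNs, users and hash values are made up.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=org\n"
    "uid: alice\n"
    "userPassword:: " + base64.b64encode(b"{SSHA}constructed").decode() + "\n"
    "sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "dn: uid=bob,ou=people,\n dc=example,dc=org\n"
    "uid: bob\n"
    "userPassword: {CRYPT}$6$constructedsalt$constructedhash\n"
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=org\n"
    "uid: carol\n"
    "sambaNTPassword: not-a-hash\n"
)

def parse_ldif(text):
    """Return one dict per entry, keys lower-cased, base64 values decoded."""
    entries = []
    unfolded = text.replace("\n ", "")  # LDIF folds long lines as newline + space
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            m = None if line.startswith("#") else re.match(r"^([^:]+)(::?)\s*(.*)$", line)
            if not m:
                continue
            attr, sep, value = m.groups()
            if sep == "::":  # double colon marks a base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry[attr.lower()] = value
        entries.append(entry)
    return entries

def audit(text):
    """Report hash formats per user without ever echoing the hash itself."""
    report = []
    for e in parse_ldif(text):
        m = SCHEME_RE.match(e.get("userpassword", ""))
        report.append({
            "uid": e.get("uid"),
            "userpassword_scheme": m.group(1).upper() if m else None,
            "nt_hash_present": bool(NT_HASH_RE.match(e.get("sambantpassword", ""))),
        })
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF):
        print(row)
```

Accounts reported with `nt_hash_present` false are the ones that would need a password reset rather than a hash transfer.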

