[Samba] How to manage users with encrypted passwords

Rowland Penny rowlandpenny at googlemail.com
Thu Jun 12 07:49:28 MDT 2014

On 12/06/14 13:55, Benjamin Rocton wrote:
> I have two LDAP:
> One that contains all users and facts for the information system. Not 
> only information for DC. _It is not specified or controlled by me_, I 
> only need to use the information it contains to create the right 
> users in my domain.
> Another for samba3, with samba3 scheme. it will disappear when samba4 
> will be in production. Currently it is synchronized with the first 
> LDAP through LDAP scripts homemade. I would like to reproduce this 
> behavior with samba4.

OK, you are extracting users and their associated info from one LDAP and 
using this to create users on another LDAP, which works for you.

You are now trying to upgrade to samba4 AD and having problems 
extracting clear text passwords from your first LDAP machine, I think 
that the only way that this is going to work is by actually 'cracking' 
the user passwords!!!

I think that in this instance, you need to forget using samba4 in AD 
mode and just set it up as your original S3 machine was.

I do not know how the passwords are stored on the LDAP you are trying to 
extract them from, it could be SSHA or similar, but AD stores them as 
unicode encrypted and they are, I believe, stored in 'write-only' 

> Benjamin
> On 12/06/2014 14:03, Rowland Penny wrote:
>> On 12/06/14 12:46, Benjamin Rocton wrote:
>>> Thank you for your reply.
>>> I read the wiki about classicupgrade (this is the same as 
>>> samba3upgrade).
>>> I have no problem to provision samba4 with classicupgrade. It works 
>>> well and I get my users.
>>> My problem is "after": how do I create new users, how do I delete old 
>>> users. I will not re-provision with "classicupgrade" every night to 
>>> keep Samba4 updated.
>>> And I do not want this to be done manually on Samba4. There are too 
>>> many changes.
>>> In summary:
>>> I have an LDAP repository (openldap) with a home regimen. It 
>>> contains all the users and their encrypted passwords.
>>> I want to regularly update Samba4 with the information contained in 
>>> the LDAP.
>>> I don't know if I'm clear. I don't speak English very well.
>>> Benjamin
>> I think that you are being very clear.
>> Let's see if I get this correct:
>> You have extracted all your users, groups and computers from your 
>> openldap and by using 'classicupgrade', have inserted them into your 
>> new samba4 AD DC.
>> You still want to use your openldap machine AND the new samba4 AD dc, 
>> why?????
>> If the upgrade went correctly, turn off the openldap machine, you do 
>> not need it anymore.
>> Rowland
>>> On 12/06/2014 13:16, Rowland Penny wrote:
>>>> On 12/06/14 11:54, Benjamin Rocton wrote:
>>>>> Hi,
>>>>> I do not really understand your question. What is the difference?
>>>> A great deal actually, samba4 can do anything that samba3 can do 
>>>> PLUS it can be set up to be an Active Directory domain controller.
>>>>> I thought samba4 was necessarily an emulation of an AD DC. This is 
>>>>> not the case?
>>>> Yes and no, see above response.
>>>>> I installed two Samba4 DC for tests:
>>>>> - One with the "samba-tool domain provision" (server role "dc" 
>>>>> ldap internal).
>>>>> - And another with "samba-tool domain samba3upgrade ..." to import 
>>>>> the data from the current Samba3.
>>>> Initially you only need one 'unprovisioned' samba4 AD DC and the 
>>>> command to run is:
>>>> samba-tool domain classicupgrade
>>>> This should extract the info from your S3 PDC and provision S4.
>>>> I would suggest that you go and read the samba wiki, specifically 
>>>> this page:
>>>>  https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29 
>>>> I would also hope that you are doing this in a test situation i.e. 
>>>> not in production.
>>>>> The goal is to have a Samba4 AD DC.
>>>>> I do not know if I answered the question. Sorry.
>>>> Yes, you did, I hope my answers help you to get to your goal.
>>>> Rowland
>>>>> Benjamin
>>>>> On 12/06/2014 12:21, Rowland Penny wrote:
>>>>>> On 12/06/14 10:52, Benjamin Rocton wrote:
>>>>>>> Hello,
>>>>>>> I set up Samba4 to replace our Samba3. I am having problems 
>>>>>>> populating samba4 and automatically managing the lifecycle of users.
>>>>>>> All of our users are already in an LDAP directory and I would 
>>>>>>> like to create a connector for "synchronised" LDAP users to Samba4.
>>>>>>> I thought to develop a script that would use Python libraries of 
>>>>>>> Samba-tool.
>>>>>>> I have a problem to manage passwords.
>>>>>>> I cannot have access to user passwords in clear text. But I can 
>>>>>>> have them in any encrypted form.
>>>>>>> Is there a solution to push a password hash to Samba4? If yes, 
>>>>>>> what kind of hash?
>>>>>>> In addition, where are the passwords stored in Samba4? Only in 
>>>>>>> the LDAP? In Kerberos? Elsewhere?
>>>>>>> In what form?
>>>>>>> I did not find any info on it.
>>>>>>> Thank you for your help.
>>>>>>> Regards,
>>>>>>> Benjamin
>>>>>> Hi, when you say 'I set up Samba4 to replace our Samba3.' just 
>>>>>> how have you set up samba4? Have you used samba4 just like samba3 
>>>>>> or have you set up an AD DC?
>>>>>> Once you answer the above, I am sure that we can move on to help 
>>>>>> you get to a working solution.
>>>>>> Rowland
