[Samba] External password sync, unix password sync / passwd program

Ryan Bair ryandbair at gmail.com
Thu Oct 23 09:22:29 MDT 2014


GAPS will not work with a Samba4 DC in the domain. Samba4 doesn't have any
real extendibility in this realm either.

GAPS works by hooking the password change on the DC and then sending the
SHA-1s of the new password to Google. It's important that it's installed on
all DCs because a password change can occur against any writeable DC.

There's another Windows DC solution around that abuses an unused field and
stuffs the SHA-1 in there for sync with GADS. Also not applicable to Samba.

The best approach I have seen is configuring Samba4 to store plaintext
passwords and then sync SHA-1s to Google. For instance:
https://github.com/baboons/samba4-gaps

You could also send the plaintext directly to Google (with Google Apps
Directory Sync), but that's even scarier IMO.


On Thu, Oct 23, 2014 at 10:50 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 22/10/14 17:09, Nick Semenkovich wrote:
>
>> Hi:
>>
>> I've been trying to set up external password sync to Google Apps -- and
>> went so far as to write a script, before realizing "unix password sync" and
>> "passwd program" etc., don't seem to be working in samba 4.2.0 rc2 in AD DC
>> mode.
>>
>> I also stumbled on this prior list posting saying unix password sync
>> doesn't work -- though the MAN pages suggest this is supported:
>> https://lists.samba.org/archive/samba/2014-March/180271.html
>>
>>
>> Are there any plans to support unix password sync while samba is an AD DC?
>>
>> Alternatively, is there a better way to intercept changed samba passwords
>> for sync with other services?
>>
>>
>> Thanks!
>> Nick
>>
> Hi, you needed 'unix password sync' when you had separate unix users and
> samba users, now when samba is run as an AD DC, there is only one user, the
> domain user, so there is nothing to sync it with!
>
> I think what you are after is GAPS:
> https://support.google.com/a/answer/2611859?hl=en
>
> This will sync your AD password to your google apps password, not sure if
> it will work with samba4 AD, it should, but I have never tried it.
>
> Rowland

