[Samba] External password sync, unix password sync / passwd program

Nick Semenkovich nick at semenkovich.com
Thu Oct 23 10:21:32 MDT 2014


Yeah -- this is why I was hoping the "unix password sync" flag would still
be supported.

It's easy to then set the "passwd program" to point to a wrapper that syncs
Google Apps passwords via their Directory API.


I may end up writing a self-service password manager to invoke both
Google's API and some version of "samba-tool user setpassword"

- Nick


On Thu, Oct 23, 2014 at 10:22 AM, Ryan Bair <ryandbair at gmail.com> wrote:

> GAPS will not work with a Samba4 DC in the domain. Samba4 doesn't have any
> real extendibility in this realm either.
>
> GAPS works by hooking the password change on the DC and then sending the
> SHA-1s of the new password to Google. It's important that it's installed on
> all DCs because a password change can occur against any writeable DC.
>
> There's another Windows DC solution around that abuses an unused field and
> stuffs the SHA-1 in there for sync with GADS. Also not applicable to Samba.
>
> The best approach I have seen is configuring Samba4 to store plaintext
> passwords and then sync SHA-1s to Google. For instance:
> https://github.com/baboons/samba4-gaps
>
> You could also send the plaintext directly to Google (with Google Apps
> Directory Sync), but that's even scarier IMO.
>
>
> On Thu, Oct 23, 2014 at 10:50 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
> > On 22/10/14 17:09, Nick Semenkovich wrote:
> >
> >> Hi:
> >>
> >> I've been trying to set up external password sync to Google Apps -- and
> >> went so far as to write a script, before realizing "unix password sync" and
> >> "passwd program" etc., don't seem to be working in samba 4.2.0 rc2 in AD DC
> >> mode.
> >>
> >> I also stumbled on this prior list posting saying unix password sync
> >> doesn't work -- though the MAN pages suggest this is supported:
> >> https://lists.samba.org/archive/samba/2014-March/180271.html
> >>
> >>
> >> Are there any plans to support unix password sync while samba is an AD DC?
> >>
> >> Alternatively, is there a better way to intercept changed samba passwords
> >> for sync with other services?
> >>
> >>
> >> Thanks!
> >> Nick
> >>
> > Hi, you needed 'unix password sync' when you had separate unix users and
> > samba users, now when samba is run as an AD DC, there is only one user, the
> > domain user, so there is nothing to sync it with!
> >
> > I think what you are after is GAPS:
> > https://support.google.com/a/answer/2611859?hl=en
> >
> > This will sync your AD password to your google apps password, not sure if
> > it will work with samba4 AD, it should, but I have never tried it.
> >
> > Rowland
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >



-- 
Nick Semenkovich
Laboratory of Dr. Jeffrey I. Gordon
Medical Scientist Training Program
School of Medicine
Washington University in St. Louis
https://nick.semenkovich.com/
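
The hashed sync described in the quoted reply above, sketched as an added example; it is not part of the original thread and is not code from GAPS or samba4-gaps. It assumes the Directory API user fields `password` and `hashFunction` (with the value `SHA-1` and a hex-encoded digest); the function names and sample accounts are hypothetical and constructed.

```python
import hashlib
import json
from collections import defaultdict


def build_password_update(plaintext: str) -> dict:
    """Body for a Directory API users.update call carrying only the SHA-1 hex digest."""
    digest = hashlib.sha1(plaintext.encode("utf-8")).hexdigest()
    return {"password": digest, "hashFunction": "SHA-1"}


def prepare_sync(events):
    """Map each changed account to its update body; the plaintext is not kept."""
    return {user: build_password_update(pw) for user, pw in events}


def shared_digests(updates):
    """Unsalted SHA-1 is deterministic, so equal passwords give equal digests.

    Returns the groups of accounts whose sync payloads are identical, which is
    why the payload and any stored copy need the same protection as the password.
    """
    by_digest = defaultdict(list)
    for user, body in updates.items():
        by_digest[body["password"]].append(user)
    return sorted(sorted(users) for users in by_digest.values() if len(users) > 1)


# Constructed password-change events (account, new password); not real data.
SAMPLE_EVENTS = [
    ("alice@example.org", "correct horse battery staple"),
    ("bob@example.org", "Tr0ub4dor&3"),
    ("carol@example.org", "correct horse battery staple"),
]

if __name__ == "__main__":
    updates = prepare_sync(SAMPLE_EVENTS)
    print(json.dumps(updates, indent=2))
    print("accounts sharing a digest:", shared_digests(updates))
```

No network call is made; the dictionaries are what a sync job would hand to an authenticated Directory API client over TLS.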

