[Samba] Sync unixUserPassword from AD Password

Andrew Martin amartin at xes-inc.com
Tue Sep 16 12:35:22 MDT 2014


----- Original Message -----
> From: "Sven Schwedas" <sven.schwedas at tao.at>
> To: samba at lists.samba.org
> Sent: Tuesday, September 16, 2014 9:14:42 AM
> Subject: Re: [Samba] Sync unixUserPassword from AD Password
> 
> On 2014-09-16 16:10, Andrew Martin wrote:
> > ----- Original Message -----
> >> From: "Andrew Martin" <amartin at xes-inc.com>
> >> To: samba at lists.samba.org
> >> Sent: Thursday, September 11, 2014 11:53:29 AM
> >> Subject: [Samba] Sync unixUserPassword from AD Password
> >>
> >> Hello,
> >>
> >> I am running a Samba 4.1.6 AD DC on Ubuntu 14.04. I provisioned with
> >> --use-rfc2307 and have followed the instructions here to enable NIS
> >> Extensions:
> >> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Configuring_RFC2307_and_NIS_Extensions_in_a_Samba_AD
> >>
> >> I can see the UNIX Attributes tab in ADUC and have all of the attributes
> >> populated. I am attempting to authenticate a Solaris server to AD, however
> >> it must use the unixUserPassword field for authenticating the user's
> >> password. Currently, unixUserPassword is set to the default value -
> >> ABCD!efgh12345$67890. It seems that I need to install Identity Management
> >> For Unix in order to enable syncing of the AD user's password to the
> >> unixUserPassword field:
> >> http://blogs.technet.com/b/sfu/archive/2010/01/08/using-unixuserpassword-attribute-properly.aspx
> >>
> >> However, I cannot figure out how to install Identity Management for Unix
> >> since this is a Samba 4 DC. Is there a native way in Samba to update the
> >> hash in the unixUserPassword, or a script I could run via cron on the
> >> Samba 4 DC?
> > 
> > Or, does anyone know the hashing algorithm used to generate the
> > unixUserPassword field? Can I manually run a command to populate this field?
> 
> What do you need that for, anyway? It's not used by any of the common
> authentication methods.

Sven,

I have a Solaris server that I am attempting to join to the domain, but the
method it supports requires this unixUserPassword field to be synced with the
user's actual password:
http://wiki.openindiana.org/oi/Active+Directory+Integration

The method I have to use is option 2 on that page (Kerberos + LDAP). For this
server, winbind is not an option. This blog post describes how Microsoft AD
handles populating this attribute, with this "Password Sync" component:
http://blogs.technet.com/b/sfu/archive/2010/01/08/using-unixuserpassword-attribute-properly.aspx

How can I populate this field with Samba4?

Thanks,

Andrew
