[Samba] Sync unixUserPassword from AD Password

Rowland Penny rowlandpenny at googlemail.com
Tue Sep 16 13:01:21 MDT 2014

On 16/09/14 19:35, Andrew Martin wrote:
> ----- Original Message -----
>> From: "Sven Schwedas" <sven.schwedas at tao.at>
>> To: samba at lists.samba.org
>> Sent: Tuesday, September 16, 2014 9:14:42 AM
>> Subject: Re: [Samba] Sync unixUserPassword from AD Password
>> On 2014-09-16 16:10, Andrew Martin wrote:
>>> ----- Original Message -----
>>>> From: "Andrew Martin" <amartin at xes-inc.com>
>>>> To: samba at lists.samba.org
>>>> Sent: Thursday, September 11, 2014 11:53:29 AM
>>>> Subject: [Samba] Sync unixUserPassword from AD Password
>>>> Hello,
>>>> I am running a Samba 4.1.6 AD DC on Ubuntu 14.04. I provisioned with
>>>> --use-rfc2307 and have followed the instructions here to enable NIS
>>>> Extensions:
>>>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Configuring_RFC2307_and_NIS_Extensions_in_a_Samba_AD
>>>> I can see the UNIX Attributes tab in ADUC and have all of the attributes
>>>> populated. I am attempting to authenticate a Solaris server to AD, however
>>>> it must use the unixUserPassword field for authenticating the user's
>>>> password. Currently, unixUserPassword is set to the default value -
>>>> ABCD!efgh12345$67890.
>>>> It seems that I need to install Identity Management For Unix in order to
>>>> enable syncing of the AD user's password to the unixUserPassword field:
>>>> http://blogs.technet.com/b/sfu/archive/2010/01/08/using-unixuserpassword-attribute-properly.aspx
>>>> However, I cannot figure out how to install Identity Management for Unix
>>>> since this is a Samba 4 DC. Is there a native way in Samba to update the
>>>> hash in the unixUserPassword, or a script I could run via cron on the
>>>> Samba 4 DC?
>>> Or, does anyone know the hashing algorithm used to generate the
>>> unixUserPassword field? Can I manually run a command to populate this field?
>> What do you need that for, anyway? It's not used by any of the common
>> authentication methods.
> Sven,
> I have a Solaris server that I am attempting to join to the domain, but the
> method it supports requires this unixUserPassword field to be synced with the
> user's actual password:
> http://wiki.openindiana.org/oi/Active+Directory+Integration
> The method I have to use is option 2 on that page (Kerberos + LDAP). For this
> server, winbind is not an option. This blog post describes how Microsoft AD
> handles populating this attribute, with this "Password Sync" component:
> http://blogs.technet.com/b/sfu/archive/2010/01/08/using-unixuserpassword-attribute-properly.aspx
> How can I populate this field with Samba4?
You are going to have to write your own script around an ldif and use 
ldbmodify to add it to your users.


> Thanks,
> Andrew
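
Added example, not part of the original thread and not Samba's own code: one way to build the LDIF described in the reply above and pass it to ldbmodify. The function names, the `DN<TAB>hash` input format, and the assumption that the Solaris client accepts a crypt(3)-style string in unixUserPassword are this example's own; the path to sam.ldb is site-specific and is passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): emit LDIF that replaces unixUserPassword,
# then hand it to ldbmodify. Hash values are supplied by the caller; the format
# the Solaris client accepts (assumed: a crypt(3) string) must be checked first.

NL='
'

# RFC 2849: a value that starts with space, ':' or '<', ends with a space, or
# contains non-printable/non-ASCII bytes must be written base64 as "attr:: ...".
ldif_attr() {
    needs_b64=no
    case "$2" in
        ' '*|':'*|'<'*|*' '|*"$NL"*) needs_b64=yes ;;
    esac
    if printf '%s' "$2" | LC_ALL=C grep -q '[^ -~]'; then needs_b64=yes; fi
    if [ "$needs_b64" = yes ]; then
        printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

# One modify record: make_record DN HASH
make_record() {
    ldif_attr dn "$1"
    printf 'changetype: modify\nreplace: unixUserPassword\n'
    ldif_attr unixUserPassword "$2"
    printf '%s\n\n' '-'
}

# Read "DN<TAB>HASH" lines on stdin and apply them to the database given as $1
# (path to sam.ldb; site-specific, so passed in rather than hard-coded).
# Runs in a subshell so the umask change does not leak into the caller.
sync_unix_passwords() (
    umask 077                       # the temporary LDIF holds password hashes
    tmp=$(mktemp) || return 1
    while IFS="$(printf '\t')" read -r dn hash; do
        [ -n "$dn" ] && make_record "$dn" "$hash"
    done > "$tmp"
    ldbmodify -H "$1" "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
)
```

A crypt(3) hash cannot be derived from the NT hash the DC stores, so the input to `sync_unix_passwords` has to be produced where the cleartext password is available, such as at password-change time.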
