[Samba] Obtaining password hash from kerberos ?

Denis Cardon denis.cardon at tranquil-it-systems.fr
Sun Oct 4 22:01:46 UTC 2015


Hi Guy,

> I'm trying to merge the LDAP tree of two servers together so that I can
> perform authentication from a web service on the third server to this
> tree. The problem I have is that the passwords (or, more precisely, the
> password hashes) are not stored in LDAP but rather via kerberos.

Why do you think that kerberos hashes are not stored in the ldap tree? Take a look at https://msdn.microsoft.com/en-us/library/ms679920%28v=vs.85%29.aspx and https://msdn.microsoft.com/en-us/library/cc245499.aspx

> Is it possible to get a copy of the password hashes to do the
> authentication on the web service myself?

I am not very sure what you want to do. If you want to reset the password of one samba4 domain using the password hash of another samba4 domain in order to merge them, you may try the patch of Alberto Maria Fiaschi (look on the interweb for pdbedit_ntHash.patch). If it makes sense for you to have two ADs, and your web application cannot handle two authentication sources, then you may try to install an openldap with referral in order to configure only one ldap on your web applications. If you are doing kerberos auth, you may also try the inter realm trust of samba4.3 if the lack of sid filtering is not an issue for you.

> I'm not sure this post belongs on samba's list, but since everything is
> a little 'obscured' by samba, I thought that I could get help here.

Samba, or AD actually, does not make things obscured, it makes them simple to use. But subjacent technologies are not simple per se.

Cheers,

Denis

> 
> Thank you!
> 
> Guy-Laurent Subri


