[Samba] samba-tool user syncpasswords / getpassword usage and clarifications

Denis Cardon dcardon at tranquil.it
Tue Oct 18 20:32:20 UTC 2016

Hi everyone, hi Metze,

looking through the mailing list, it seems that there hasn't been much 
talk about the interesting features offered by syncpassword / 
getpassword that came out with 4.5.0. I was hoping to use this feature 
to pipe a ssha1 and HA1 hashes into an external ldap.

Looking at the command line doc and then at the source code, it gets a 
bit more clear to me and I wanted to have some confirmation on that process.

It seems that the only added value in the supplementalCredential 
attribute is the GPG encrypted password value (Primary:SambaGPG).

And then the PDC running the syncpasswords daemon, which would have the 
gpg private key, monitors the ldap change.

When a supplementalCredentials attribute change event occurs, one can 
use getPassword command and the private key to get the clear text 
password or one of the proposed hash out of the GPG encrypted 
Primary:SambaGPG entry, and then pipe those hashes in external openldap 
or other authentication servers.

If this is the way it works, I was wondering if is there a reason why 
not directly storing the required hashes (ssha1, ssha256, etc.) into the 
supplementalCredentials attribute on the DC doing the password change?



Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint SĂ©bastien sur Loire
tel : +33 (0)

More information about the samba mailing list