[Samba] Provision new domain keeping users and passwords
Andrew Bartlett
abartlet at samba.org
Wed Mar 29 22:13:47 UTC 2017
On Wed, 2017-03-29 at 20:42 +0100, Rowland Penny wrote:
> On Thu, 30 Mar 2017 08:18:30 +1300
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> > On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> > > The users password is stored in an hidden attribute which is
> > > supposed to be unreadable, but you can read it on a Samba DC, but
> > > it is heavily
> > > encoded. You may be able to obtain some of the users password
> > > with
> > > pdbedit, but can you get them all ?
> >
> > To be clear, by design pdbedit can obtain all the unicodePwd values
> > (the NT hash) for users in the domain. For clarity this is the
> > same
> > underlying value as the sambaNTPassword in traditional 'Samba3'
> > domains using LDAP.
> >
> > Andrew Bartlett
> >
>
> Yes, but will all the AD users be in the pdbedit database ?
Yes, pdbedit on an AD DC is a full view of the sam.ldb database.
Andrew Bartlett
More information about the samba
mailing list