[Samba] Provision new domain keeping users and passwords
abartlet at samba.org
Wed Mar 29 22:15:26 UTC 2017
On Wed, 2017-03-29 at 18:18 -0300, Jeanderson Soares wrote:
> 2017-03-29 16:42 GMT-03:00 Rowland Penny via samba <samba at lists.samba
> > On Thu, 30 Mar 2017 08:18:30 +1300
> > Andrew Bartlett <abartlet at samba.org> wrote:
> > > On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> > > > The users password is stored in an hidden attribute which is
> > > > supposed to be unreadable, but you can read it on a Samba DC,
> > but
> > > > it is heavily
> > > > encoded. You may be able to obtain some of the users password
> > with
> > > > pdbedit, but can you get them all ?
> > >
> > > To be clear, by design pdbedit can obtain all the unicodePwd
> > values
> > > (the NT hash) for users in the domain. For clarity this is the
> > same
> > > underlying value as the sambaNTPassword in traditional 'Samba3'
> > > domains using LDAP.
> > >
> > > Andrew Bartlett
> > >
> > Yes, but will all the AD users be in the pdbedit database ?
> # pdbedit -L | wc -l
> # samba-tool user list | wc -l
> It's giving me more!
samba-tool user list omits machine and trust accounts, pdbedit shows
the whole set of accounts.
More information about the samba