[Samba] Google Cloud Directory Service password synchronization for AD DC

Lapin Blanc fabien.toune at lapin-blanc.com
Thu Mar 22 19:58:41 UTC 2018

I'm trying to have my Samba 4 AD DC users mapped and synchronized with
Google Apps for Education accounts.
I would like to start from the native Windows password update procedure to
eventually update the Google Apps password (actually, I think only some
types of hashes are stored).

Google actually provides a tool to synchronize user accounts and profiles
which works just fine. This tool queries an LDAP directory, extracts
relevant information and syncs it with Google Apps.
It would also synchronize passwords if they were in the LDAP directory.
Actually, if I manually set a "userPassword" attribute for a user, using
an MD5 hash for example, synchronization works just fine and the Google Apps
account gets updated.

Alas, if I get it right, Samba 4 acting as an AD DC uses its own internal
LDAP server and also a default Heimdal implementation of Kerberos, also
included in Samba. Thus, the password (or its hash) doesn't get stored in
the LDAP directory (correct me if I'm wrong).

I found smbkrb5pwd, which is an OpenLDAP (slapd) overlay to change LDAP,
Samba and MIT Kerberos passwords at the same time. (Then the password hash
would end up in the directory, where I could synchronize from.) But I guess
I can't use it for Samba's internal LDAP server.

I've also investigated how and where Samba stores domain users'
passwords, but I have difficulty tracking the update procedure... Is
there somewhere I could "intercept" or "get" the password or a usable hash
from? Sorry for my poor English, I basically speak French, and I hope
I've made myself clear...

Thank you

Fabien Toune
