[Samba] Google Cloud Directory Service password synchronization for AD DC

Justin Foreman jforeman at dignitastechnologies.com
Thu Mar 22 20:05:44 UTC 2018


Fabien,

The way that we’ve accomplished this was to ensure that all users have the “Store passwords using reversible encryption” option enabled (which is not optimal) and use a utility called “samba4-gaps.”

Also:
samba-tool domain passwordsettings set --store-plaintext=on

Works perfectly.

https://github.com/baboons/samba4-gaps

Justin

> On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba <samba at lists.samba.org> wrote:
> 
> I'm trying to have my Samba 4 AD DC users mapped and synchronized with
> Google Apps for Education accounts.
> I would like to start from the native Windows password update procedure to
> eventually update the Google Apps password (actually, I think only some
> types of hashes are stored).
> 
> Google actually provides a tool to synchronize user accounts and profiles
> which works just fine. This tool queries an LDAP directory, extracts
> relevant information and syncs it with Google Apps.
> It would also synchronize passwords if they were in the LDAP directory.
> Actually, if I manually set a "userPassword" attribute for a user, using
> an MD5 hash for example, synchronization works just fine and the Google Apps
> account gets updated.
> 
> Alas, if I get it right, Samba 4 acting as an AD DC uses its own internal
> LDAP server and also a default Heimdal implementation of Kerberos, also
> included in Samba. Thus, the password (or its hash) doesn't get stored in
> the LDAP directory (correct me if I'm wrong).
> 
> I found smbkrb5pwd, which is an OpenLDAP (slapd) overlay to change LDAP,
> Samba and MIT Kerberos passwords at the same time. (Then the password hash
> would end up in the directory, where I could synchronize from.) But I guess
> I can't use it for Samba's internal LDAP server.
> 
> I've also investigated how and where Samba stores domain users'
> passwords, but I have difficulty tracking the update procedure... Is
> there somewhere I could "intercept" or "get" the password or a usable hash
> from? Sorry for my poor English, I'm basically a French speaker, and hope
> I've made myself clear...
> 
> Thank you
> 
> Fabien Toune
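Because the approach above turns on reversible (plaintext) password storage domain-wide, a defender will want to know where that is in effect. The following audit script is an added example, not from this thread or from samba4-gaps: it parses a constructed sample of `samba-tool domain passwordsettings show` output and constructed LDIF-style records carrying `userAccountControl`, and reports the domain setting plus the accounts whose per-user "Store passwords using reversible encryption" bit is set (0x80, the AD `UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED` flag; the exact text of the samba-tool output lines is assumed).

```python
import re

# Per-user "Store password using reversible encryption" bit in userAccountControl
# (AD flag UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED; value taken from the AD schema).
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080

# Constructed sample of `samba-tool domain passwordsettings show` output.
SAMPLE_PWSETTINGS = """\
Password informations for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: on
Password history length: 24
"""

# Constructed LDIF-style sample, as ldbsearch would print dn + userAccountControl.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
userAccountControl: 512

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
userAccountControl: 640

dn: CN=svc-sync,CN=Users,DC=samdom,DC=example,DC=com
userAccountControl: 66176
"""

def parse_password_settings(text):
    """Turn 'Key: value' lines into a dict; the header and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            settings[key.strip()] = value.strip()
    return settings

def domain_stores_plaintext(text):
    """True when the domain-wide reversible-encryption setting is switched on."""
    return parse_password_settings(text).get("Store plaintext passwords") == "on"

def parse_ldif_records(text):
    """Yield (dn, userAccountControl) pairs from blank-line separated records."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "dn" in attrs and "userAccountControl" in attrs:
            yield attrs["dn"], int(attrs["userAccountControl"])

def users_with_reversible_encryption(text):
    """DNs of accounts whose userAccountControl has the reversible-encryption bit set."""
    return [dn for dn, uac in parse_ldif_records(text)
            if uac & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED]
```

Run the two functions over real `samba-tool domain passwordsettings show` and `ldbsearch` output to see which accounts would have recoverable passwords on the DC.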
