[Samba] Google Cloud Directory Service password synchronization for AD DC

Garming Sam garming at catalyst.net.nz
Thu Mar 22 20:55:42 UTC 2018


Hi,

If you look at both:

samba-tool user getpassword --help
samba-tool user syncpasswords --help

You may be able to find the information that you're looking for. Samba
does store all the hashes in the LDAP directory, but you have to
normally access them directly from the system (not over LDAP). You
should also note that our Kerberos server reads and updates the password
stored in the directory. You can access the standard unicodePwd with the
NTHASH, but we also additionally generate a number of hashes following
the Windows WDigest schemes as well as OpenLDAP-type hashes (configured
in the smb.conf, more details
https://www.samba.org/samba/history/samba-4.7.0.html). Alternatively
there's also gpg-encrypted access to plaintext passwords, but if you
really want to avoid plaintext, then looking at the other methods would
be ideal.

In theory, this is all supposed to work. I don't think we have any real
documentation on the wiki for assisting people, but we could probably do
with one.

Cheers,

Garming

On 23/03/18 08:58, Lapin Blanc via samba wrote:
> I'm trying to have my Samba 4 AD DC users mapped and synchronized with
> Google Apps for Education accounts.
> I would like to start from the native windows password update procedure to
> eventually update the google apps password (actually, I think only some
> types of hashes are stored).
>
> Google actually provides a tool to synchronize user accounts and profiles
> which works just fine. This tool queries an LDAP directory, extracts the
> relevant information and syncs it with Google Apps.
> It would also synchronize passwords if they were in the LDAP directory.
> Actually, if I manually set a "userPassword" attribute for a user, using an
> MD5 hash for example, synchronization works just fine and the Google Apps
> account gets updated.
>
> Alas, if I get it right, Samba 4 acting as an AD DC uses its own internal
> LDAP server and also a default Heimdal implementation of Kerberos, also
> included in Samba. Thus, the password (or its hash) doesn't get stored in
> the LDAP directory (correct me if I'm wrong).
>
> I found smbkrb5pwd, which is an OpenLDAP (slapd) overlay to change LDAP,
> Samba and MIT Kerberos passwords at the same time. (Then the password hash
> would end up in the directory, where I could synchronize from.) But I guess
> I can't use it for Samba's internal LDAP server.
>
> I've also investigated how and where Samba stores domain users'
> passwords, but I have difficulty tracking the update procedure... Is
> there somewhere I could "intercept" or "get" the password or a usable hash
> from? Sorry for my poor English, I basically speak French, and hope
> I've made myself clear...
>
> Thank you
>
> Fabien Toune
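Garming's pointer to `samba-tool user getpassword` with the virtualCryptSHA256/512 attributes is the hashed (non-plaintext) route to the userPassword value Fabien wants to feed the Google sync tool. As an added example, not code from the thread or from Samba itself: a small Python parser for the LDIF such a command prints (the sample record and its hash are constructed placeholders), which unfolds continuation lines, decodes base64 values and normalizes the hash into an OpenLDAP-style `{CRYPT}` userPassword value. It assumes the virtual attribute carries a crypt(3) string, with or without a `{CRYPT}` prefix.

```python
import base64
import re

# Constructed sample shaped like the LDIF printed by
# `samba-tool user getpassword --attributes=virtualCryptSHA512 ftoune`. The hash
# is a placeholder. LDIF folds long values onto lines starting with one space.
SAMPLE_LDIF = """\
dn: CN=Fabien Toune,CN=Users,DC=example,DC=com
sAMAccountName: ftoune
virtualCryptSHA512: {CRYPT}$6$rounds=5000$examplesalt12345$EXAMPLEHASHpart1EXAMP
 LEHASHpart2EXAMPLEHASHpart3
"""

CRYPT_RE = re.compile(r"^\$(1|5|6)\$")  # crypt(3) MD5 / SHA-256 / SHA-512 ids


def parse_ldif(text):
    """Parse one LDIF record into {attribute: [values]}, unfolding
    continuation lines and decoding base64 ('attr:: ...') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):        # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entry


def to_userpassword(entry):
    """Return an OpenLDAP-style '{CRYPT}$6$...' userPassword value built from
    virtualCryptSHA512 (or SHA256), or None when no usable hash is present.
    Accepts the value with or without an existing {CRYPT} prefix."""
    for attr in ("virtualCryptSHA512", "virtualCryptSHA256"):
        for value in entry.get(attr, []):
            if value.startswith("{CRYPT}"):
                value = value[len("{CRYPT}"):]
            if CRYPT_RE.match(value):
                return "{CRYPT}" + value
    return None
```

Run `to_userpassword(parse_ldif(SAMPLE_LDIF))` to get the single `{CRYPT}` value; a record without a crypt-style virtual attribute (for example one carrying only unicodePwd) yields None rather than a bogus password.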
