[Samba] Google Cloud Directory Service password synchronization for AD DC
Andrew Bartlett
abartlet at samba.org
Thu Mar 22 21:37:23 UTC 2018
On Thu, 2018-03-22 at 21:15 +0100, Lapin Blanc via samba wrote:
> Hi Justin,
>
> Thank you for your answer, I had found this utility during my searches, and
> will probably try it. As you say, reversible + plaintext is far from optimal
> from a security point of view.
> Also, I would like to integrate the solution in a "packaged" distribution
> like for example Zentyal or UCS.
> But I'm happy to learn that this solution is viable, I wouldn't lose my
> time digging in that direction
There is a better solution. Samba now stores a crypt() password hash
for exactly this purpose.
Look into the password sync stuff metze did and use Samba 4.7 or above
and the virtualCryptSHA256 attribute.
Then please patch samba4-gaps to use that please :-)
Andrew Bartlett
> 2018-03-22 21:05 GMT+01:00 Justin Foreman <jforeman at dignitastechnologies.com>:
> > Fabien,
> >
> > The way that we’ve accomplished this was to ensure that all users have the
> > “Store passwords using reversible encryption” (which is not optimal) and
> > use a utility called “samba4-gaps.”
> >
> > Also:
> > samba-tool domain passwordsettings set --store-plaintext=on
> >
> > Works perfectly.
> >
> > https://github.com/baboons/samba4-gaps
> >
> > Justin
> >
> > > On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba <samba at lists.samba.org> wrote:
> > >
> > > I'm trying to have my Samba 4 AD DC users mapped and synchronized with
> > > google apps for education accounts.
> > > I would like to start from the native windows password update procedure to
> > > eventually update the google apps password (actually, I think only some
> > > types of hashes are stored).
> > >
> > > Google actually provides a tool to synchronize user accounts and profiles
> > > which works just fine. This tool queries an LDAP directory, extracts the
> > > relevant information and syncs it with google apps.
> > > It would also synchronize passwords if they were in the LDAP directory.
> > > Actually, if I manually set a "userPassword" attribute for a user, using
> > > MD5 hash for example, synchronization works just fine and the google apps
> > > account gets updated.
> > >
> > > Alas, if I get it right, Samba 4 acting as an AD DC uses its own internal
> > > LDAP server and also a default Heimdal implementation of Kerberos, also
> > > included in Samba. Thus, the password (or its hash) doesn't get stored in
> > > the LDAP directory (correct me if I'm wrong).
> > >
> > > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP,
> > > Samba and MIT Kerberos passwords at the same time. (Then the password hash
> > > would end up in the directory, where I could synchronize from). But I guess
> > > I can't use it for Samba's internal LDAP server.
> > >
> > > I've also investigated how and where Samba stores domain users'
> > > passwords, but I have difficulties tracking the update procedure... Is
> > > there somewhere I could "intercept" or "get" the password or a usable hash
> > > from? Sorry for my poor English, I'm basically speaking French, and hope
> > > I've made myself clear...
> > >
> > > Thank you
> > >
> > > Fabien Toune
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
> >
> >
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
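As an added illustration of the route Andrew points at (this is example code, not part of the thread, of samba4-gaps, or of Samba itself): with `password hash userPassword schemes = CryptSHA256` set in smb.conf on Samba 4.7 or later, `samba-tool user getpassword --attributes=virtualCryptSHA256` returns a salted crypt(3) hash, so nothing needs "Store passwords using reversible encryption" or `--store-plaintext=on`. The script below takes such a record, checks that the value really is a SHA-crypt hash and not a cleartext or unsalted value, and emits an LDIF modify for a `userPassword` attribute that a directory-sync tool could read. The DN, salt and digest are constructed, and whether the sync tool accepts `{CRYPT}` values is an assumption to verify against its documentation.

```shell
#!/bin/sh
# Added example, not code from the thread, from samba4-gaps or from Samba.
# Assumes Samba 4.7 or later with this in smb.conf, so the DC exposes a
# crypt(3) SHA-256 hash instead of a plaintext/reversible password:
#
#   [global]
#   password hash userPassword schemes = CryptSHA256
#
# `samba-tool user getpassword alice --attributes=virtualCryptSHA256` then
# prints an LDIF record shaped like SAMPLE_RECORD below. The DN, salt and
# digest here are constructed for the example, not real output.

SAMPLE_RECORD='dn: CN=alice,CN=Users,DC=example,DC=com
virtualCryptSHA256: {CRYPT}$5$rounds=5000$constructedsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ'

# Print the crypt(3) string from a getpassword record read on stdin, with the
# {CRYPT} scheme tag removed. Exit status is non-zero when the attribute is
# missing, e.g. because the smb.conf option above is not set.
extract_crypt_hash() {
    sed -n 's/^virtualCryptSHA256: {CRYPT}//p' | grep .
}

# Accept only salted SHA-crypt hashes ($5$ = SHA-256, $6$ = SHA-512). Anything
# else (an NT hash, an unsalted MD5 digest, or a cleartext value) is refused
# so that it never reaches the downstream directory.
is_sha_crypt() {
    case "$1" in
        '$5$'*|'$6$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit an LDIF modify that stores the hash in userPassword of the target
# entry ($1 = DN, $2 = crypt string). Whether the sync tool accepts {CRYPT}
# values is an assumption to check against its documentation.
userpassword_ldif() {
    is_sha_crypt "$2" || return 1
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: {CRYPT}%s\n' "$1" "$2"
}

# Stand-alone run: convert the constructed record into an LDIF modify.
if h=$(printf '%s\n' "$SAMPLE_RECORD" | extract_crypt_hash); then
    userpassword_ldif 'uid=alice,ou=People,dc=example,dc=com' "$h"
else
    echo 'virtualCryptSHA256 not present in record' >&2
fi
```

In practice the record would come from `samba-tool user getpassword` (or, for continuous operation, `samba-tool user syncpasswords`, which also exists from 4.7) rather than from the constructed string, and the emitted LDIF would be fed to the directory the sync tool reads. The scheme check is the part worth keeping: it refuses to forward anything that is not a salted SHA-crypt value, which is exactly the property the reversible-encryption route lacks.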