[Samba] Google Cloud Directory Service password synchronization for AD DC

Lapin Blanc fabien.toune at lapin-blanc.com
Thu Mar 22 22:39:20 UTC 2018

Thank you very much for this help. I'll dig deeper into your suggestion.
I'm new to Samba, trying to catch up as fast as I can ;-)
As Google only accepts plain text, Base64, MD5 or SHA1, I'll probably look
for OpenLDAP-type hashes.

I'll read as much Samba documentation as I can and dig for technical information
on how to get there



2018-03-22 21:55 GMT+01:00 Garming Sam <garming at catalyst.net.nz>:

> Hi,
> If you look at both:
> samba-tool user getpassword --help
> samba-tool user syncpasswords --help
> You may be able to find the information that you're looking for. Samba
> does store all the hashes in the LDAP directory, but you have to
> normally access them directly from the system (not over LDAP). You
> should also note that our Kerberos server reads and updates the password
> stored in the directory. You can access the standard unicodePwd with the
> NTHASH, but we also additionally generate a number of hashes following
> the Windows WDigest schemes as well as OpenLDAP-type hashes (configured
> in the smb.conf, more details
> https://www.samba.org/samba/history/samba-4.7.0.html). Alternatively
> there's also gpg-encrypted access to plaintext passwords, but if you
> really want to avoid plaintext, then looking at the other methods would
> be ideal.
> In theory, this is all supposed to work. I don't think we have any real
> documentation on the wiki for assisting people, but we could probably do
> with one.
> Cheers,
> Garming
> On 23/03/18 08:58, Lapin Blanc via samba wrote:
> > I'm trying to have my Samba 4 AD DC users mapped and synchronized with
> > Google Apps for Education accounts.
> > I would like to start from the native Windows password update procedure
> > to eventually update the Google Apps password (actually, I think only some
> > types of hashes are stored).
> >
> > Google actually provides a tool to synchronize user accounts and profiles
> > which works just fine. This tool queries an LDAP directory, extracts the
> > relevant information and syncs it with Google Apps.
> > It would also synchronize passwords if they were in the LDAP directory.
> > Actually, if I manually set a "userPassword" attribute for a user, using
> > an MD5 hash for example, synchronization works just fine and the Google Apps
> > account gets updated.
> >
> > Alas, if I get it right, Samba 4 acting as an AD DC uses its own internal
> > LDAP server and also a default Heimdal implementation of Kerberos, also
> > included in Samba. Thus, the password (or its hash) doesn't get stored in
> > the LDAP directory (correct me if I'm wrong).
> >
> > I found smbkrb5pwd, which is an OpenLDAP (slapd) overlay to change LDAP,
> > Samba and MIT Kerberos passwords at the same time. (Then the password hash
> > would end up in the directory, where I could synchronize it from.) But I
> > guess I can't use it for Samba's internal LDAP server.
> >
> > I've also investigated how and where Samba stores domain users'
> > passwords, but I have difficulty tracking the update procedure... Is
> > there somewhere I could "intercept" or "get" the password or a usable
> > hash from? Sorry for my poor English, I'm basically speaking French, and
> > hope I've made myself clear...
> >
> > Thank you
> >
> > Fabien Toune

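As an added example (not code from this thread or from Samba), a sketch of the hook that a `samba-tool user syncpasswords --script=...` run could call: it parses the LDIF record Samba hands the hook and pulls out the OpenLDAP-style `{SSHA}` value Fabien is looking for, plus a check that such a value matches a given password. Assumed: that the hook receives one LDIF record per changed account on stdin, and that `virtualSSHA` is among the requested and available attributes (see `samba-tool user getpassword --help` for what each virtual attribute needs).

```python
"""Parse the LDIF a `samba-tool user syncpasswords --script=...` hook reads on
stdin and pull out an OpenLDAP-style {SSHA} hash for the sync target.
Constructed example, not Samba's code; assumes one LDIF record per account on
stdin with sAMAccountName and virtualSSHA among the requested attributes."""
import base64
import hashlib
import sys

def make_ssha(password, salt):
    """Build an OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(candidate, ssha_value):
    """Check a password against a {SSHA} value (20-byte digest, then salt)."""
    if not ssha_value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(ssha_value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest

def parse_ldif(text):
    """Return {attribute: value} for one LDIF record; folded continuation
    lines (leading space) are joined and 'attr:: base64' values decoded."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]            # LDIF line folding
        elif line.strip():
            lines.append(line)
    record = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):            # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        record[name] = value.strip()
    return record

def hash_for_sync(ldif_text, attribute="virtualSSHA"):
    """Return (sAMAccountName, hash) for the downstream sync step."""
    rec = parse_ldif(ldif_text)
    return rec["sAMAccountName"], rec[attribute]

# Constructed sample of what the hook would read on stdin.
SAMPLE_LDIF = ("dn: CN=Fabien Toune,CN=Users,DC=example,DC=com\n"
               "sAMAccountName: ftoune\n"
               "virtualSSHA: " + make_ssha("Secret123", b"s4lt") + "\n")

if __name__ == "__main__":
    print(*hash_for_sync(sys.stdin.read() or SAMPLE_LDIF))
```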