[Samba] Synchronizing passwords to Samba 4

Sebastien BEAUDLOT sebastien.beaudlot at univ-avignon.fr
Wed Oct 3 14:26:44 UTC 2018


Actually, I can update unicodePwd through LSC, and the new password is working for authentication.
This is the intended feature, so the problem seems solved.

--
Sébastien BEAUDLOT
Université d'Avignon et des Pays de Vaucluse
--

----- Original Message -----
From: "samba" <samba at lists.samba.org>
To: "samba" <samba at lists.samba.org>
Sent: Friday 28 September 2018 12:16:41
Subject: Re: [Samba] Synchronizing passwords to Samba 4

On Fri, 28 Sep 2018 11:49:47 +0200
Denis Cardon via samba <samba at lists.samba.org> wrote:

> Hi Sébastien,
> 
> >> I'm trying to synchronize user accounts from LDAP to Samba 4 AD
> >> (using LSC) but it seems that password update through ldap is not
> >> allowed.
> >>
> >> I failed to find details about it, but can someone confirm that
> >> unicodePwd cannot be read / written through an LDAPS connection? Is
> >> there any workaround ?
> 
> The unicodePwd attribute is not used by AD. 

If that is the case, how come if I type my password to login, I get
logged in ?

>Active Directory use

You missed out the word 'can' between 'Directory' and 'use'
 
> multiple kerberos hashes with different encryption type and a NTLM
> hash and they are stored in the supplementalCredentials attribute
> (which is neither readable nor writable directly through LDAP).

That is correct.

Whilst you cannot read the unicodePWD attribute over ldap, you can set
it via ldap. You need to do it as a modify, first delete the existing
unicodePWD attribute and then add the new one. The password must be
base64 encoded inside double quotes.
Finally, you must do all of this over SSL.

Rowland
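
The modify described above, as an added example that is not part of the thread or of Samba's or LSC's code: it builds the LDIF record (delete the current unicodePwd, add the new one) and refuses non-ldaps:// URIs. It assumes the quoted password is encoded as UTF-16LE before base64, as AD-style directories expect, and that the delete carries the current password; all DNs, hosts and passwords are constructed samples.

```python
import base64
from urllib.parse import urlparse

def encode_unicode_pwd(password: str) -> str:
    """Wrap the password in double quotes, encode as UTF-16LE, then base64."""
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")

def dn_line(user_dn: str) -> str:
    """Emit the LDIF dn line; non-ASCII DNs must be base64 (dn::)."""
    if "\r" in user_dn or "\n" in user_dn:
        raise ValueError("DN must not contain line breaks")
    if user_dn.isascii():
        return f"dn: {user_dn}"
    return "dn:: " + base64.b64encode(user_dn.encode("utf-8")).decode("ascii")

def build_password_ldif(user_dn: str, old_password: str, new_password: str) -> str:
    """One modify record: delete the existing unicodePwd, then add the new one."""
    return "\n".join([
        dn_line(user_dn),
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(old_password)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(new_password)}",
        "-",
        "",
    ])

def require_ldaps(uri: str) -> str:
    """Refuse any URI that is not ldaps://, since the change must go over SSL."""
    if urlparse(uri).scheme.lower() != "ldaps":
        raise ValueError(f"refusing to send a password over {uri!r}: use ldaps://")
    return uri

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    uri = require_ldaps("ldaps://dc1.example.test")
    print(f"# apply with an LDAP client connected to {uri}")
    print(build_password_ldif("CN=Test User,CN=Users,DC=example,DC=test",
                              "OldPassw0rd!", "NewPassw0rd!"))
```
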
 
