[Samba] Syncing password change across NT4 and AD domains
lists at boyandin.info
Tue Sep 18 08:10:42 UTC 2018
Thanks to the assistance from Samba devs, I managed to upgrade the existing
Samba 3 (NT4) domain to Samba 4 (they are co-existing in the same
network, while services/computers are being migrated to AD).
The sequence of actions was:
- run "classic upgrade" against local OpenLDAP-based replica of existing
- extract from Samba 3 domain LDAP dump Posix attributes for users
(required to log on to Unix systems)
- import the mentioned LDIF containing extracted attributes into AD
- set up authentication at Linux servers via Kerberos 5 (+ LDAP to get
user Posix attributes)
(in case someone could use details, I can post elsewhere my working
There's a small task remaining, save switching other services to
authentication against Samba 4: syncing users' passwords.
On Samba 4, as far as I understand, non-root users change their AD
passwords via "smbpasswd".
On the Samba 3 setup we use the "smbldap-passwd" utility.
Question: how do I sync passwords, to avoid, when possible, changing
passwords on both domains for the duration of the migration period? An ugly
approach would be to get the user's input at smbldap-passwd and pass it to
"samba-tool" on the Samba 4 DC, to change the password for the same user.
Is there something less ugly and without obvious security issues?
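
The extract-and-import steps listed in the message, as an added example (not the poster's scripts, which the message does not include): it reads a Samba 3 LDIF dump and emits AD modify records through an attribute allow-list, so password hashes such as sambaNTPassword never reach the intermediate file. The `CN=<uid>,<users base>` DN layout, the mapping to RFC 2307 attribute names, and the sample dump are assumptions.

```python
import base64
import re

# Samba 3 posixAccount attribute (lower-cased) -> AD RFC 2307 attribute (assumed).
ATTR_MAP = {"uidnumber": "uidNumber", "gidnumber": "gidNumber",
            "loginshell": "loginShell", "homedirectory": "unixHomeDirectory"}

# Constructed sample dump (not from the post): one user, one machine account.
SAMPLE_DUMP = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10000
homeDirectory:: L2hvbWUvYWxpY2U=
loginShell: /bin/bash
sambaNTPassword: 0123456789ABCDEF
 0123456789ABCDEF

dn: uid=pc01$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
uid: pc01$
"""

def parse_ldif(text):
    """Yield {attr_lower: [values]} per entry; unfolds lines, decodes base64."""
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                if value.startswith(":"):  # "attr:: <base64>"
                    value = base64.b64decode(value[1:]).decode("utf-8")
                entry.setdefault(name.lower(), []).append(value.strip())
        yield entry

def posix_modify_ldif(dump, users_base):
    """Return LDIF modify records for users, allow-listed attributes only."""
    records = []
    for e in parse_ldif(dump):
        uid = e.get("uid", [""])[0]  # machine accounts end in "$"
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "posixaccount" in classes and re.fullmatch(r"[A-Za-z0-9._-]+", uid):
            rec = [f"dn: CN={uid},{users_base}", "changetype: modify"]
            for src, dst in ATTR_MAP.items():
                value = e.get(src, [""])[0]
                if re.fullmatch(r"[!-~][ -~]*", value) and value[0] not in ":<":
                    rec += [f"replace: {dst}", f"{dst}: {value}", "-"]
            records.append("\n".join(rec))
    return "\n\n".join(records) + "\n"
```

Account names or values that would need DN or LDIF escaping are left out rather than written unescaped, so compare the record count against the dump before importing.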