[Samba] Syncing password change across NT4 and AD domains

Konstantin Boyandin lists at boyandin.info
Tue Sep 18 08:10:42 UTC 2018


Hello,

Thanks to the assistance from Samba devs, I managed to upgrade the existing
Samba 3 (NT4) domain to Samba 4 (they are co-existing in the same
network, while services/computers are being migrated to AD).

The sequence of actions was:
- run "classic upgrade" against a local OpenLDAP-based replica of the existing
NT4 domain
- extract from the Samba 3 domain LDAP dump the POSIX attributes for users
(required to log on to Unix systems)
- import the mentioned LDIF containing the extracted attributes into AD
(with ldbmodify)
- set up authentication at Linux servers via Kerberos 5 (+ LDAP to get
user POSIX attributes)

(in case someone could use details, I can post elsewhere my working 
notes)

There's a small task remaining, save switching other services to
authentication against Samba 4: syncing users' passwords.

On Samba 4, as far as I understand, non-root users change their AD 
passwords via "smbpasswd".

On the Samba 3 setup we use the "smbldap-passwd" utility.

Question: how do I sync passwords, to avoid, when possible, changing
passwords on both domains for the duration of the migration period? An ugly
approach would be to get the user's input at smbldap-passwd and pass it to
"samba-tool" on the Samba 4 DC, to change the password for the same user.

Is there something less ugly and without obvious security issues?

Thanks.

Sincerely,
Konstantin


