[Samba] Synchronizing passwords to Samba 4

Denis Cardon dcardon at tranquil.it
Fri Sep 28 09:49:47 UTC 2018

Hi Sébastien,

>> I'm trying to synchronize user accounts from LDAP to Samba 4 AD
>> (using LSC) but it seems that password update through ldap is not
>> allowed.
>> I failed to find details about it, but can someone confirm that
>> unicodePwd cannot be read / wrote trough a LDAPS connection ? Is
>> there any workaround ?

The unicodePwd attribute is not used by AD. Active Directory use 
multiple kerberos hashes with different encryption type and a NTLM hash 
and they are store in the supplementalCredentials attribute (which is 
neither readable of writable directly through LDAP).

If you want to pipe a password hash from an OpenLDAP to a Samba-AD, the 
only solution is to have the NTLM hash and use the pdbedit --set-nt-hash 
command line on the domain controller. It will store the NTLM hash and 
create a derivative kerberos hash from that NTLM hash.

Another solution is to use a webgui for password change and change the 
password both in OpenLDAP and Samba-AD from that webgui script.

If it is possible to let Samba-AD handle all password change, then you 
can ask Samba to create different password hashes when someone changes 
its password from its Windows workstation. Then you can pipe the hashes 
in OpenLDAP from the Samba-AD.



>> Regards.
> No you cannot read the unicode password over the wire, but there is
> always samba-tool ;-)
> read 'samba-tool user syncpasswords --help'
> Rowland

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

More information about the samba mailing list