[Samba] Synchronizing passwords to Samba 4
dcardon at tranquil.it
Fri Sep 28 09:49:47 UTC 2018
>> I'm trying to synchronize user accounts from LDAP to Samba 4 AD
>> (using LSC) but it seems that password update through ldap is not
>> I failed to find details about it, but can someone confirm that
>> unicodePwd cannot be read / wrote trough a LDAPS connection ? Is
>> there any workaround ?
The unicodePwd attribute is not used by AD. Active Directory use
multiple kerberos hashes with different encryption type and a NTLM hash
and they are store in the supplementalCredentials attribute (which is
neither readable of writable directly through LDAP).
If you want to pipe a password hash from an OpenLDAP to a Samba-AD, the
only solution is to have the NTLM hash and use the pdbedit --set-nt-hash
command line on the domain controller. It will store the NTLM hash and
create a derivative kerberos hash from that NTLM hash.
Another solution is to use a webgui for password change and change the
password both in OpenLDAP and Samba-AD from that webgui script.
If it is possible to let Samba-AD handle all password change, then you
can ask Samba to create different password hashes when someone changes
its password from its Windows workstation. Then you can pipe the hashes
in OpenLDAP from the Samba-AD.
> No you cannot read the unicode password over the wire, but there is
> always samba-tool ;-)
> read 'samba-tool user syncpasswords --help'
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 126.96.36.199.55
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
More information about the samba