[Samba] Synchronizing passwords to Samba 4

Rowland Penny rpenny at samba.org
Fri Sep 28 10:16:41 UTC 2018

On Fri, 28 Sep 2018 11:49:47 +0200
Denis Cardon via samba <samba at lists.samba.org> wrote:

> Hi Sébastien,
> >> I'm trying to synchronize user accounts from LDAP to Samba 4 AD
> >> (using LSC) but it seems that password update through ldap is not
> >> allowed.
> >>
> >> I failed to find details about it, but can someone confirm that
> >> unicodePwd cannot be read / wrote trough a LDAPS connection ? Is
> >> there any workaround ?
> The unicodePwd attribute is not used by AD. 

If that is the case, how come if I type my password to login, I get
logged in ?

> Active Directory use

You missed out the word 'can' between 'Directory' and 'use'.
> multiple kerberos hashes with different encryption type and a NTLM
> hash and they are store in the supplementalCredentials attribute
> (which is neither readable of writable directly through LDAP).

That is correct.

Whilst you cannot read the unicodePWD attribute over ldap, you can set
it via ldap. You need to do it as a modify, first delete the existing
unicodePWD attribute and then add the new one. The password must be
base64 encoded inside double quotes. 
Finally, you must do all of this over SSL.
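The delete-then-add modify described above, written out as an added example (not code from the thread or from Samba). It assumes the usual AD convention that the password is wrapped in double quotes and encoded as UTF-16LE before the base64 step, that the delete names the current password value (the form AD uses for a user-initiated change), and a hypothetical user DN and ldaps:// host.

```python
import base64


def encode_unicode_pwd(password: str) -> str:
    """Return the base64 value used for unicodePwd in an LDIF change record.

    AD and Samba AD expect the new password wrapped in double quotes and
    encoded as UTF-16LE; because the result is binary, LDIF carries it
    base64-encoded behind the '::' separator.
    """
    quoted = f'"{password}"'.encode("utf-16-le")
    return base64.b64encode(quoted).decode("ascii")


def decode_unicode_pwd(value: str) -> str:
    """Inverse of encode_unicode_pwd, used here only to sanity-check a value."""
    raw = base64.b64decode(value).decode("utf-16-le")
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted password")
    return raw[1:-1]


def build_password_change_ldif(user_dn: str, old_password: str, new_password: str) -> str:
    """Build one LDIF modify that deletes the existing unicodePwd value and adds the new one.

    The attribute cannot be read back over LDAP, so the caller must already
    know the current password to name it in the delete step.
    """
    lines = [
        f"dn: {user_dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(old_password)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(new_password)}",
        "-",
        "",
    ]
    return "\n".join(lines)


def ldapmodify_command(ldap_url: str, bind_dn: str, ldif_path: str) -> list:
    """Assemble the ldapmodify argument vector, refusing anything but ldaps://.

    The DC rejects unicodePwd changes on a plaintext connection, so the check
    turns a confusing server-side error into an early, explicit failure.
    """
    if not ldap_url.lower().startswith("ldaps://"):
        raise ValueError("unicodePwd changes must go over SSL: use an ldaps:// URL")
    return ["ldapmodify", "-H", ldap_url, "-D", bind_dn, "-W", "-f", ldif_path]
```

Writing the returned LDIF to a file and running the assembled ldapmodify command against the DC performs the change; the DC still enforces its own password policy on the new value.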