[Samba] Synchronizing passwords to Samba 4
Rowland Penny
rpenny at samba.org
Fri Sep 28 10:16:41 UTC 2018
On Fri, 28 Sep 2018 11:49:47 +0200
Denis Cardon via samba <samba at lists.samba.org> wrote:
> Hi Sébastien,
>
> >> I'm trying to synchronize user accounts from LDAP to Samba 4 AD
> >> (using LSC) but it seems that password update through ldap is not
> >> allowed.
> >>
> >> I failed to find details about it, but can someone confirm that
> >> unicodePwd cannot be read / written through an LDAPS connection? Is
> >> there any workaround?
>
> The unicodePwd attribute is not used by AD.
If that is the case, how come if I type my password to log in, I get
logged in?
> Active Directory use
You missed out the word 'can' between 'Directory' and 'use'
> multiple Kerberos hashes with different encryption types and an NTLM
> hash and they are stored in the supplementalCredentials attribute
> (which is neither readable nor writable directly through LDAP).
That is correct.
Whilst you cannot read the unicodePWD attribute over ldap, you can set
it via ldap. You need to do it as a modify, first delete the existing
unicodePWD attribute and then add the new one. The password must be
base64 encoded inside double quotes.
Finally, you must do all of this over SSL.
Rowland
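
The modify described in the reply above, as an added example that is not part of the original message or of Samba's own code: it builds the LDIF record that deletes the old unicodePwd value and adds the new one, and refuses a non-LDAPS URI. Assumptions not stated in the post: the quoted password is encoded as UTF-16LE before base64 (Microsoft's documented unicodePwd format), the delete clause carries the old password, and the DN, host name and passwords are constructed sample values.

```python
import base64

def encode_unicode_pwd(password: str) -> str:
    """Base64 of the double-quoted password in UTF-16LE (goes after 'unicodePwd::')."""
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")

def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or the base64 form 'attr:: ...' when LDIF requires it."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def require_ldaps(uri: str) -> str:
    """Refuse any URI that would carry the password over an unencrypted connection."""
    if not uri.lower().startswith("ldaps://"):
        raise ValueError(f"refusing to send unicodePwd over {uri!r}: use ldaps://")
    return uri

def password_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """One LDIF modify record: delete the existing unicodePwd, then add the new one."""
    if not new_password:
        raise ValueError("new password must not be empty")
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(old_password)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(new_password)}",
        "-",
        "",
    ])

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    require_ldaps("ldaps://dc1.example.test")
    print(password_change_ldif("CN=Test User,CN=Users,DC=example,DC=test",
                               "OldPassw0rd!", "NewPassw0rd!"))
```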