[Samba] Set a temporary password on user accounts (samba4)

Rowland Penny rpenny at samba.org
Thu Sep 5 10:38:02 UTC 2019

On 05/09/2019 08:37, Daniel Berteaud via samba wrote:
> Hi there.
> I'm looking for a way to temporarily change password for some users.
> I have a samba4 install in DC mode (running samba 4.8.3), everything is
> working fine. I'm now migrating an email system which will use samba4
> auth (Zimbra, but doesn't matter here).
> I'd like to set a temp password, so I can migrate imap trees with
> imapsync or similar, then, when everything is done, restore the previous
> password of the users (without forcing them to reset it)
> I've read this thread:
> https://lists.samba.org/archive/samba/2017-April/207637.html. So, it
> should be possible to backup the unicodePwd attr, then restore it and
> wipe supplementalCredentials. But, I'd prefer being able to generate AES
> kerb tickets (as users do not change their password often)
> Can I backup the whole user entry, and restore it later? Or just a set
> of attributes? Only supplementalCredentials and unicodePwd are enough?

No, you cannot backup and restore the entire AD object, a lot of the 
attributes are only writeable by the system.

You can certainly try to do what you propose, but I think your best 
option would be to change the user's password, do your imap migration, 
then change the password again with 'must change password at next 
logon', not really what you want to do.

> In the SMB 3 days, I could just backup hashes from /etc/shadow and
> /etc/smb/smbpasswd (or OpenLDAP depending on the backend) and then
> restore them, it was easy.

And a lot less secure ;-)
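
The workflow suggested in this reply (temporary password, migration, then a new password flagged 'must change at next logon'), sketched as an added example that is not part of the original thread. The function names, the `MIG_USER`/`MIG_PASSWORD` variables, `HANDOVER_FILE` and the migration hook are assumptions; with `DRY_RUN=1` the `samba-tool` commands are printed instead of run.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): temporary-password workflow on a Samba AD DC.
# Note: --newpassword is visible in the process list while samba-tool runs,
# so run this only on a DC where local shell access is restricted.
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print commands only
HANDOVER_FILE="${HANDOVER_FILE:-./handover.txt}"  # hypothetical output file

# 128 random bits as hex, prefixed so upper/lower/digit/symbol are all present.
gen_password() {
    printf 'Aa1-%s' "$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
}

# Execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = user, $2 = password, remaining args = extra samba-tool options.
set_password() {
    local user="$1" pw="$2"
    shift 2
    run samba-tool user setpassword "$user" --newpassword="$pw" "$@"
}

# $1 = user, remaining args = migration command (hypothetical hook, e.g. an
# imapsync wrapper) that reads MIG_USER and MIG_PASSWORD from its environment.
migrate_user() {
    local user="$1" temp final rc=0
    shift
    temp="$(gen_password)"
    final="$(gen_password)"
    set_password "$user" "$temp" || return 1
    MIG_USER="$user" MIG_PASSWORD="$temp" "$@" || rc=$?
    # Retire the temporary password even when the migration failed.
    set_password "$user" "$final" --must-change-at-next-login || return 1
    # The user needs this one-time password to log on and choose a new one.
    ( umask 077; printf '%s %s\n' "$user" "$final" >> "$HANDOVER_FILE" )
    return "$rc"
}

# Usage after sourcing this file (script name is a placeholder):
#   DRY_RUN=0 migrate_user alice ./sync-one-mailbox.sh
```

The original password is not restored by this approach; each user gets a new one-time password from the hand-over file and must change it at the next logon.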

