[Samba] Set a temporary password on user accounts (samba4)

[Daniel Berteaud]

Le 05/09/2019 à 12:38, Rowland penny via samba a écrit :
>>
>> Can I backup the whole user entry, and restore it later ? Or just a set
>> of attributes ? Only supplementalCredentials and unicodePwd are enough ?
>
> No, you cannot backup and restore the entire AD object, a lot of the
> attributes are only writeable by the system.


Even with ldbmodify ?


>
> You can certainly try to do what you propose, but I think your best
> option would be to change the users password, do your imap migration,
> then change the password again with 'must change password at next
> logon', not really what you want do.


Yep, that's the easy path, but I'd like to avoid it. In this case it's
for a one shot imap migration, but I sometime have to impersonate a user
for debuging purpose, and being able to restore the previous password
without bothering users with password reset is a must.


>>
>> In the SMB 3 days, I could just backup hashes from /etc/shadow and
>> /etc/smb/smbpasswd (or OpenLDAP depending on the backend) and then
>> restore them, it was easy.
>
> And a lot less secure ;-)


A bit less, but if the DC is compromised, I'm screwed anyway, so ...