[Samba] Set a temporary password on user accounts (samba4)

Daniel Berteaud daniel at firewall-services.com
Thu Sep 5 10:43:59 UTC 2019

Le 05/09/2019 à 12:38, Rowland penny via samba a écrit :
>> Can I backup the whole user entry, and restore it later ? Or just a set
>> of attributes ? Only supplementalCredentials and unicodePwd are enough ?
> No, you cannot backup and restore the entire AD object, a lot of the
> attributes are only writeable by the system.

Even with ldbmodify ?

> You can certainly try to do what you propose, but I think your best
> option would be to change the users password, do your imap migration,
> then change the password again with 'must change password at next
> logon', not really what you want do.

Yep, that's the easy path, but I'd like to avoid it. In this case it's
for a one shot imap migration, but I sometime have to impersonate a user
for debuging purpose, and being able to restore the previous password
without bothering users with password reset is a must.

>> In the SMB 3 days, I could just backup hashes from /etc/shadow and
>> /etc/smb/smbpasswd (or OpenLDAP depending on the backend) and then
>> restore them, it was easy.
> And a lot less secure ;-)

A bit less, but if the DC is compromised, I'm screwed anyway, so ...

More information about the samba mailing list