[Samba] Try to understand samba-tool user getpassword/syncpasswords

Christian Rößner lists at mlserv.org
Tue Jan 28 18:37:38 UTC 2020


Hello,

this is my first post here. I am running a Samba AD 4.9.5 from Debian Buster (10). I have added the following line to my config:

---------------------------------------------------------
password hash userPassword schemes = CryptSHA512
---------------------------------------------------------

That works perfectly. By setting/changing the password of a user, an SSHA-512 is generated. I need this for an external OpenLDAP server, which also uses exactly that hash algorithm.

Now my question is how exactly syncpasswords works. I followed the text given by --help and initialized a cache with certain attributes and a Python script. But it seems my script is not correct at the moment, as I only saw some records concerning the Guest account in AD.

Can somebody give me more detail on how the script must be made? My thinking is that I run in an endless loop reading from stdin and whenever data comes in, I parse it and do some work.

---------------------------------------------------------
#!/usr/bin/python2.7

import os
import sys

# samba-tool starts this script once per changed object (see "Call Popen[...]"
# in the log below) and writes one LDIF record to its stdin; anything the
# script prints on stdout ends up in samba-tool's own log.  The file is opened
# for appending, not with "w", so that each invocation does not truncate the
# records written by the previous one, and it is created mode 0600 because the
# records carry password hashes.
LOG = "/var/log/samba/syncpws.out"


def main():
	fd = os.open(LOG, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
	fd_out = os.fdopen(fd, "a")
	while True:
		line = sys.stdin.readline()
		if line == "":		# EOF: Samba has closed our stdin
			break
		fd_out.write(line)
	fd_out.write("\n")		# blank line between records, as in LDIF
	fd_out.close()


if __name__ == "__main__":
	main()
	sys.exit(os.EX_OK)
---------------------------------------------------------

Of course I first want to collect information about what Samba is sending. Therefore the script is just the beginning. But it does not work. So here is what happens:

---------------------------------------------------------
root at dc1 ~ # samba-tool user syncpasswords --cache-ldb-initialize --attributes=objectGUID,objectSID,sAMAccountName,userPrincipalName,userAccountControl,pwdLastSet,msDS-KeyVersionNumber,virtualCryptSHA512 --script=/usr/local/bin/syncpws.py
Connecting to 'ldapi:///var/lib/samba/private/ldap_priv/ldapi'
Initialized cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
dn: KEY=USERSYNCPASSWORDS
objectClass: userSyncPasswords
samdbUrl: ldapi:///var/lib/samba/private/ldap_priv/ldapi
dirsyncFilter: (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:
 =512)(!(sAMAccountName=krbtgt*)))
dirsyncAttribute: unicodePwd
dirsyncAttribute: dBCSPwd
dirsyncAttribute: supplementalCredentials
dirsyncAttribute: pwdLastSet
dirsyncAttribute: sAMAccountName
dirsyncAttribute: userPrincipalName
dirsyncAttribute: userAccountControl
dirsyncAttribute: isDeleted
dirsyncAttribute: isRecycled
dirsyncControl: dirsync:1:0:0
passwordAttribute: objectGUID
passwordAttribute: objectSID
passwordAttribute: sAMAccountName
passwordAttribute: userPrincipalName
passwordAttribute: userAccountControl
passwordAttribute: pwdLastSet
passwordAttribute: msDS-KeyVersionNumber
passwordAttribute: virtualCryptSHA512
passwordAttribute: isDeleted
passwordAttribute: isRecycled
decryptSambaGPG: FALSE
syncCommand: /usr/local/bin/syncpws.py
currentTime: 20200128183012.0Z
---------------------------------------------------------

Next:
---------------------------------------------------------
root at dc1 ~ # samba-tool user syncpasswords --logfile=/var/log/samba/syncpasswords.log --daemon
Using logfile[/var/log/samba/syncpasswords.log]
---------------------------------------------------------

Output of the Python script:
---------------------------------------------------------
dn: CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
objectGUID: bfccee18-25f6-450b-83e7-d0383d1381d4
userAccountControl: 66082
pwdLastSet: 0
objectSid: S-1-5-21-3425388511-3413835514-1604983467-501
sAMAccountName: Guest
msDS-KeyVersionNumber: 1
---------------------------------------------------------

The log file from Samba:
---------------------------------------------------------
Tue Jan 28 19:31:09 2020: pid[4920]: Attached to logfile[/var/log/samba/syncpasswords.log]
Tue Jan 28 19:31:09 2020: pid[4920]: Using cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
Tue Jan 28 19:31:09 2020: pid[4922]: Daemonized as pid 4922 (from 4920)
Tue Jan 28 19:31:09 2020: pid[4922]: Using cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
Tue Jan 28 19:31:09 2020: pid[4922]: currentPid: 4922
Tue Jan 28 19:31:09 2020: pid[4922]: Wait before connect - sleep(1)
Tue Jan 28 19:31:10 2020: pid[4922]: Connecting to 'ldapi:///var/lib/samba/private/ldap_priv/ldapi'
Tue Jan 28 19:31:10 2020: pid[4922]: Resuming monitoring
dirsyncFilter: (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(sAMAccountName=krbtgt*)))
dirsyncControls: ['dirsync:1:0:0', 'extended_dn:1:0']
syncCommand: /usr/local/bin/syncpws.py
Tue Jan 28 19:31:10 2020: pid[4922]: dirsync_loop(): results 10
Tue Jan 28 19:31:10 2020: pid[4922]: # Dirsync[0] bfccee18-25f6-450b-83e7-d0383d1381d4 S-1-5-21-3425388511-3413835514-1604983467-501
dn: <GUID=bfccee18-25f6-450b-83e7-d0383d1381d4>;<SID=S-1-5-21-3425388511-3413835514-1604983467-501>;CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
sAMAccountName: Guest
pwdLastSet: 0
userAccountControl: 66082
objectGUID: bfccee18-25f6-450b-83e7-d0383d1381d4
instanceType: 4

Tue Jan 28 19:31:10 2020: pid[4922]: # Passwords[0] bfccee18-25f6-450b-83e7-d0383d1381d4 S-1-5-21-3425388511-3413835514-1604983467-501
# attrs=['dn', 'msDS-KeyVersionNumber', 'objectGUID', 'objectSid', 'pwdLastSet', 'sAMAccountName', 'userAccountControl']
Tue Jan 28 19:31:10 2020: pid[4922]: Call Popen[/usr/local/bin/syncpws.py] for CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
Tue Jan 28 19:31:10 2020: pid[4922]:
Tue Jan 28 19:31:10 2020: pid[4922]: RESULT: 0
ERROR(exception): uncaught exception - ERROR: 0 -

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2351, in run
    sync_loop(wait)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2240, in sync_loop
    dirsync_loop()
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2217, in dirsync_loop
    handle_object(ri, r)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2027, in handle_object
    run_sync_command(obj.dn, ldif)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 1996, in run_sync_command
    raise Exception("ERROR: %s - %s\n" % (res, reply))
---------------------------------------------------------

So the last file seems to show errors. What is wrong here?

Many thanks in advance for any help on that. It would be really nice to understand how things should go.

Christian
-- 
Rößner-Network-Solutions
Karl-Bröger-Str. 10, 36304 Alsfeld
Fax: +49 6631 78823409, Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5 
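An added example, not code from the post above and not part of Samba: a Python 3 handler for the record format that syncpasswords feeds to the --script, as shown in the "Output of the Python script" block. It parses one LDIF record from stdin (folded continuation lines and base64 "::" values included), pulls sAMAccountName and virtualCryptSHA512, and turns them into an OpenLDAP "changetype: modify" entry that sets userPassword (or removes it when the record says isDeleted: TRUE). The OpenLDAP base DN ou=People,dc=example,dc=com, the uid=<sAMAccountName> mapping, the output path /var/log/samba/syncpws.ldif and the SAMPLE_RECORD are assumptions constructed for the example; the original post runs Samba's Python 2.7 tooling, whereas this is written for Python 3.

```python
#!/usr/bin/python3
"""Example syncpasswords handler (not Samba's code).

samba-tool runs the --script once per changed object, writes one LDIF record
to its stdin and captures its stdout.  So: read stdin to EOF, print nothing,
exit 0.  Hashes are credentials; they only go to a root-only file here.
"""
import base64
import os
import sys

OPENLDAP_BASE = "ou=People,dc=example,dc=com"        # assumption
OUTPUT = "/var/log/samba/syncpws.ldif"               # assumption

# Constructed sample record in the shape samba-tool emits (not real data).
# It includes a base64 ("::") value and a folded line (leading space).
SAMPLE_RECORD = """dn: CN=alice,CN=Users,DC=example,DC=com
objectGUID: 11111111-2222-3333-4444-555555555555
userAccountControl: 512
pwdLastSet: 132245000000000000
sAMAccountName: alice
userPrincipalName:: YWxpY2VAZXhhbXBsZS5jb20=
virtualCryptSHA512: {CRYPT}$6$rounds=5000$abcdefgh$Q0m6f3zZ1
 9xyz
isDeleted: FALSE
"""


def unfold(text):
    """Join LDIF continuation lines; drop comments and blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_ldif_record(text):
    """Return {attribute: [values]} for one LDIF record ("attr:: b64" decoded)."""
    record = {}
    for line in unfold(text):
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        record.setdefault(name, []).append(value)
    return record


def to_openldap_modify(record):
    """Build an LDIF modify entry for the matching OpenLDAP account.

    Returns None when the record has no account name or no hash to push
    (e.g. an account whose password was never set).  A deleted account gets
    its userPassword removed so it can no longer authenticate there.
    """
    name = record.get("sAMAccountName", [None])[0]
    hashes = record.get("virtualCryptSHA512", [])
    deleted = record.get("isDeleted", ["FALSE"])[0].upper() == "TRUE"
    if name is None or (not deleted and not hashes):
        return None
    lines = ["dn: uid=%s,%s" % (name, OPENLDAP_BASE),
             "changetype: modify",
             "replace: userPassword"]
    if not deleted:
        h = hashes[0]
        if not h.startswith("{CRYPT}"):   # normalise to the form OpenLDAP expects
            h = "{CRYPT}" + h
        lines.append("userPassword: %s" % h)
    lines.append("-")
    return "\n".join(lines) + "\n"


def main():
    record = parse_ldif_record(sys.stdin.read())   # Samba closes stdin after the record
    change = to_openldap_modify(record)
    # Append, never truncate; create root-only since the file holds hashes.
    fd = os.open(OUTPUT, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as out:
        out.write("# %s\n" % record.get("dn", ["?"])[0])
        if change:
            out.write(change + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The written file is a plain LDIF changes file, so the entries can be applied to the OpenLDAP side with ldapmodify once the handler is trusted; until then the script only records what Samba sent, which is what the post sets out to do.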