[Samba] Try to understand samba-tool user getpassword/syncpasswords

Rowland penny rpenny at samba.org
Tue Jan 28 19:07:57 UTC 2020


On 28/01/2020 18:37, Christian Rößner via samba wrote:
> Hello,
>
> this is my first post here. I am running a Samba AD 4.9.5 from Debian Buster (10). I have added the following line to my config:
>
> ---------------------------------------------------------
> password hash userPassword schemes = CryptSHA512
> ---------------------------------------------------------
>
> That works perfectly. By setting/changing the password of a user, an SSHA-512 is generated. I need this for an external OpenLDAP server, which also uses exactly that hash algorithm.
>
> Now my question is how exactly syncpasswords works. I followed the text given by --help and initialized a cache with certain attributes giving a Python script. But it seems my script is not correct at the moment, as I only saw some records concerning the Guest account in AD.
>
> Can somebody give me more detail on how the script must be made? My thinking is that I run in an endless loop reading from stdin and whenever data comes in, I parse it and do some work.
>
> ---------------------------------------------------------
> #!/usr/bin/python2.7
>
> import os
> import sys
>
> # Append rather than overwrite: samba-tool starts this script once per
> # object, so mode "w" would leave only the last object's LDIF in the file.
> fd_out = open("/var/log/samba/syncpws.out", "a")
>
> def main():
> 	# samba-tool writes one LDIF record to stdin and then closes it,
> 	# so readline() returns "" at EOF and the loop ends.
> 	while True:
> 		line = sys.stdin.readline()
> 		if line == "":
> 			break
> 		fd_out.write(line)
> 	fd_out.close()
>
> if __name__ == "__main__":
> 	main()
>
> sys.exit(os.EX_OK)
> ---------------------------------------------------------
>
> Of course I first want to collect information about what Samba is sending. Therefore, the script is just the beginning. But it does not work. So here is what happens:
>
> ---------------------------------------------------------
> root at dc1 ~ # samba-tool user syncpasswords --cache-ldb-initialize --attributes=objectGUID,objectSID,sAMAccountName,userPrincipalName,userAccountControl,pwdLastSet,msDS-KeyVersionNumber,virtualCryptSHA512 --script=/usr/local/bin/syncpws.py
> Connecting to 'ldapi:///var/lib/samba/private/ldap_priv/ldapi'
> Initialized cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
> dn: KEY=USERSYNCPASSWORDS
> objectClass: userSyncPasswords
> samdbUrl: ldapi:///var/lib/samba/private/ldap_priv/ldapi
> dirsyncFilter: (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:
>   =512)(!(sAMAccountName=krbtgt*)))
> dirsyncAttribute: unicodePwd
> dirsyncAttribute: dBCSPwd
> dirsyncAttribute: supplementalCredentials
> dirsyncAttribute: pwdLastSet
> dirsyncAttribute: sAMAccountName
> dirsyncAttribute: userPrincipalName
> dirsyncAttribute: userAccountControl
> dirsyncAttribute: isDeleted
> dirsyncAttribute: isRecycled
> dirsyncControl: dirsync:1:0:0
> passwordAttribute: objectGUID
> passwordAttribute: objectSID
> passwordAttribute: sAMAccountName
> passwordAttribute: userPrincipalName
> passwordAttribute: userAccountControl
> passwordAttribute: pwdLastSet
> passwordAttribute: msDS-KeyVersionNumber
> passwordAttribute: virtualCryptSHA512
> passwordAttribute: isDeleted
> passwordAttribute: isRecycled
> decryptSambaGPG: FALSE
> syncCommand: /usr/local/bin/syncpws.py
> currentTime: 20200128183012.0Z
> ---------------------------------------------------------
>
> Next:
> ---------------------------------------------------------
> root at dc1 ~ # samba-tool user syncpasswords --logfile=/var/log/samba/syncpasswords.log --daemon
> Using logfile[/var/log/samba/syncpasswords.log]
> ---------------------------------------------------------
>
> Output of the Python-script:
> ---------------------------------------------------------
> dn: CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
> objectGUID: bfccee18-25f6-450b-83e7-d0383d1381d4
> userAccountControl: 66082
> pwdLastSet: 0
> objectSid: S-1-5-21-3425388511-3413835514-1604983467-501
> sAMAccountName: Guest
> msDS-KeyVersionNumber: 1
> ---------------------------------------------------------
>
> The log file from Samba:
> ---------------------------------------------------------
> Tue Jan 28 19:31:09 2020: pid[4920]: Attached to logfile[/var/log/samba/syncpasswords.log]
> Tue Jan 28 19:31:09 2020: pid[4920]: Using cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
> Tue Jan 28 19:31:09 2020: pid[4922]: Daemonized as pid 4922 (from 4920)
> Tue Jan 28 19:31:09 2020: pid[4922]: Using cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
> Tue Jan 28 19:31:09 2020: pid[4922]: currentPid: 4922
> Tue Jan 28 19:31:09 2020: pid[4922]: Wait before connect - sleep(1)
> Tue Jan 28 19:31:10 2020: pid[4922]: Connecting to 'ldapi:///var/lib/samba/private/ldap_priv/ldapi'
> Tue Jan 28 19:31:10 2020: pid[4922]: Resuming monitoring
> dirsyncFilter: (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(sAMAccountName=krbtgt*)))
> dirsyncControls: ['dirsync:1:0:0', 'extended_dn:1:0']
> syncCommand: /usr/local/bin/syncpws.py
> Tue Jan 28 19:31:10 2020: pid[4922]: dirsync_loop(): results 10
> Tue Jan 28 19:31:10 2020: pid[4922]: # Dirsync[0] bfccee18-25f6-450b-83e7-d0383d1381d4 S-1-5-21-3425388511-3413835514-1604983467-501
> dn: <GUID=bfccee18-25f6-450b-83e7-d0383d1381d4>;<SID=S-1-5-21-3425388511-3413835514-1604983467-501>;CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
> sAMAccountName: Guest
> pwdLastSet: 0
> userAccountControl: 66082
> objectGUID: bfccee18-25f6-450b-83e7-d0383d1381d4
> instanceType: 4
>
> Tue Jan 28 19:31:10 2020: pid[4922]: # Passwords[0] bfccee18-25f6-450b-83e7-d0383d1381d4 S-1-5-21-3425388511-3413835514-1604983467-501
> # attrs=['dn', 'msDS-KeyVersionNumber', 'objectGUID', 'objectSid', 'pwdLastSet', 'sAMAccountName', 'userAccountControl']
> Tue Jan 28 19:31:10 2020: pid[4922]: Call Popen[/usr/local/bin/syncpws.py] for CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
> Tue Jan 28 19:31:10 2020: pid[4922]:
> Tue Jan 28 19:31:10 2020: pid[4922]: RESULT: 0
> ERROR(exception): uncaught exception - ERROR: 0 -
>
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2351, in run
>      sync_loop(wait)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2240, in sync_loop
>      dirsync_loop()
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2217, in dirsync_loop
>      handle_object(ri, r)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2027, in handle_object
>      run_sync_command(obj.dn, ldif)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 1996, in run_sync_command
>      raise Exception("ERROR: %s - %s\n" % (res, reply))
> ---------------------------------------------------------
>
> So the last file seems to show errors. What is wrong here?
>
> Many thanks in advance for any help on that. It would be really nice to understand how things should go.
>
> Christian

Try reading this:

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

Rowland
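The traceback quoted above ends in run_sync_command, which raises unless the script's reply on stdout begins with "DONE-EXIT: "; the quoted script prints nothing, so the daemon logs an empty reply, RESULT: 0 and aborts after the first object. As an added example (not from the thread, the linked wiki or Samba itself), a minimal Python 3 sync script that parses the LDIF samba-tool pipes in, handles base64 and folded lines, and acknowledges each object; the actual push to OpenLDAP is left as a placeholder comment:

```python
#!/usr/bin/env python3
# Hypothetical --script for 'samba-tool user syncpasswords' (not Samba code):
# samba-tool pipes one LDIF record per object to stdin and, as run_sync_command
# in the traceback shows, raises unless stdout starts with "DONE-EXIT: ".
import base64
import sys

# Constructed sample: the Guest record from the thread plus a folded base64 line.
SAMPLE_LDIF = """dn: CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
objectGUID: bfccee18-25f6-450b-83e7-d0383d1381d4
pwdLastSet: 0
objectSid: S-1-5-21-3425388511-3413835514-1604983467-501
sAMAccountName: Guest
description:: R3Vlc3QgYWNj
 b3VudA==
"""

def parse_ldif(text):
    """Parse one LDIF record into {attr: [values]} (folded lines, base64 values)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:          # folded continuation line
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    record = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        if value.startswith(":"):                      # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        record.setdefault(attr, []).append(value)
    return record

def handle_record(record):
    """Return the reply samba-tool expects; only 'DONE-EXIT: ' counts as success."""
    name = record.get("sAMAccountName", ["<unknown>"])[0]
    if record.get("isDeleted", ["FALSE"])[0] == "TRUE":
        return "DONE-EXIT: ignored deleted object %s" % name
    if not record.get("virtualCryptSHA512"):
        # No hash to forward (e.g. Guest, pwdLastSet: 0): acknowledge, don't abort.
        return "DONE-EXIT: nothing to sync for %s" % name
    # Here the {CRYPT} hash would go to the external directory; never log it.
    return "DONE-EXIT: synced %s" % name

if __name__ == "__main__":
    rec = parse_ldif(sys.stdin.read())   # samba-tool closes stdin after the record
    print(handle_record(rec), flush=True)
```

Because samba-tool runs the script once per object, any file it keeps must be opened in append mode, and the virtualCryptSHA512 value should be treated as a password-equivalent secret rather than written to a world-readable log.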