[Samba] Try to understand samba-tool user getpassword/syncpasswords

Christian Rößner lists at mlserv.org
Wed Jan 29 11:00:50 UTC 2020


Hi,

> Am 28.01.2020 um 20:07 schrieb Rowland penny via samba <samba at lists.samba.org>:
> 
> On 28/01/2020 18:37, Christian Rößner via samba wrote:
>> Hello,
>> 
>> this is my first post here. I am running a Samba AD 4.9.5 from Debian Buster (10). I have added the following line to my config:
>> 
>> ---------------------------------------------------------
>> password hash userPassword schemes = CryptSHA512
>> ---------------------------------------------------------
>> 
>> That works perfectly. By setting/changing the password of a user, an SSHA-512 is generated. I need this for an external OpenLDAP server, which also uses exactly that hash algorithm.
>> 
>> Now my question is how exactly syncpasswords works. I followed the text given by --help and initialized a cache with certain attributes, giving it a Python script. But it seems my script is not correct at the moment, as I only saw some records concerning the Guest account in AD.
>> 
>> Can somebody give me more detail on how the script must be made? My thinking is that I run in an endless loop reading from stdin and whenever data comes in, I parse it and do some work.
>> 
>> ---------------------------------------------------------
>> #!/usr/bin/python2.7
>> 
>> import os
>> import sys
>> 
>> fd_out = open("/var/log/samba/syncpws.out", "w")
>> 
>> def main():
>> 	while True:
>> 		line = sys.stdin.readline()
>> 		if line == "":
>> 			break
>> 		fd_out.write(line)
>> 
>> if __name__ == "__main__":
>> 	main()
>> 
>> sys.exit(os.EX_OK)
>> ---------------------------------------------------------
>> 
>> Of course I first want to collect information about what Samba is sending. Therefore the script is just the beginning. But it does not work. So here is what happens:
>> 
>> ---------------------------------------------------------
>> root at dc1 ~ # samba-tool user syncpasswords --cache-ldb-initialize --attributes=objectGUID,objectSID,sAMAccountName,userPrincipalName,userAccountControl,pwdLastSet,msDS-KeyVersionNumber,virtualCryptSHA512 --script=/usr/local/bin/syncpws.py
>> Connecting to 'ldapi:///var/lib/samba/private/ldap_priv/ldapi'
>> Initialized cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
>> dn: KEY=USERSYNCPASSWORDS
>> objectClass: userSyncPasswords
>> samdbUrl: ldapi:///var/lib/samba/private/ldap_priv/ldapi
>> dirsyncFilter: (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:
>>  =512)(!(sAMAccountName=krbtgt*)))
>> dirsyncAttribute: unicodePwd
>> dirsyncAttribute: dBCSPwd
>> dirsyncAttribute: supplementalCredentials
>> dirsyncAttribute: pwdLastSet
>> dirsyncAttribute: sAMAccountName
>> dirsyncAttribute: userPrincipalName
>> dirsyncAttribute: userAccountControl
>> dirsyncAttribute: isDeleted
>> dirsyncAttribute: isRecycled
>> dirsyncControl: dirsync:1:0:0
>> passwordAttribute: objectGUID
>> passwordAttribute: objectSID
>> passwordAttribute: sAMAccountName
>> passwordAttribute: userPrincipalName
>> passwordAttribute: userAccountControl
>> passwordAttribute: pwdLastSet
>> passwordAttribute: msDS-KeyVersionNumber
>> passwordAttribute: virtualCryptSHA512
>> passwordAttribute: isDeleted
>> passwordAttribute: isRecycled
>> decryptSambaGPG: FALSE
>> syncCommand: /usr/local/bin/syncpws.py
>> currentTime: 20200128183012.0Z
>> ---------------------------------------------------------
>> 
>> Next:
>> ---------------------------------------------------------
>> root at dc1 ~ # samba-tool user syncpasswords --logfile=/var/log/samba/syncpasswords.log --daemon
>> Using logfile[/var/log/samba/syncpasswords.log]
>> ---------------------------------------------------------
>> 
>> Output of the Python-script:
>> ---------------------------------------------------------
>> dn: CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
>> objectGUID: bfccee18-25f6-450b-83e7-d0383d1381d4
>> userAccountControl: 66082
>> pwdLastSet: 0
>> objectSid: S-1-5-21-3425388511-3413835514-1604983467-501
>> sAMAccountName: Guest
>> msDS-KeyVersionNumber: 1
>> ---------------------------------------------------------
>> 
>> The log file from Samba:
>> ---------------------------------------------------------
>> Tue Jan 28 19:31:09 2020: pid[4920]: Attached to logfile[/var/log/samba/syncpasswords.log]
>> Tue Jan 28 19:31:09 2020: pid[4920]: Using cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
>> Tue Jan 28 19:31:09 2020: pid[4922]: Daemonized as pid 4922 (from 4920)
>> Tue Jan 28 19:31:09 2020: pid[4922]: Using cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
>> Tue Jan 28 19:31:09 2020: pid[4922]: currentPid: 4922
>> Tue Jan 28 19:31:09 2020: pid[4922]: Wait before connect - sleep(1)
>> Tue Jan 28 19:31:10 2020: pid[4922]: Connecting to 'ldapi:///var/lib/samba/private/ldap_priv/ldapi'
>> Tue Jan 28 19:31:10 2020: pid[4922]: Resuming monitoring
>> dirsyncFilter: (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(sAMAccountName=krbtgt*)))
>> dirsyncControls: ['dirsync:1:0:0', 'extended_dn:1:0']
>> syncCommand: /usr/local/bin/syncpws.py
>> Tue Jan 28 19:31:10 2020: pid[4922]: dirsync_loop(): results 10
>> Tue Jan 28 19:31:10 2020: pid[4922]: # Dirsync[0] bfccee18-25f6-450b-83e7-d0383d1381d4 S-1-5-21-3425388511-3413835514-1604983467-501
>> dn: <GUID=bfccee18-25f6-450b-83e7-d0383d1381d4>;<SID=S-1-5-21-3425388511-3413835514-1604983467-501>;CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
>> sAMAccountName: Guest
>> pwdLastSet: 0
>> userAccountControl: 66082
>> objectGUID: bfccee18-25f6-450b-83e7-d0383d1381d4
>> instanceType: 4
>> 
>> Tue Jan 28 19:31:10 2020: pid[4922]: # Passwords[0] bfccee18-25f6-450b-83e7-d0383d1381d4 S-1-5-21-3425388511-3413835514-1604983467-501
>> # attrs=['dn', 'msDS-KeyVersionNumber', 'objectGUID', 'objectSid', 'pwdLastSet', 'sAMAccountName', 'userAccountControl']
>> Tue Jan 28 19:31:10 2020: pid[4922]: Call Popen[/usr/local/bin/syncpws.py] for CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
>> Tue Jan 28 19:31:10 2020: pid[4922]:
>> Tue Jan 28 19:31:10 2020: pid[4922]: RESULT: 0
>> ERROR(exception): uncaught exception - ERROR: 0 -
>> 
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2351, in run
>>     sync_loop(wait)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2240, in sync_loop
>>     dirsync_loop()
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2217, in dirsync_loop
>>     handle_object(ri, r)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2027, in handle_object
>>     run_sync_command(obj.dn, ldif)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 1996, in run_sync_command
>>     raise Exception("ERROR: %s - %s\n" % (res, reply))
>> ---------------------------------------------------------
>> 
>> So the last file seems to show errors. What is wrong here?
>> 
>> Many thanks in advance for any help on that. It would be really nice to understand how things should go.
>> 
>> Christian
> 
> Try reading this:
> 
> https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

first of all thanks for the reply. I followed this guide and modified the Python script a little bit to be Python 3.7 compatible, with other little improvements for my setup. Unfortunately it does not succeed.

I have created the GPG key and added the key id to the smb.conf. After that I restarted Samba and reset a user password. After looking in the logs I noticed that the secrets are not given to the script.

I fear that comes from the fact that this installation was not a fresh installation. It already has users and the setup was created initially without a GPG key. Therefore there exists that secret key from Samba itself:

encrypted_secrets.key

under /var/lib/samba/private.

Are there any chances to get things working in an already existing environment?

If I call samba-tool user getpassword manually, I can see that the virtualCryptSHA512 is returned. So I wonder why this field is not sent through the syncpasswords command?

Any help is welcome. Thanks a lot.

Christian
-- 
Rößner-Network-Solutions
Karl-Bröger-Str. 10, 36304 Alsfeld
Fax: +49 6631 78823409, Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5 
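As an added example (not the thread's script and not Samba's own code), a Python 3 sync script written the way samba-tool's run_sync_command() expects: it reads one LDIF record from stdin and answers "DONE-EXIT: " on stdout, which is the reply the quoted script never prints and the reason run_sync_command() raises "ERROR: 0 - " in the traceback above. The log path is assumed from the thread, and the OpenLDAP update itself is left to the caller of handle_record().

```python
#!/usr/bin/env python3
# Added example, not the thread's script: a target for `samba-tool user
# syncpasswords --script=...`. samba-tool pipes one LDIF record per changed
# user into stdin and treats the call as successful only if stdout starts
# with "DONE-EXIT: "; an empty reply raises "ERROR: 0 - " as in the traceback.
import base64
import sys

LOGFILE = "/var/log/samba/syncpws.out"   # assumed path, taken from the thread

def parse_ldif(text):
    """Parse one LDIF record into {attr: [values]}; unfolds continuation
    lines (leading space) and decodes base64 values ('attr:: ...')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]                # join folded line
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    record = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        if value.startswith(":"):                  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        record.setdefault(attr, []).append(value.strip())
    return record

def handle_record(record):
    """Return (action, guid, name, hash); the hash goes to the OpenLDAP
    update (the thread's goal) and must never be written to the log."""
    guid = record.get("objectGUID", ["?"])[0]
    name = record.get("sAMAccountName", ["?"])[0]
    if record.get("isDeleted", ["FALSE"])[0].upper() == "TRUE":
        return ("delete", guid, name, None)
    hashes = record.get("virtualCryptSHA512")
    if not hashes:                  # e.g. Guest above: pwdLastSet 0, no hash
        return ("skip", guid, name, None)
    return ("update", guid, name, hashes[0])

def main():
    action, guid, name, _ = handle_record(parse_ldif(sys.stdin.read()))
    with open(LOGFILE, "a") as log:
        log.write("%s %s %s\n" % (action, guid, name))
    sys.stdout.write("DONE-EXIT: \n")              # the reply samba-tool checks

if __name__ == "__main__":
    main()
```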
