[Samba] Try to understand samba-tool user getpassword/syncpasswords

Rowland penny rpenny at samba.org
Wed Jan 29 11:20:57 UTC 2020


On 29/01/2020 11:00, Christian Rößner via samba wrote:
> Hi,
>
>> Am 28.01.2020 um 20:07 schrieb Rowland penny via samba <samba at lists.samba.org>:
>>
>> On 28/01/2020 18:37, Christian Rößner via samba wrote:
>>> Hello,
>>>
>>> this is my first post here. I am running a Samba AD 4.9.5 from Debian Buster (10). I have added the following line to my config:
>>>
>>> ---------------------------------------------------------
>>> password hash userPassword schemes = CryptSHA512
>>> ---------------------------------------------------------
>>>
>>> That works perfectly. By setting/changing the password of a user, an SSHA-512 is generated. I need this for an external OpenLDAP server, which also uses exactly that hash algorithm.
>>>
>>> Now my question is how exactly syncpasswords works. I followed the text given by --help and initialized a cache with certain attributes and gave it a Python script. But it seems my script is not correct at the moment, as I only saw some records concerning the Guest account in AD.
>>>
>>> Can somebody give me more detail on how the script must be made? My thinking is that I run in an endless loop reading from stdin and whenever data comes in, I parse it and do some work.
>>>
>>> ---------------------------------------------------------
>>> #!/usr/bin/python2.7
>>>
>>> import os
>>> import sys
>>>
>>> # Append mode, so every invocation (one per changed object) keeps its record
>>> fd_out = open("/var/log/samba/syncpws.out", "a")
>>>
>>> def main():
>>>     # samba-tool pipes one LDIF record into stdin and then closes the pipe,
>>>     # so readline() returns "" once everything has been delivered.
>>>     while True:
>>>         line = sys.stdin.readline()
>>>         if line == "":
>>>             break
>>>         fd_out.write(line)
>>>     fd_out.flush()
>>>     # samba-tool's run_sync_command (see the traceback) treats the call as
>>>     # failed unless the script's stdout starts with "DONE-EXIT: ".
>>>     sys.stdout.write("DONE-EXIT: logged\n")
>>>
>>> if __name__ == "__main__":
>>>     main()
>>>     sys.exit(os.EX_OK)
>>> ---------------------------------------------------------
>>>
>>> Of course I first want to collect information about what Samba is sending. Therefore the script is just the beginning. But it does not work. So here is what happens:
>>>
>>> ---------------------------------------------------------
>>> root at dc1 ~ # samba-tool user syncpasswords --cache-ldb-initialize --attributes=objectGUID,objectSID,sAMAccountName,userPrincipalName,userAccountControl,pwdLastSet,msDS-KeyVersionNumber,virtualCryptSHA512 --script=/usr/local/bin/syncpws.py
>>> Connecting to 'ldapi:///var/lib/samba/private/ldap_priv/ldapi'
>>> Initialized cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
>>> dn: KEY=USERSYNCPASSWORDS
>>> objectClass: userSyncPasswords
>>> samdbUrl: ldapi:///var/lib/samba/private/ldap_priv/ldapi
>>> dirsyncFilter: (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:
>>>   =512)(!(sAMAccountName=krbtgt*)))
>>> dirsyncAttribute: unicodePwd
>>> dirsyncAttribute: dBCSPwd
>>> dirsyncAttribute: supplementalCredentials
>>> dirsyncAttribute: pwdLastSet
>>> dirsyncAttribute: sAMAccountName
>>> dirsyncAttribute: userPrincipalName
>>> dirsyncAttribute: userAccountControl
>>> dirsyncAttribute: isDeleted
>>> dirsyncAttribute: isRecycled
>>> dirsyncControl: dirsync:1:0:0
>>> passwordAttribute: objectGUID
>>> passwordAttribute: objectSID
>>> passwordAttribute: sAMAccountName
>>> passwordAttribute: userPrincipalName
>>> passwordAttribute: userAccountControl
>>> passwordAttribute: pwdLastSet
>>> passwordAttribute: msDS-KeyVersionNumber
>>> passwordAttribute: virtualCryptSHA512
>>> passwordAttribute: isDeleted
>>> passwordAttribute: isRecycled
>>> decryptSambaGPG: FALSE
>>> syncCommand: /usr/local/bin/syncpws.py
>>> currentTime: 20200128183012.0Z
>>> ---------------------------------------------------------
>>>
>>> Next:
>>> ---------------------------------------------------------
>>> root at dc1 ~ # samba-tool user syncpasswords --logfile=/var/log/samba/syncpasswords.log --daemon
>>> Using logfile[/var/log/samba/syncpasswords.log]
>>> ---------------------------------------------------------
>>>
>>> Output of the Python-script:
>>> ---------------------------------------------------------
>>> dn: CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
>>> objectGUID: bfccee18-25f6-450b-83e7-d0383d1381d4
>>> userAccountControl: 66082
>>> pwdLastSet: 0
>>> objectSid: S-1-5-21-3425388511-3413835514-1604983467-501
>>> sAMAccountName: Guest
>>> msDS-KeyVersionNumber: 1
>>> ---------------------------------------------------------
>>>
>>> The log file from Samba:
>>> ---------------------------------------------------------
>>> Tue Jan 28 19:31:09 2020: pid[4920]: Attached to logfile[/var/log/samba/syncpasswords.log]
>>> Tue Jan 28 19:31:09 2020: pid[4920]: Using cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
>>> Tue Jan 28 19:31:09 2020: pid[4922]: Daemonized as pid 4922 (from 4920)
>>> Tue Jan 28 19:31:09 2020: pid[4922]: Using cache_ldb[/var/lib/samba/private/user-syncpasswords-cache.ldb]
>>> Tue Jan 28 19:31:09 2020: pid[4922]: currentPid: 4922
>>> Tue Jan 28 19:31:09 2020: pid[4922]: Wait before connect - sleep(1)
>>> Tue Jan 28 19:31:10 2020: pid[4922]: Connecting to 'ldapi:///var/lib/samba/private/ldap_priv/ldapi'
>>> Tue Jan 28 19:31:10 2020: pid[4922]: Resuming monitoring
>>> dirsyncFilter: (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(sAMAccountName=krbtgt*)))
>>> dirsyncControls: ['dirsync:1:0:0', 'extended_dn:1:0']
>>> syncCommand: /usr/local/bin/syncpws.py
>>> Tue Jan 28 19:31:10 2020: pid[4922]: dirsync_loop(): results 10
>>> Tue Jan 28 19:31:10 2020: pid[4922]: # Dirsync[0] bfccee18-25f6-450b-83e7-d0383d1381d4 S-1-5-21-3425388511-3413835514-1604983467-501
>>> dn: <GUID=bfccee18-25f6-450b-83e7-d0383d1381d4>;<SID=S-1-5-21-3425388511-3413835514-1604983467-501>;CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
>>> sAMAccountName: Guest
>>> pwdLastSet: 0
>>> userAccountControl: 66082
>>> objectGUID: bfccee18-25f6-450b-83e7-d0383d1381d4
>>> instanceType: 4
>>>
>>> Tue Jan 28 19:31:10 2020: pid[4922]: # Passwords[0] bfccee18-25f6-450b-83e7-d0383d1381d4 S-1-5-21-3425388511-3413835514-1604983467-501
>>> # attrs=['dn', 'msDS-KeyVersionNumber', 'objectGUID', 'objectSid', 'pwdLastSet', 'sAMAccountName', 'userAccountControl']
>>> Tue Jan 28 19:31:10 2020: pid[4922]: Call Popen[/usr/local/bin/syncpws.py] for CN=Guest,CN=Users,DC=kanzlei,DC=ra-roessner-merle,DC=de
>>> Tue Jan 28 19:31:10 2020: pid[4922]:
>>> Tue Jan 28 19:31:10 2020: pid[4922]: RESULT: 0
>>> ERROR(exception): uncaught exception - ERROR: 0 -
>>>
>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
>>>      return self.run(*args, **kwargs)
>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2351, in run
>>>      sync_loop(wait)
>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2240, in sync_loop
>>>      dirsync_loop()
>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2217, in dirsync_loop
>>>      handle_object(ri, r)
>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 2027, in handle_object
>>>      run_sync_command(obj.dn, ldif)
>>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 1996, in run_sync_command
>>>      raise Exception("ERROR: %s - %s\n" % (res, reply))
>>> ---------------------------------------------------------
>>>
>>> So the last file seems to show errors. What is wrong here?
>>>
>>> Many thanks in advance for any help on that. It would be really nice to understand how things should go.
>>>
>>> Christian
>> Try reading this:
>>
>> https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
> first of all thanks for the reply. I followed this guide and modified the Python script a little bit to be Python 3.7 compatible and made other little improvements for my setup. Unfortunately it does not succeed.
>
> I have created the GPG key and added the key id to the smb.conf. After that I restarted Samba and reset a user password. After looking in the logs I noticed that the secrets are not given to the script.
>
> I fear that comes from the fact that this installation was not a fresh installation. It already has users and the setup was created initially without a GPG key. Therefore there exists that secret key from Samba itself:
>
> encrypted_secrets.key
>
> under /var/lib/samba/private.
>
> Are there any chances to get things working in an already existing environment?
I thought that was one of the requirements, an existing domain.
>
> If I call samba-tool user getpassword manually, I can see that the virtualCryptSHA512 is returned. So I wonder why this field is not sent through the syncpasswords command?

The script I pointed you to belongs to Tranquil IT, so perhaps Denis Cardon could comment here.

Rowland
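As an added example (not code from the thread, from Tranquil IT or from Samba), here is the contract the traceback implies: samba-tool pipes one LDIF record per changed user into the script's stdin and only counts the run as successful when the script's stdout starts with "DONE-EXIT: ". The script below parses that record, decides whether the entry should be pushed to OpenLDAP and sends the required reply; the sample LDIF, the `{CRYPT}` prefix handling and the disabled/deleted checks are assumptions, and the actual OpenLDAP write is left as a comment.

```python
# Added example, not code from the thread: parse the one-record LDIF that
# samba-tool user syncpasswords pipes to --script, derive the OpenLDAP change,
# and answer with the "DONE-EXIT: " line that samba-tool requires on stdout.
import base64
import sys
# Constructed sample (shape follows the thread's script output); the folded
# dn and the base64 ('::') value exercise both LDIF quirks the parser handles.
SAMPLE_LDIF = """dn: CN=example user,CN=Users,DC=example,
 DC=test
sAMAccountName:: ZXhhbXBsZS51c2Vy
userAccountControl: 512
virtualCryptSHA512: {CRYPT}$6$placeholdersalt$placeholderhash
isDeleted: FALSE
"""
def parse_ldif_record(text):
    """Return {attr: [values]}; joins folded lines, decodes '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # continuation of previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    record = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        record.setdefault(name, []).append(value.strip())
    return record

def openldap_change(record):
    """OpenLDAP modification for this entry, or None when nothing should be
    synced: tombstone, disabled account (UAC bit 0x2) or no hash available."""
    uac = int(record.get("userAccountControl", ["0"])[0])
    if (record.get("isDeleted", ["FALSE"])[0].upper() == "TRUE" or uac & 0x2
            or not record.get("virtualCryptSHA512")):
        return None
    h = record["virtualCryptSHA512"][0]
    pw = h if h.startswith("{CRYPT}") else "{CRYPT}" + h   # assumption: OpenLDAP {CRYPT} scheme
    return {"uid": record["sAMAccountName"][0], "userPassword": pw}

def main():
    change = openldap_change(parse_ldif_record(sys.stdin.read()))
    # apply `change` to OpenLDAP here (e.g. python-ldap modify_s), then reply:
    sys.stdout.write("DONE-EXIT: %s\n" % ("synced" if change else "skipped"))

if __name__ == "__main__":
    main()
```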