[Samba] Synchronizing user passwords between Samba AD and Google Workspace

Sven Schwedas sven.schwedas at tao.at
Fri Apr 8 09:28:55 UTC 2022

Google offers a Windows® binary to sync Active Directory passwords to 
Google Workspace via their API. Does anyone have a solution for this 
that works with native Samba?

As far as I can see there's two options:

• something something gpg and samba-tool user syncpasswords. Manpages 
tell me this is the preferred solution, but nowhere document how to make 
it work. And it leaks plain text passwords if anyone steals the GPG key, 
which isn't great anyway.

• If I set `password hash userPassword schemes = 
CryptSHA512:rounds=10000`, I can sync the value of 
`supplementalCredentials` directly to the workspace API without having 
the plaintext anywhere, as far as I understand Google's Directory API.

But I can't find any practical examples for either solution. Does anyone 
have experience with either and can weigh in on which would be easier?

("Why do you need Google synchronisation in the first place?" Politics. 
It's either syncing Samba to GW, or losing all control over our user 
data entirely, so I'd prefer to keep Samba around. Getting rid of Google 
isn't an option currently.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20220408/3dda573b/OpenPGP_signature.sig>

More information about the samba mailing list