[Samba] Synchronizing user passwords between Samba AD and Google Workspace
Andrew Bartlett
abartlet at samba.org
Fri Apr 8 10:45:12 UTC 2022
On Fri, 2022-04-08 at 11:28 +0200, Sven Schwedas via samba wrote:
> Google offers a Windows® binary to sync Active Directory passwords to
> Google Workspace via their API. Does anyone have a solution for this
> that works with native Samba?
>
> As far as I can see there are two options:
>
> • something something gpg and samba-tool user syncpasswords. Manpages
> tell me this is the preferred solution, but nowhere document how to make
> it work. And it leaks plain text passwords if anyone steals the GPG key,
> which isn't great anyway.
>
> • If I set `password hash userPassword schemes =
> CryptSHA512:rounds=10000`, I can sync the value of
> `supplementalCredentials` directly to the workspace API without having
> the plaintext anywhere, as far as I understand Google's Directory API.
>
> But I can't find any practical examples for either solution. Does anyone
> have experience with either and can weigh in on which would be easier?
>
> ("Why do you need Google synchronisation in the first place?" Politics.
> It's either syncing Samba to GW, or losing all control over our user
> data entirely, so I'd prefer to keep Samba around. Getting rid of Google
> isn't an option currently.)
It won't be the value of supplementalCredentials directly; it is
accessed via the same samba-tool user syncpasswords system, but avoids
the need for the GPG stuff and the plaintext store. As long as you
know what hash you need at password store time, I think the 'password
hash userPassword schemes' approach is better (but then again, that was
my addition).
https://github.com/baboons/samba4-gaps looks like a tool trying to do
the right things.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
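A constructed illustration of the hash-based path the reply recommends, added here and not code from this thread or from samba4-gaps: it parses syncpasswords-style LDIF output, refuses any value that is not the configured CryptSHA512:rounds=10000 scheme, and shapes the rest into a Directory API users.update call. The LDIF attribute layout, the optional {CRYPT} prefix, and the sAMAccountName-to-mail mapping are assumptions.

```python
import base64
import re

# Constructed sample in the LDIF shape `samba-tool user syncpasswords` emits
# (attribute names assumed from samba-tool; the hash is a placeholder, not a real
# credential). Bob's record carries no hash: his password predates the scheme.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: alice
virtualCryptSHA512: {CRYPT}$6$rounds=10000$notrealsaltvalue$""" + "A" * 86 + """

dn: CN=Bob Example,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: bob
"""

# SHA-512 crypt layout: $6$rounds=N$salt(<=16 chars)$hash(86 chars of ./0-9A-Za-z)
CRYPT_SHA512 = re.compile(r"^\$6\$rounds=(\d+)\$([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{86})$")


def parse_ldif_records(text):
    """Split LDIF into dicts; unfold ' '-continued lines; decode '::' base64 values."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in re.sub(r"\n ", "", chunk).splitlines():  # join folded lines
            m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)  # skips '#' comments
            if not m:
                continue
            attr, sep, val = m.groups()
            if sep == "::":
                val = base64.b64decode(val).decode()
            rec.setdefault(attr, []).append(val)
        records.append(rec)
    return records


def to_workspace_update(rec, mail_domain, expected_rounds=10000):
    """Return the Directory API users.update call (userKey + body) for one record."""
    raw = rec.get("virtualCryptSHA512", [None])[0]
    if raw is None:
        return None  # stored before the scheme was enabled: nothing to sync yet
    hashed = raw[len("{CRYPT}"):] if raw.startswith("{CRYPT}") else raw
    m = CRYPT_SHA512.match(hashed)
    if not m or int(m.group(1)) != expected_rounds:
        raise ValueError("not CryptSHA512:rounds=%d output, refusing to sync" % expected_rounds)
    # The crypt string is a Workspace login secret: handle it like the password itself.
    return {"userKey": rec["sAMAccountName"][0] + "@" + mail_domain,
            "body": {"password": hashed, "hashFunction": "crypt"}}
```

Users whose passwords were stored before the setting was enabled come back as None, which is the "at password store time" caveat from the reply: they need a password change before anything can be synced.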