[Samba] Synchronizing user passwords between Samba AD and Google Workspace

Thomas Kamalakis thkam at hua.gr
Mon Apr 11 18:26:57 UTC 2022

Another approach could be to have a central point where the password is
changed and then you can propagate the right hash to whatever backend you

Self service password https://github.com/ltb-project/self-service-password
can take care of the AD and you can use a posthook script to send the has h
to Google.


On Fri, 8 Apr 2022, 13:47 Andrew Bartlett via samba, <samba at lists.samba.org>

> On Fri, 2022-04-08 at 11:28 +0200, Sven Schwedas via samba wrote:
> > Google offers a Windows® binary to sync Active Directory passwords to
> > Google Workspace via their API. Does anyone have a solution for this
> > that works with native Samba?
> >
> > As far as I can see there's two options:
> >
> > • something something gpg and samba-tool user syncpasswords. Manpages
> > tell me this is the preferred solution, but nowhere document how to make
> > it work. And it leaks plain text passwords if anyone steals the GPG key,
> > which isn't great anyway.
> >
> > • If I set `password hash userPassword schemes =
> > CryptSHA512:rounds=10000`, I can sync the value of
> > `supplementalCredentials` directly to the workspace API without having
> > the plaintext anywhere, as far as I understand Google's Directory API.
> >
> > But I can't find any practical examples for either solution. Does anyone
> > have experience with either and can weigh in on which would be easier?
> >
> > ("Why do you need Google synchronisation in the first place?" Politics.
> > It's either syncing Samba to GW, or losing all control over our user
> > data entirely, so I'd prefer to keep Samba around. Getting rid of Google
> > isn't an option currently.)
> It won't be the value of supplementalCredentials directly, it is
> accessed via the same samba-tool user syncpasswords system, but avoids
> the need for the GPG stuff and the plaintext store.  As long as you
> know what hash you need at password store time, I think the 'password
> hash userPassword schemes' approach is better (but then again, that was
> my addition).
> https://github.com/baboons/samba4-gaps looks like a tool trying to do
> the right things.
> Andrew Bartlett
> --
> Andrew Bartlett (he/him)        https://samba.org/~abartlet/
> Samba Team Member (since 2001)  https://samba.org
> Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list