[Samba] Password synchronization from database

[Bruno Marchioro]

Hello Rowland,

We use LDAP for authentication to various systems and services. Switches,
radius, firewall, ticketing system, linux (PAM) printing service, among
others.

Our problem is that registering users, passwords, resetting passwords and
everything else is centralized in a system that saves it in a SQL database
and not in LDAP or AD as it should be.

We already sync this data, including password, with LDAP without any
problems. But we couldn't find a way to send the already encrypted password
to Samba 4.

We were able to change the password there having the user's real password,
by changing the unicodePwd or the userPassword (turning on the
fUserPwdSupport heuristic). But we were not able to change the userPassword
by sending the password already encrypted like we do with LDAP.

Bruno Rampi Marchioro


Em ter., 19 de abr. de 2022 às 09:03, Rowland Penny via samba <
samba at lists.samba.org> escreveu:

> On Tue, 2022-04-19 at 08:51 -0300, Bruno Marchioro via samba wrote:
> > Hello!
> >
> > We are migrating from Samba 3 to Samba 4 at my institution. We
> > managed to
> > install Samba 4, however, now we need to keep the user's password
> > synchronized with the other systems.
>
> This is one of the things that AD was designed for.
>
> >
> > The problem is that we don't use LDAP or AD as a source of truth for
> > passwords. Users are created and administered in a system that saves
> > the
> > encrypted password in postgres database.
>
> The password in AD is encrypted, but you may be able to use kerberos,
> in which case the password doesn't need to be encrypted.
>
> >
> > We searched several ways, but couldn't find a way to save the already
> > encrypted password in Samba 4's internal LDAP.
>
> What are the other systems ? what packages are you running on them ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>