[Samba] Import of exported unicodePwd does not update Kerberos password
Rowland Penny
rpenny at samba.org
Mon Dec 2 15:11:00 UTC 2024
On Mon, 2 Dec 2024 15:48:50 +0100
"Emil.s" <emil at sandnabba.se> wrote:
> > it is supposed to be write-only. You can read the attribute on
> > Samba, but what you get back isn't the password, it is a 64-bit hash of
> > the password.
>
> Ah, right. I guess this is somewhat legacy functionality then?
>
> > Why would you backup a user ?
>
> I see many cases where this could be useful:
> * Pre-provisioning of users where we get the user list from a 3rd
> party source.
Use a CSV list
> * Copying of users from one system to another.
Why? Again, you could use a CSV list, or just leverage AD.
>
> I guess the root cause here is that the same script seems to be used
> for both importing new accounts (with plaintext passwords), as well as
> restoring previously "exported" users from the system.
> Hence it was convenient to just loop over each user regardless of the
> case.
It wouldn't matter either way if you used a CSV list, set a random
password and set it to be changed at first login.
>
> > The correct backup is to run multiple DCs.
>
> Multiple DCs might get redundancy and higher availability, but it's
> not a backup of the data.
> It won't protect against data corruption, accidents, and
> malicious activities.
Well no, but corruption is more likely to be caused by something like
drive failure etc., and this will probably be limited to one machine.
>
> To give some context we are deploying fully independent systems in
> isolated environments. However some users might have to exist in
> multiple environments (and could previously be "copied" by exporting
> the user + password hash from one system to another).
> In many other systems (like the host Linux OS, SQL databases, etc.)
> the user credentials are just a pair of username and hashed, salted
> password. But I understand if Kerberos and SSO solutions make this
> more complicated.
Sort of thing that AD was written for.
>
> Anyhow, I guess a full AD backup using `samba-tool domain backup` is
> the way forward here.
It is more domain data backup than 'full AD'.
>
> I was mostly curious about how things are supposed to work these
> days. The script is many years old and will need a rewrite anyhow.
Samba AD has changed tremendously since the initial 4.0.0 release and
just keeps getting better and better.
Rowland
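The provisioning approach the reply suggests (a CSV list, a random initial password, forced change at first login) as an added shell example; this is not code from the thread or from the Samba project. It assumes `samba-tool` is on PATH on the DC and that the CSV has the columns `username,givenname,surname,mail`; the sample CSV is constructed. Because the initial password is generated on the DC and never leaves it, no password or unicodePwd hash has to be exported from one system and imported into another.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Provisions AD users
# from a CSV list with a random initial password that must be changed at
# first login, so no password material travels between systems.
# Assumptions: samba-tool is on PATH (run on a DC); CSV columns are
# username,givenname,surname,mail. DRY_RUN=1 (default) only prints commands.

DRY_RUN="${DRY_RUN:-1}"

# Render the samba-tool invocation for one user as a single line, for dry
# runs and for reviewing the list before a real run.
render_cmd() {
    # $1 username, $2 given name, $3 surname, $4 mail address
    printf 'samba-tool user create %s --random-password --must-change-at-next-login --given-name=%s --surname=%s --mail-address=%s\n' \
        "$1" "$2" "$3" "$4"
}

# Create one user, or print what would be run in dry-run mode. Values are
# passed to samba-tool as separate arguments, so spaces or shell
# metacharacters in the CSV are never interpreted by the shell.
create_user() {
    if [ "$DRY_RUN" = "1" ]; then
        render_cmd "$1" "$2" "$3" "$4"
    else
        samba-tool user create "$1" --random-password --must-change-at-next-login \
            --given-name="$2" --surname="$3" --mail-address="$4"
    fi
}

# Walk a CSV file (header row skipped, blank lines ignored, Windows line
# endings tolerated) and create each user.
provision_from_csv() {
    tail -n +2 "$1" | tr -d '\r' | while IFS=, read -r user given sur mail; do
        [ -n "$user" ] || continue
        create_user "$user" "$given" "$sur" "$mail"
    done
}

# Count the data rows of a CSV (header skipped, blank lines ignored), so the
# number of accounts created can be checked against the list.
count_users() {
    tail -n +2 "$1" | tr -d '\r' | awk -F, 'NF && $1 != "" {n++} END {print n+0}'
}

# Write a constructed sample CSV (not real accounts) to the given path.
make_sample_csv() {
    cat > "$1" <<'EOF'
username,givenname,surname,mail
alice,Alice,Example,alice@example.com
bob,Bob,Example,bob@example.com

EOF
}
```

Usage on a DC: `make_sample_csv /tmp/users.csv; DRY_RUN=1 . ./provision.sh; provision_from_csv /tmp/users.csv` prints the two commands for review; rerun with `DRY_RUN=0` to create the accounts. `samba-tool` prints each generated password once, so the operator hands it over out of band and the user is forced to replace it at first logon.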