[Samba] Import of exported unicodePwd does not update Kerberos password

Rowland Penny rpenny at samba.org
Mon Dec 2 15:11:00 UTC 2024


On Mon, 2 Dec 2024 15:48:50 +0100
"Emil.s" <emil at sandnabba.se> wrote:

> > it is supposed to be write-only. You can read the attribute on
> > Samba, but what you get back isn't the password, it is a 64bit hash of
> > the password.
> 
> Ah, right. I guess this is somewhat legacy functionality then?
> 
> > Why would you backup a user ?
> 
> I see many cases where this could be useful:
> * Pre-provisioning of users where we get the user list from a 3rd
> party source.

Use a CSV list

> * Copying of users from one system to another.

Why, again you could use a CSV list, or just leverage AD.

> 
> I guess the root cause here is that the same script seems to be used
> for both importing new accounts (with plaintext passwords), as well as
> restoring previously "exported" users from the system.
> Hence it was convenient to just loop over each user regardless of the
> case.

It wouldn't matter either way if you used a CSV list, set a random
password and set it to be changed at first login.

> 
> > The correct backup is to run multiple DCs.
> 
> Multiple DCs might get redundancy and higher availability, but it's
> not a backup of the data.
> It won't protect against data corruption, accidents, and
> malicious activities.

Well no, but corruption is more likely to be caused by something like
drive failure etc. and this will probably be limited to one machine.

> 
> To give some context we are deploying fully independent systems in
> isolated environments. However some users might have to exist in
> multiple environments (and could previously be "copied" by exporting
> the user + password hash from one system to another).
> In many other systems (like the host Linux OS, SQL databases, etc.)
> the user credentials are just a pair of username and hashed, salted
> password. But I understand if Kerberos and SSO solutions make this
> more complicated.

Sort of thing that AD was written for.

> 
> Anyhow, I guess a full AD backup using `samba-tool domain backup` is
> the way forward here.

It is more domain data backup than 'full AD'.

> 
> I was mostly curious about how things are supposed to work these
> days. The script is many years old and will need a rewrite anyhow.

Samba AD has changed tremendously since the initial 4.0.0 release and
just keeps getting better and better.

Rowland
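
The provisioning approach suggested above (a CSV list, a random password, and a forced change at first login, rather than replaying an exported unicodePwd hash that leaves the Kerberos keys untouched), as an added example that is not from this thread or from Samba's own tooling. It is a POSIX shell script that assumes a constructed CSV with the columns username,givenname,surname,mail, the `samba-tool user create` options `--random-password`, `--must-change-at-next-login`, `--given-name`, `--surname` and `--mail-address`, and a hypothetical DRY_RUN variable that prints the commands instead of running them. The username check exists because the list comes from a third party and each value ends up on a command line.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: provision accounts
# from a CSV list with samba-tool so that every account gets a random
# password that must be changed at first login, instead of importing an
# exported unicodePwd hash. DRY_RUN (hypothetical) defaults to 1 and only
# prints the commands; set DRY_RUN=0 on a DC to run them.
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample input, not a real user list. Format assumed:
# simple CSV, no quoted fields, columns username,givenname,surname,mail.
sample_csv() {
    cat <<'EOF'
username,givenname,surname,mail
alice,Alice,Andersson,alice@example.com
bob,Bob,Bengtsson,bob@example.com
mallory;id,Mallory,Mal,mallory@example.com
EOF
}

# Provision one account. The username must match a strict character set
# because the CSV came from a third party and the value is passed to a
# command; anything else is rejected rather than quoted around.
provision_user() {
    user="$1"; given="$2"; sn="$3"; mail="$4"
    case "$user" in
        ''|*[!A-Za-z0-9._-]*)
            printf 'skipping row with unsafe username: %s\n' "$user" >&2
            return 1 ;;
    esac
    # Build the argument list in "$@": no eval, no re-splitting of fields.
    set -- samba-tool user create "$user" --random-password --must-change-at-next-login
    if [ -n "$given" ]; then set -- "$@" "--given-name=$given"; fi
    if [ -n "$sn" ];    then set -- "$@" "--surname=$sn"; fi
    if [ -n "$mail" ];  then set -- "$@" "--mail-address=$mail"; fi
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"      # show the command that would run
    else
        "$@"                    # this script never captures or logs the password
    fi
}

# Read CSV rows from stdin, drop the header line, provision each row.
# Returns non-zero if any row was rejected or failed.
provision_from_csv() {
    ok=0; failed=0
    IFS= read -r _header
    while IFS=, read -r user given sn mail; do
        mail="${mail%"$(printf '\r')"}"     # tolerate CRLF line endings
        if provision_user "$user" "$given" "$sn" "$mail"; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
        fi
    done
    printf 'provisioned %d, failed %d\n' "$ok" "$failed" >&2
    [ "$failed" -eq 0 ]
}

# Preview:        sample_csv | provision_from_csv
# On a DC:        DRY_RUN=0 provision_from_csv < users.csv
```

In the preview run the first two rows produce samba-tool commands and the third is rejected for its `;`. The generated password is deliberately not recorded by the script; how the first-login password reaches the user is a separate step, and the export/import of password hashes that started this thread is exactly what this avoids.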