
Re: [Samba] Google Cloud Directory Service password synchronization for AD DC




Fabien,

The way that we’ve accomplished this was to ensure that all users have the “Store passwords using reversible encryption” option enabled (which is not optimal) and use a utility called “samba4-gaps.”

Also:
samba-tool domain passwordsettings set --store-plaintext=on

Works perfectly.

https://github.com/baboons/samba4-gaps

Justin

> On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
> I'm trying to have my Samba 4 AD DC users mapped and synchronized with
> google apps for education accounts.
> I would like to start from the native windows password update procedure to
> eventually update the google apps password (actually, I think only some
> types of hashes are stored).
> 
> Google actually provides a tool to synchronize user accounts and profiles
> which works just fine. This tool queries an LDAP directory, extracts
> relevant information and syncs it with google apps.
> It would also synchronize passwords if they were in the LDAP directory.
> Actually, if I manually set a "userPassword" attribute for a user, using
> MD5 hash for example, synchronization works just fine and the google apps
> account gets updated.
> 
> Alas, if I get it right, Samba 4 acting as an AD DC uses its own internal
> LDAP server and also a default Heimdal implementation of Kerberos, also
> included in Samba. Thus, the password (or its hash) doesn't get stored in
> the LDAP directory (correct me if I'm wrong).
> 
> I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP,
> Samba and MIT
> Kerberos passwords at the same time. (Then the password hash would end up in
> the directory, where I could synchronize from). But I guess I can't use it
> for Samba's internal LDAP server.
> 
> I've also investigated how and where Samba stores domain users'
> passwords, but I have difficulty tracking the update procedure... Is
> there somewhere I could "intercept" or "get" the password or a usable hash
> from? Sorry for my poor English, I'm basically speaking French, and hope
> I've made myself clear...
> 
> Thank you
> 
> Fabien Toune
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
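
Both settings in the reply above make passwords recoverable from the directory database, so it is worth auditing where they are enabled. The following is an added example, not part of the original thread or of samba4-gaps; it assumes an LDIF export of the domain head and user objects (for example from ldbsearch), and the sample data is constructed.

```python
import base64

UF_ACCOUNTDISABLE = 0x0002
UF_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080  # "Store password using reversible encryption"
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10  # pwdProperties bit set by --store-plaintext=on

def parse_ldif(text):
    """Yield one dict per LDIF entry (first value of each attribute only)."""
    unfolded = text.replace("\n ", "")  # LDIF folds long lines with a leading space
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name, value.strip())
        if entry:
            yield entry

def audit(text):
    """Return (domain_stores_cleartext, [(account, enabled), ...])."""
    domain_flag, accounts = False, []
    for e in parse_ldif(text):
        if "pwdProperties" in e:
            domain_flag = bool(int(e["pwdProperties"]) & DOMAIN_PASSWORD_STORE_CLEARTEXT)
        if "userAccountControl" in e:
            uac = int(e["userAccountControl"])
            if uac & UF_ENCRYPTED_TEXT_PWD_ALLOWED:
                name = e.get("sAMAccountName", e.get("dn", "?"))
                accounts.append((name, not uac & UF_ACCOUNTDISABLE))
    return domain_flag, accounts

# Constructed sample export: example.com is a placeholder domain.
SAMPLE_LDIF = """\
# domain head
dn: DC=example,DC=com
pwdProperties: 17

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 640

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 512

dn: CN=carol,CN=Users,DC=exam
 ple,DC=com
sAMAccountName:: Y2Fyb2w=
userAccountControl: 642
"""
```

Accounts returned by `audit()` are the ones whose cleartext password can be read back from the DC's database, so the export, the database files and the host running the sync tool all need access control to match.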

