Re: [Samba] Google Cloud Directory Service password synchronization for AD DC
- Date: Thu, 22 Mar 2018 23:39:20 +0100
- From: Lapin Blanc via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Google Cloud Directory Service password synchronization for AD DC
Thank you very much for this help. I'll dig deeper into your suggestion.
I'm new to samba, trying to catch up as fast as I can ;-)
As Google only accepts plain text, Base64, MD5 or SHA1, I'll probably look
for OpenLDAP-type hashes.
I'll read as much Samba documentation as I can and dig for technical information on
how to get there.
2018-03-22 21:55 GMT+01:00 Garming Sam <garming@xxxxxxxxxxxxxxx>:
> If you look at both:
> samba-tool user getpassword --help
> samba-tool user syncpasswords --help
> You may be able to find the information that you're looking for. Samba
> does store all the hashes in the LDAP directory, but you have to
> normally access them directly from the system (not over LDAP). You
> should also note that our Kerberos server reads and updates the password
> stored in the directory. You can access the standard unicodePwd with the
> NTHASH, but we also additionally generate a number of hashes following
> the Windows WDigest schemes as well as OpenLDAP-type hashes (configured
> in the smb.conf, more details
> https://www.samba.org/samba/history/samba-4.7.0.html). Alternatively
> there's also gpg-encrypted access to plaintext passwords, but if you
> really want to avoid plaintext, then looking at the other methods would
> be ideal.
> In theory, this is all supposed to work. I don't think we have any real
> documentation on the wiki for assisting people, but we could probably do
> with one.
> On 23/03/18 08:58, Lapin Blanc via samba wrote:
> > I'm trying to have my Samba 4 AD DC users mapped and synchronized with
> > Google Apps for Education accounts.
> > I would like to start from the native Windows password update procedure
> > and eventually update the Google Apps password (actually, I think only some
> > types of hashes are stored).
> > Google actually provides a tool to synchronize user accounts and profiles
> > which works just fine. This tool queries an LDAP directory, extracts
> > relevant information and syncs it with Google Apps.
> > It would also synchronize passwords if they were in the LDAP directory.
> > Actually, if I manually set a "userPassword" attribute for a user, using
> > an MD5 hash for example, synchronization works just fine and the Google Apps
> > account gets updated.
> > Alas, if I get it right, Samba 4 acting as an AD DC uses its own internal
> > LDAP server and also a default Heimdal implementation of Kerberos, also
> > included in Samba. Thus, the password (or its hash) doesn't get stored in
> > the LDAP directory (correct me if I'm wrong).
> > I found smbkrb5pwd, which is an OpenLDAP (slapd) overlay to change LDAP,
> > Samba and MIT Kerberos passwords at the same time. (Then the password hash
> > would end up in the directory, where I could synchronize from.) But I guess
> > I can't use it for Samba's internal LDAP server.
> > I've also investigated how and where Samba stores domain users'
> > passwords, but I have difficulties tracking the update procedure... Is
> > there somewhere I could "intercept" or "get" the password or a usable
> > form? Sorry for my poor English; I'm basically a French speaker, and I hope
> > I've made myself clear...
> > Thank you
> > Fabien Toune
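The consumer side of what Garming Sam points at, as an added example that is my code, not Samba's or Google's: a small hook that parses the LDIF which samba-tool user getpassword prints (the same shape that samba-tool user syncpasswords --script is assumed here to hand a script on standard input) and decides what can be forwarded to Google. The sample LDIF, its NT hashes, the {CRYPT} string and the cleartext are all constructed for the example. As noted above, such a script has to run on the DC itself, since those attributes are not readable over LDAP, and virtualClearTextUTF8 only exists with the gpg setup in place. One caveat the thread does not spell out: the OpenLDAP-type hashes Samba generates are {CRYPT}-style strings, which are not among the formats Lapin Blanc lists for Google, so of those formats only something derived from the cleartext can be produced, and an unsalted SHA-1 of a password should be treated as being as sensitive as the password itself.

```python
import base64
import hashlib
import sys
from typing import Dict, List, Optional

# Constructed sample in the LDIF shape that `samba-tool user getpassword`
# prints. The NT hashes, crypt string and cleartext are made up for this
# example; they are not real credentials.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
unicodePwd:: MTIzNDU2Nzg5MGFiY2RlZg==
virtualCryptSHA512: {CRYPT}$6$rounds=5000$saltsalt$fakehashvalue
virtualClearTextUTF8:: cGFzc3dvcmQ=

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
unicodePwd:: ZmVkY2JhMDk4NzY1NDMyMQ==
"""

Record = Dict[str, List[bytes]]


def parse_ldif(text: str) -> List[Record]:
    """Parse LDIF into records of attribute -> list of raw byte values.

    Folded lines (continuations start with a space) are joined, and
    "attr:: <b64>" values are base64-decoded, which is how binary
    attributes such as unicodePwd are printed.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    records: List[Record] = []
    current: Optional[Record] = None
    for line in unfolded:
        if not line.strip():          # blank line ends a record
            if current:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            raw = base64.b64decode(value[1:].strip())
        else:
            raw = value.strip().encode("utf-8")
        if current is None:
            current = {}
        current.setdefault(name, []).append(raw)
    if current:
        records.append(current)
    return records


def nt_hash_hex(record: Record) -> Optional[str]:
    """unicodePwd carries the raw 16-byte NT hash; return it as hex."""
    values = record.get("unicodePwd")
    return values[0].hex() if values else None


def password_for_google(record: Record) -> Optional[Dict[str, str]]:
    """Return a representation in one of the formats listed for Google.

    The {CRYPT} virtualCryptSHA* values are not on that list and the NT
    hash (MD4 of UTF-16LE) cannot be converted, so only a record with the
    gpg-protected cleartext yields a result: an unsalted SHA-1, which is
    as sensitive as the password and must be handled like one.
    """
    cleartext = record.get("virtualClearTextUTF8")
    if not cleartext:
        return None
    return {"sha1": hashlib.sha1(cleartext[0]).hexdigest()}


def handle_sync_input(ldif_text: str) -> Dict[str, Optional[Dict[str, str]]]:
    """Map sAMAccountName -> representation, or None when not derivable.

    Shape of a syncpasswords --script hook, assumed here to get the
    changed users' LDIF on standard input.
    """
    result: Dict[str, Optional[Dict[str, str]]] = {}
    for record in parse_ldif(ldif_text):
        name = record["sAMAccountName"][0].decode("utf-8")
        result[name] = password_for_google(record)
    return result


if __name__ == "__main__":
    # Read LDIF from stdin when run as a hook, else use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for user, rep in handle_sync_input(data).items():
        print(user, rep if rep else "no usable format (NT hash only)")
```

Run on the sample, alice gets a SHA-1 derived from the cleartext and bob, whose record only carries unicodePwd, gets nothing: there is no way to turn an NT hash into any of the formats listed for Google, which is why the gpg-based cleartext path (or a plain userPassword) ends up being the realistic option for this particular consumer.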