
[Samba] Syncing password change across NT4 and AD domains


Thanks to the assistance from the Samba devs, I managed to upgrade the existing Samba 3 (NT4) domain to Samba 4 (they are co-existing in the same network while services/computers are being migrated to AD).

The sequence of actions was:
- run "classic upgrade" against a local OpenLDAP-based replica of the existing NT4 domain
- extract the Posix attributes for users (required to log on to Unix systems) from the Samba 3 domain LDAP dump
- import the mentioned LDIF containing the extracted attributes into AD (with ldbmodify)
- set up authentication on the Linux servers via Kerberos 5 (+ LDAP to get user Posix attributes)

(In case someone could use the details, I can post my working notes elsewhere.)

There's a small task remaining, apart from switching other services to authentication against Samba 4: syncing users' passwords.

On Samba 4, as far as I understand, non-root users change their AD passwords via "smbpasswd".

On the Samba 3 setup we use the "smbldap-passwd" utility.

Question: how do I sync passwords, to avoid, when possible, changing passwords on both domains for the duration of the migration period? An ugly approach would be to get the user's input at smbldap-passwd and pass it to "samba-tool" on the Samba 4 DC, to change the password for the same user.

Is there something less ugly and without obvious security issues?
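
The extract-and-import steps in the sequence above, as an added example that is not the poster's notes or code: it reads a Samba 3 LDIF dump and builds ldbmodify input that copies only a whitelist of POSIX attributes, so password hashes in the dump never reach the import file. Assumptions: each AD user sits at CN=<uid> under the DN passed in, homeDirectory is stored in AD as unixHomeDirectory, and the sample entry is constructed.

```python
import base64

# Samba 3 (RFC 2307) attribute, lowercased -> attribute set on the AD entry.
POSIX_MAP = {"uidnumber": "uidNumber", "gidnumber": "gidNumber",
             "loginshell": "loginShell", "homedirectory": "unixHomeDirectory"}

# Constructed sample entry, not taken from a real directory.
SAMPLE_DUMP = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10000
homeDirectory:: L2hvbWUvYWxpY2U=
loginShell: /bin/bash
sambaNTPassword: 00000000000000000000000000000000
"""


def parse_ldif(text):
    """Yield {attr: [values]} per entry; unfold continuations, decode base64."""
    entry = {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            value = rest.lstrip(":").strip()
            if rest.startswith(":"):  # '::' marks a base64 value
                value = base64.b64decode(value).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value)


def to_ad_modify(dump, users_dn):
    """Return ldbmodify input carrying only the whitelisted POSIX attributes."""
    out = []
    for e in parse_ldif(dump):
        classes = [c.lower() for c in e.get("objectclass", [])]
        uid = e.get("uid", [""])[0]
        if "posixaccount" not in classes or not uid or uid.endswith("$"):
            continue  # skip non-users and machine accounts (uid ends in '$')
        lines = [f"dn: CN={uid},{users_dn}", "changetype: modify"]
        for src, dst in POSIX_MAP.items():
            if src in e:
                lines += [f"replace: {dst}", f"{dst}: {e[src][0]}", "-"]
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"
```

The string returned by `to_ad_modify(SAMPLE_DUMP, "CN=Users,DC=example,DC=com")` can be reviewed by eye before it is handed to ldbmodify.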


