Web lists-archives.com

[Samba] Syncing password change across NT4 and AD domains




Hello,

Thanks to the assistance from Samba devs, I managed to upgrade existing Samba 3 (NT4) domain to Samba 4 (they are co-existing in the same network, while services/computers are being migrated to AD).

The sequence of actions was
- run "classic upgrade" against local OpenLDAP-based replica of existing NT4 domain - extract from Samba 3 domain LDAP dump Posix attributes for users (required to log on to Unix systems) - import the mentioned LDIF containing extracted attributes into AD (with ldbmodify) - set up authentication at Linux servers via Kerberos 5 (+ LDAP to get user Posix attributes)

(in case someone could use details, I can post elsewhere my working notes)

There's a small task remaining, save switching other services to authentication against Samba 4: syncing users passwords.

On Samba 4, as far as I understand, non-root users change their AD passwords via "smbpasswd".

On Samba 3 setup we use "smbldap-passwd" utility.

Question: how do I sync passwords, to avoid, when possible, changing passwords on both domains for the duration of migration period? Ugly approach would be to get user's input at smbldap-passwd and pass it to "samba-tool" on Samba 4 DC, to change the password for the same user.

Is there something less ugly and without obvious security issues?

Thanks.

Sincerely,
Konstantin

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba