Lapin Blanc
2018-Mar-22 20:15 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Hi Justin, Thank you for your answer, I had found this utility during my searches, and will probably try it. As you say, reversible + plaintext is far for optimal from a security point of view. Also, I would like to integrate the solution in a "packaged" distribution like for example Zentyal or UCS. But I'm happy to learn that this solution is viable, I wouldn't lose my time digging in that direction 2018-03-22 21:05 GMT+01:00 Justin Foreman <jforeman at dignitastechnologies.com>:> Fabien, > > The way that we’ve accomplished this was to ensure that all users have the > “Store passwords using reversible encryption” (which is not optimal) and > use a utility called “samba4-gaps.” > > Also: > samba-tool domain passwordsettings set --store-plaintext=on > > Works perfectly. > > https://github.com/baboons/samba4-gaps > > Justin > > > On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba < > samba at lists.samba.org> wrote: > > > > I'm trying to have my Samba 4 AD DC users mapped and synchronized with > > google apps for education accounts. > > I would like to start from the native windows password update procedure > to > > eventually update the google apps password (actually, I think only some > > types of hashes are stored). > > > > Google actually provides a tool to synchronize user accounts and profiles > > which works juste fine. This tools queries an LDAP directory, extracts > > relevant informations and sync them with google apps. > > It would also synchronize passwords if there were in the LDAP directory. > > Actually, if I manually set a "userPassword" attribute for a user, using > > MD5 hash for example, synchronization works just fine and the google apps > > account gets updated. > > > > Alas, if I get it right, Samba 4 acting as a AD DC uses it's own internal > > LDAP server and also a default Heimdal implementation of Kerberos, also > > included in Samba. Thus, the password (or it's hash) doesn't get stored > in > > the LDAP directory (correct me if I'm wrong). > > > > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP, > > Samba and MIT > > Kerberos passwords at the same time. (Then the password hash would end in > > the directory, where I could synchronized from). But I guess I can't use > it > > for Samba's internal LDAP server. > > > > I've also investigated on how and where and how Samba stores domain users > > passwords, but I have difficulties to track the update procedure... Is > > there somewhere I could "intercept" or "get" the password or a usable > hash > > from ? Sorry for my poor english, I'm basically speaking french, and hope > > I've made myself clear... > > > > Thank you > > > > Fabien Toune > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > >
Andrew Bartlett
2018-Mar-22 21:37 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
On Thu, 2018-03-22 at 21:15 +0100, Lapin Blanc via samba wrote:> Hi Justin, > > Thank you for your answer, I had found this utility during my searches, and > will probably try it. As you say, reversible + plaintext is far for optimal > from a security point of view. > Also, I would like to integrate the solution in a "packaged" distribution > like for example Zentyal or UCS. > But I'm happy to learn that this solution is viable, I wouldn't lose my > time digging in that directionThere is a better solution. Samba now stores a crypt() password hash for exactly this purpose. Look into the password sync stuff metze did and use Samba 4.7 or above and the virtualCryptSHA256 attribute. Then please patch samba4-gaps to use that please :-) Andrew Bartlett> 2018-03-22 21:05 GMT+01:00 Justin Foreman <jforeman at dignitastechnologies.com > > : > > Fabien, > > > > The way that we’ve accomplished this was to ensure that all users have the > > “Store passwords using reversible encryption” (which is not optimal) and > > use a utility called “samba4-gaps.” > > > > Also: > > samba-tool domain passwordsettings set --store-plaintext=on > > > > Works perfectly. > > > > https://github.com/baboons/samba4-gaps > > > > Justin > > > > > On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba < > > > > samba at lists.samba.org> wrote: > > > > > > I'm trying to have my Samba 4 AD DC users mapped and synchronized with > > > google apps for education accounts. > > > I would like to start from the native windows password update procedure > > > > to > > > eventually update the google apps password (actually, I think only some > > > types of hashes are stored). > > > > > > Google actually provides a tool to synchronize user accounts and profiles > > > which works juste fine. This tools queries an LDAP directory, extracts > > > relevant informations and sync them with google apps. > > > It would also synchronize passwords if there were in the LDAP directory. > > > Actually, if I manually set a "userPassword" attribute for a user, using > > > MD5 hash for example, synchronization works just fine and the google apps > > > account gets updated. > > > > > > Alas, if I get it right, Samba 4 acting as a AD DC uses it's own internal > > > LDAP server and also a default Heimdal implementation of Kerberos, also > > > included in Samba. Thus, the password (or it's hash) doesn't get stored > > > > in > > > the LDAP directory (correct me if I'm wrong). > > > > > > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP, > > > Samba and MIT > > > Kerberos passwords at the same time. (Then the password hash would end in > > > the directory, where I could synchronized from). But I guess I can't use > > > > it > > > for Samba's internal LDAP server. > > > > > > I've also investigated on how and where and how Samba stores domain users > > > passwords, but I have difficulties to track the update procedure... Is > > > there somewhere I could "intercept" or "get" the password or a usable > > > > hash > > > from ? Sorry for my poor english, I'm basically speaking french, and hope > > > I've made myself clear... > > > > > > Thank you > > > > > > Fabien Toune > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > > >-- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Lapin Blanc
2018-Mar-22 22:48 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Hello, and thank you for the answer. I'm quite new to Samba, and when you speak about Samba storing a crypt() password hash and about the virtualCryptSHA256 attribute I get the general meaning, but not the way to get to those informations. Would you have any pointer on where I could learn more about that ? I found discussions about some patches from Stefan Metzmacher in the mailing lists, is this what you mean ? Google only accepts plain text, Base64, MD5 or SHA1, I don't know if I'll found a consensus Btw, I'll keep trying and keep you informed... Cheers Fabien Toune 2018-03-22 22:37 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:> On Thu, 2018-03-22 at 21:15 +0100, Lapin Blanc via samba wrote: > > Hi Justin, > > > > Thank you for your answer, I had found this utility during my searches, > and > > will probably try it. As you say, reversible + plaintext is far for > optimal > > from a security point of view. > > Also, I would like to integrate the solution in a "packaged" distribution > > like for example Zentyal or UCS. > > But I'm happy to learn that this solution is viable, I wouldn't lose my > > time digging in that direction > > There is a better solution. Samba now stores a crypt() password hash > for exactly this purpose. > > Look into the password sync stuff metze did and use Samba 4.7 or above > and the virtualCryptSHA256 attribute. > > Then please patch samba4-gaps to use that please :-) > > Andrew Bartlett > > > 2018-03-22 21:05 GMT+01:00 Justin Foreman <jforeman@ > dignitastechnologies.com > > > : > > > Fabien, > > > > > > The way that we’ve accomplished this was to ensure that all users have > the > > > “Store passwords using reversible encryption” (which is not optimal) > and > > > use a utility called “samba4-gaps.” > > > > > > Also: > > > samba-tool domain passwordsettings set --store-plaintext=on > > > > > > Works perfectly. > > > > > > https://github.com/baboons/samba4-gaps > > > > > > Justin > > > > > > > On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba < > > > > > > samba at lists.samba.org> wrote: > > > > > > > > I'm trying to have my Samba 4 AD DC users mapped and synchronized > with > > > > google apps for education accounts. > > > > I would like to start from the native windows password update > procedure > > > > > > to > > > > eventually update the google apps password (actually, I think only > some > > > > types of hashes are stored). > > > > > > > > Google actually provides a tool to synchronize user accounts and > profiles > > > > which works juste fine. This tools queries an LDAP directory, > extracts > > > > relevant informations and sync them with google apps. > > > > It would also synchronize passwords if there were in the LDAP > directory. > > > > Actually, if I manually set a "userPassword" attribute for a user, > using > > > > MD5 hash for example, synchronization works just fine and the google > apps > > > > account gets updated. > > > > > > > > Alas, if I get it right, Samba 4 acting as a AD DC uses it's own > internal > > > > LDAP server and also a default Heimdal implementation of Kerberos, > also > > > > included in Samba. Thus, the password (or it's hash) doesn't get > stored > > > > > > in > > > > the LDAP directory (correct me if I'm wrong). > > > > > > > > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change > LDAP, > > > > Samba and MIT > > > > Kerberos passwords at the same time. (Then the password hash would > end in > > > > the directory, where I could synchronized from). But I guess I can't > use > > > > > > it > > > > for Samba's internal LDAP server. > > > > > > > > I've also investigated on how and where and how Samba stores domain > users > > > > passwords, but I have difficulties to track the update procedure... > Is > > > > there somewhere I could "intercept" or "get" the password or a usable > > > > > > hash > > > > from ? Sorry for my poor english, I'm basically speaking french, and > hope > > > > I've made myself clear... > > > > > > > > Thank you > > > > > > > > Fabien Toune > > > > -- > > > > To unsubscribe from this list go to the following URL and read the > > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > -- > Andrew Bartlett > https://samba.org/~abartlet/ > Authentication Developer, Samba Team https://samba.org > Samba Development and Support, Catalyst IT > https://catalyst.net.nz/services/samba > > > > >
Lapin Blanc
2018-Mar-28 06:34 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Hi ! I've followed your pointers and advice and made a small utility which can be used to sync G Suite passwords. I hope it will be useful to someone. Thanks again for the help and your great job, Fabien Toune https://github.com/Lapin-Blanc/samba_gsync 2018-03-22 22:37 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:> On Thu, 2018-03-22 at 21:15 +0100, Lapin Blanc via samba wrote: > > Hi Justin, > > > > Thank you for your answer, I had found this utility during my searches, > and > > will probably try it. As you say, reversible + plaintext is far for > optimal > > from a security point of view. > > Also, I would like to integrate the solution in a "packaged" distribution > > like for example Zentyal or UCS. > > But I'm happy to learn that this solution is viable, I wouldn't lose my > > time digging in that direction > > There is a better solution. Samba now stores a crypt() password hash > for exactly this purpose. > > Look into the password sync stuff metze did and use Samba 4.7 or above > and the virtualCryptSHA256 attribute. > > Then please patch samba4-gaps to use that please :-) > > Andrew Bartlett > > > 2018-03-22 21:05 GMT+01:00 Justin Foreman <jforeman@ > dignitastechnologies.com > > > : > > > Fabien, > > > > > > The way that we’ve accomplished this was to ensure that all users have > the > > > “Store passwords using reversible encryption” (which is not optimal) > and > > > use a utility called “samba4-gaps.” > > > > > > Also: > > > samba-tool domain passwordsettings set --store-plaintext=on > > > > > > Works perfectly. > > > > > > https://github.com/baboons/samba4-gaps > > > > > > Justin > > > > > > > On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba < > > > > > > samba at lists.samba.org> wrote: > > > > > > > > I'm trying to have my Samba 4 AD DC users mapped and synchronized > with > > > > google apps for education accounts. > > > > I would like to start from the native windows password update > procedure > > > > > > to > > > > eventually update the google apps password (actually, I think only > some > > > > types of hashes are stored). > > > > > > > > Google actually provides a tool to synchronize user accounts and > profiles > > > > which works juste fine. This tools queries an LDAP directory, > extracts > > > > relevant informations and sync them with google apps. > > > > It would also synchronize passwords if there were in the LDAP > directory. > > > > Actually, if I manually set a "userPassword" attribute for a user, > using > > > > MD5 hash for example, synchronization works just fine and the google > apps > > > > account gets updated. > > > > > > > > Alas, if I get it right, Samba 4 acting as a AD DC uses it's own > internal > > > > LDAP server and also a default Heimdal implementation of Kerberos, > also > > > > included in Samba. Thus, the password (or it's hash) doesn't get > stored > > > > > > in > > > > the LDAP directory (correct me if I'm wrong). > > > > > > > > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change > LDAP, > > > > Samba and MIT > > > > Kerberos passwords at the same time. (Then the password hash would > end in > > > > the directory, where I could synchronized from). But I guess I can't > use > > > > > > it > > > > for Samba's internal LDAP server. > > > > > > > > I've also investigated on how and where and how Samba stores domain > users > > > > passwords, but I have difficulties to track the update procedure... > Is > > > > there somewhere I could "intercept" or "get" the password or a usable > > > > > > hash > > > > from ? Sorry for my poor english, I'm basically speaking french, and > hope > > > > I've made myself clear... > > > > > > > > Thank you > > > > > > > > Fabien Toune > > > > -- > > > > To unsubscribe from this list go to the following URL and read the > > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > -- > Andrew Bartlett > https://samba.org/~abartlet/ > Authentication Developer, Samba Team https://samba.org > Samba Development and Support, Catalyst IT > https://catalyst.net.nz/services/samba > > > > >
Maybe Matching Threads
- Google Cloud Directory Service password synchronization for AD DC
- Google Cloud Directory Service password synchronization for AD DC
- Google Cloud Directory Service password synchronization for AD DC
- Google Cloud Directory Service password synchronization for AD DC
- Google Cloud Directory Service password synchronization for AD DC