Konstantin Boyandin
2018-Sep-18 08:10 UTC
[Samba] Syncing password change across NT4 and AD domains
Hello,

Thanks to the assistance from Samba devs, I managed to upgrade an existing Samba 3 (NT4) domain to Samba 4 (they are co-existing in the same network, while services/computers are being migrated to AD).

The sequence of actions was

- run "classic upgrade" against a local OpenLDAP-based replica of the existing NT4 domain
- extract from the Samba 3 domain LDAP dump the Posix attributes for users (required to log on to Unix systems)
- import the mentioned LDIF containing the extracted attributes into AD (with ldbmodify)
- set up authentication at Linux servers via Kerberos 5 (+ LDAP to get user Posix attributes)

(in case someone could use the details, I can post my working notes elsewhere)

There's a small task remaining, save switching other services to authentication against Samba 4: syncing users' passwords.

On Samba 4, as far as I understand, non-root users change their AD passwords via "smbpasswd".
On Samba 3 setup we use the "smbldap-passwd" utility.

Question: how do I sync passwords, to avoid, when possible, changing passwords on both domains for the duration of the migration period?

An ugly approach would be to get the user's input at smbldap-passwd and pass it to "samba-tool" on the Samba 4 DC, to change the password for the same user.

Is there something less ugly and without obvious security issues?

Thanks.

Sincerely,
Konstantin
Marco Gaiarin
2018-Sep-18 09:13 UTC
[Samba] Syncing password change across NT4 and AD domains
Hello! Konstantin Boyandin via samba, on that day, wrote:

> On Samba 4, as far as I understand, non-root users change their AD passwords
> via "smbpasswd".
> On Samba 3 setup we use "smbldap-passwd" utility.

If smb.conf is configured correctly (the various 'script'), you can use 'smbpasswd' in both.

> Is there something less ugly and without obvious security issues?

In NT domain you can wrap something around 'check password script'; in AD domain, you can also wrap something around 'samba-tool user syncpassword'.

Look at:

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

for examples.

-- 
dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
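The 'check password script' wrapper suggested above, written out as an added example (this is not code from the thread, from tranquil.it or from the Samba project). The contract it relies on is Samba's: smbd writes the candidate password to the script's standard input and treats exit status 0 as accept, anything else as reject. Everything else is an assumption to adapt: the peer DC host name `ad-dc.example.internal`, that the account name arrives in `SAMBA_CPS_ACCOUNT_NAME` (a Samba AD DC exports it; whether the NT4-mode DC does is assumed here, and the script only runs its policy check when the variable is absent), and the forwarding method, which runs `smbpasswd -s` as root on the peer DC over ssh so the password travels on stdin rather than on a command line visible in `ps`.

```shell
#!/bin/sh
# check_password.sh: wrapper for Samba's "check password script" hook.
# Samba writes the candidate password to stdin; exit 0 = accept, else reject.
# smb.conf on the DC whose password changes should be mirrored:
#   check password script = /usr/local/sbin/check_password.sh
#
# Assumptions (not from the thread): PEER_DC host name, the account name
# being exported as SAMBA_CPS_ACCOUNT_NAME (true on a Samba AD DC, assumed
# for NT4 mode), and mirroring via ssh + "smbpasswd -s" on the peer DC.
set -u

PEER_DC="${PEER_DC:-ad-dc.example.internal}"   # hypothetical host name
MIN_LEN=8
LOG_TAG="check_password"

# check_policy NEWPW -> 0 if acceptable, 1 otherwise.
# Minimal local policy: minimum length plus at least one letter and one digit.
check_policy() {
    pw=$1
    [ "${#pw}" -ge "$MIN_LEN" ] || return 1
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    case $pw in *[A-Za-z]*) ;; *) return 1 ;; esac
    return 0
}

# format_smbpasswd_input NEWPW -> the two lines "smbpasswd -s" reads when
# root sets another user's password: the new password and its confirmation.
format_smbpasswd_input() {
    printf '%s\n%s\n' "$1" "$1"
}

# forward_to_peer ACCOUNT NEWPW -> exit status of the remote smbpasswd.
# The password goes over the ssh channel on stdin, never as an argument.
forward_to_peer() {
    acct=$1
    pw=$2
    format_smbpasswd_input "$pw" |
        ssh -o BatchMode=yes "root@$PEER_DC" smbpasswd -s "$acct"
}

main() {
    # Read the candidate password from stdin (one line, backslashes kept).
    IFS= read -r newpw || newpw=""
    if ! check_policy "$newpw"; then
        logger -t "$LOG_TAG" "rejected password change: local policy"  # never log the password
        return 1
    fi
    acct="${SAMBA_CPS_ACCOUNT_NAME:-}"
    if [ -z "$acct" ]; then
        logger -t "$LOG_TAG" "accepted; no account name available, not mirrored"
        return 0
    fi
    if forward_to_peer "$acct" "$newpw"; then
        logger -t "$LOG_TAG" "mirrored password change for $acct to $PEER_DC"
        return 0
    fi
    # Site policy decision: a failed mirror rejects the local change too,
    # so the two domains never silently diverge.
    logger -t "$LOG_TAG" "mirroring for $acct to $PEER_DC failed; rejecting"
    return 1
}

# Run the hook only when invoked under its installed name, so the functions
# above can also be sourced and exercised without touching any DC.
case $0 in
    */check_password.sh|check_password.sh) main; exit $? ;;
esac
```

Two points a practitioner will want to keep in mind. First, both hooks named in the thread see cleartext passwords: this script, and whatever 'samba-tool user syncpasswords' (the current spelling of the subcommand) hands to its own script on the AD side, so install the wrapper root-only (mode 0700), keep the password out of logs and argument lists as above, and restrict the ssh key to the one command on the peer. Second, the policy check runs before any mirroring, so a password rejected locally is never sent anywhere; a password accepted locally but refused by the peer's own policy is rejected here as well, which keeps the two domains in step at the cost of surfacing the peer's rules to the user.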