samba - Mar 2018 - Google Cloud Directory Service password synchronization for AD DC

I'm trying to have my Samba 4 AD DC users mapped and synchronized with
google apps for education accounts.
I would like to start from the native windows password update procedure to
eventually update the google apps password (actually, I think only some
types of hashes are stored).

Google actually provides a tool to synchronize user accounts and profiles
which works juste fine. This tools queries an LDAP directory, extracts
relevant informations and sync them with google apps.
It would also synchronize passwords if there were in the LDAP directory.
Actually, if I manually set a "userPassword" attribute for a user,
using
MD5 hash for example, synchronization works just fine and the google apps
account gets updated.

Alas, if I get it right, Samba 4 acting as a AD DC uses it's own internal
LDAP server and also a default Heimdal implementation of Kerberos, also
included in Samba. Thus, the password (or it's hash) doesn't get stored
in
the LDAP directory (correct me if I'm wrong).

I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP,
Samba and MIT
Kerberos passwords at the same time. (Then the password hash would end in
the directory, where I could synchronized from). But I guess I can't use it
for Samba's internal LDAP server.

I've also investigated on how and where and how Samba stores domain users
passwords, but I have difficulties to track the update procedure... Is
there somewhere I could "intercept" or "get" the password or
a usable hash
from ? Sorry for my poor english, I'm basically speaking french, and hope
I've made myself clear...

Thank you

Fabien Toune

Fabien,

The way that we’ve accomplished this was to ensure that all users have the
“Store passwords using reversible encryption” (which is not optimal) and use a
utility called “samba4-gaps.”

Also:
samba-tool domain passwordsettings set --store-plaintext=on

Works perfectly.

https://github.com/baboons/samba4-gaps

Justin
> On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba <samba at
lists.samba.org> wrote:
> 
> I'm trying to have my Samba 4 AD DC users mapped and synchronized with
> google apps for education accounts.
> I would like to start from the native windows password update procedure to
> eventually update the google apps password (actually, I think only some
> types of hashes are stored).
> 
> Google actually provides a tool to synchronize user accounts and profiles
> which works juste fine. This tools queries an LDAP directory, extracts
> relevant informations and sync them with google apps.
> It would also synchronize passwords if there were in the LDAP directory.
> Actually, if I manually set a "userPassword" attribute for a
user, using
> MD5 hash for example, synchronization works just fine and the google apps
> account gets updated.
> 
> Alas, if I get it right, Samba 4 acting as a AD DC uses it's own
internal
> LDAP server and also a default Heimdal implementation of Kerberos, also
> included in Samba. Thus, the password (or it's hash) doesn't get
stored in
> the LDAP directory (correct me if I'm wrong).
> 
> I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP,
> Samba and MIT
> Kerberos passwords at the same time. (Then the password hash would end in
> the directory, where I could synchronized from). But I guess I can't
use it
> for Samba's internal LDAP server.
> 
> I've also investigated on how and where and how Samba stores domain
users
> passwords, but I have difficulties to track the update procedure... Is
> there somewhere I could "intercept" or "get" the
password or a usable hash
> from ? Sorry for my poor english, I'm basically speaking french, and
hope
> I've made myself clear...
> 
> Thank you
> 
> Fabien Toune
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Hi Justin,

Thank you for your answer, I had found this utility during my searches, and
will probably try it. As you say, reversible + plaintext is far for optimal
from a security point of view.
Also, I would like to integrate the solution in a "packaged"
distribution
like for example Zentyal or UCS.
But I'm happy to learn that this solution is viable, I wouldn't lose my
time digging in that direction

2018-03-22 21:05 GMT+01:00 Justin Foreman <jforeman at
dignitastechnologies.com
>:
> Fabien,
>
> The way that we’ve accomplished this was to ensure that all users have the
> “Store passwords using reversible encryption” (which is not optimal) and
> use a utility called “samba4-gaps.”
>
> Also:
> samba-tool domain passwordsettings set --store-plaintext=on
>
> Works perfectly.
>
> https://github.com/baboons/samba4-gaps
>
> Justin
>
> > On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba <
> samba at lists.samba.org> wrote:
> >
> > I'm trying to have my Samba 4 AD DC users mapped and synchronized
with
> > google apps for education accounts.
> > I would like to start from the native windows password update
procedure
> to
> > eventually update the google apps password (actually, I think only
some
> > types of hashes are stored).
> >
> > Google actually provides a tool to synchronize user accounts and
profiles
> > which works juste fine. This tools queries an LDAP directory, extracts
> > relevant informations and sync them with google apps.
> > It would also synchronize passwords if there were in the LDAP
directory.
> > Actually, if I manually set a "userPassword" attribute for a
user, using
> > MD5 hash for example, synchronization works just fine and the google
apps
> > account gets updated.
> >
> > Alas, if I get it right, Samba 4 acting as a AD DC uses it's own
internal
> > LDAP server and also a default Heimdal implementation of Kerberos,
also
> > included in Samba. Thus, the password (or it's hash) doesn't
get stored
> in
> > the LDAP directory (correct me if I'm wrong).
> >
> > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change
LDAP,
> > Samba and MIT
> > Kerberos passwords at the same time. (Then the password hash would end
in
> > the directory, where I could synchronized from). But I guess I
can't use
> it
> > for Samba's internal LDAP server.
> >
> > I've also investigated on how and where and how Samba stores
domain users
> > passwords, but I have difficulties to track the update procedure... Is
> > there somewhere I could "intercept" or "get" the
password or a usable
> hash
> > from ? Sorry for my poor english, I'm basically speaking french,
and hope
> > I've made myself clear...
> >
> > Thank you
> >
> > Fabien Toune
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>

Hi,

If you look at both:

samba-tool user getpassword --help
samba-tool user syncpasswords --help

You may be able to find the information that you're looking for. Samba
does store all the hashes in the LDAP directory, but you have to
normally access them directly from the system (not over LDAP). You
should also note that our Kerberos server reads and updates the password
stored in the directory. You can access the standard unicodePwd with the
NTHASH, but we also additionally generate a number of hashes following
the Windows WDigest schemes as well as OpenLDAP-type hashes (configured
in the smb.conf, more details
https://www.samba.org/samba/history/samba-4.7.0.html). Alternatively
there's also gpg-encrypted access to plaintext passwords, but if you
really want to avoid plaintext, then looking at the other methods would
be ideal.

In theory, this is all supposed to work. I don't think we have any real
documentation on the wiki for assisting people, but we could probably do
with one.

Cheers,

Garming

On 23/03/18 08:58, Lapin Blanc via samba wrote:
>  I'm trying to have my Samba 4 AD DC users mapped and synchronized with
> google apps for education accounts.
> I would like to start from the native windows password update procedure to
> eventually update the google apps password (actually, I think only some
> types of hashes are stored).
>
> Google actually provides a tool to synchronize user accounts and profiles
> which works juste fine. This tools queries an LDAP directory, extracts
> relevant informations and sync them with google apps.
> It would also synchronize passwords if there were in the LDAP directory.
> Actually, if I manually set a "userPassword" attribute for a
user, using
> MD5 hash for example, synchronization works just fine and the google apps
> account gets updated.
>
> Alas, if I get it right, Samba 4 acting as a AD DC uses it's own
internal
> LDAP server and also a default Heimdal implementation of Kerberos, also
> included in Samba. Thus, the password (or it's hash) doesn't get
stored in
> the LDAP directory (correct me if I'm wrong).
>
> I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP,
> Samba and MIT
> Kerberos passwords at the same time. (Then the password hash would end in
> the directory, where I could synchronized from). But I guess I can't
use it
> for Samba's internal LDAP server.
>
> I've also investigated on how and where and how Samba stores domain
users
> passwords, but I have difficulties to track the update procedure... Is
> there somewhere I could "intercept" or "get" the
password or a usable hash
> from ? Sorry for my poor english, I'm basically speaking french, and
hope
> I've made myself clear...
>
> Thank you
>
> Fabien Toune

Thank you very much for this help. I'll dig deeper into your suggestion.
I'm new to samba, trying to catch up as fast as I can ;-)
As google only accepts plain text, Base64, MD5 or SHA1, I'll probably look
for OpenLDAP-type hashes.

I'll read as many samba doc as I can and dig for technical informations on
how to get there

Cheers,

Fabien

2018-03-22 21:55 GMT+01:00 Garming Sam <garming at catalyst.net.nz>:
> Hi,
>
> If you look at both:
>
> samba-tool user getpassword --help
> samba-tool user syncpasswords --help
>
> You may be able to find the information that you're looking for. Samba
> does store all the hashes in the LDAP directory, but you have to
> normally access them directly from the system (not over LDAP). You
> should also note that our Kerberos server reads and updates the password
> stored in the directory. You can access the standard unicodePwd with the
> NTHASH, but we also additionally generate a number of hashes following
> the Windows WDigest schemes as well as OpenLDAP-type hashes (configured
> in the smb.conf, more details
> https://www.samba.org/samba/history/samba-4.7.0.html). Alternatively
> there's also gpg-encrypted access to plaintext passwords, but if you
> really want to avoid plaintext, then looking at the other methods would
> be ideal.
>
> In theory, this is all supposed to work. I don't think we have any real
> documentation on the wiki for assisting people, but we could probably do
> with one.
>
> Cheers,
>
> Garming
>
> On 23/03/18 08:58, Lapin Blanc via samba wrote:
> >  I'm trying to have my Samba 4 AD DC users mapped and synchronized
with
> > google apps for education accounts.
> > I would like to start from the native windows password update
procedure
> to
> > eventually update the google apps password (actually, I think only
some
> > types of hashes are stored).
> >
> > Google actually provides a tool to synchronize user accounts and
profiles
> > which works juste fine. This tools queries an LDAP directory, extracts
> > relevant informations and sync them with google apps.
> > It would also synchronize passwords if there were in the LDAP
directory.
> > Actually, if I manually set a "userPassword" attribute for a
user, using
> > MD5 hash for example, synchronization works just fine and the google
apps
> > account gets updated.
> >
> > Alas, if I get it right, Samba 4 acting as a AD DC uses it's own
internal
> > LDAP server and also a default Heimdal implementation of Kerberos,
also
> > included in Samba. Thus, the password (or it's hash) doesn't
get stored
> in
> > the LDAP directory (correct me if I'm wrong).
> >
> > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change
LDAP,
> > Samba and MIT
> > Kerberos passwords at the same time. (Then the password hash would end
in
> > the directory, where I could synchronized from). But I guess I
can't use
> it
> > for Samba's internal LDAP server.
> >
> > I've also investigated on how and where and how Samba stores
domain users
> > passwords, but I have difficulties to track the update procedure... Is
> > there somewhere I could "intercept" or "get" the
password or a usable
> hash
> > from ? Sorry for my poor english, I'm basically speaking french,
and hope
> > I've made myself clear...
> >
> > Thank you
> >
> > Fabien Toune
>
>