Lapin Blanc
2018-Mar-22 19:58 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
I'm trying to have my Samba 4 AD DC users mapped and synchronized with google apps for education accounts. I would like to start from the native windows password update procedure to eventually update the google apps password (actually, I think only some types of hashes are stored). Google actually provides a tool to synchronize user accounts and profiles which works juste fine. This tools queries an LDAP directory, extracts relevant informations and sync them with google apps. It would also synchronize passwords if there were in the LDAP directory. Actually, if I manually set a "userPassword" attribute for a user, using MD5 hash for example, synchronization works just fine and the google apps account gets updated. Alas, if I get it right, Samba 4 acting as a AD DC uses it's own internal LDAP server and also a default Heimdal implementation of Kerberos, also included in Samba. Thus, the password (or it's hash) doesn't get stored in the LDAP directory (correct me if I'm wrong). I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP, Samba and MIT Kerberos passwords at the same time. (Then the password hash would end in the directory, where I could synchronized from). But I guess I can't use it for Samba's internal LDAP server. I've also investigated on how and where and how Samba stores domain users passwords, but I have difficulties to track the update procedure... Is there somewhere I could "intercept" or "get" the password or a usable hash from ? Sorry for my poor english, I'm basically speaking french, and hope I've made myself clear... Thank you Fabien Toune
Justin Foreman
2018-Mar-22 20:05 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Fabien, The way that we’ve accomplished this was to ensure that all users have the “Store passwords using reversible encryption” (which is not optimal) and use a utility called “samba4-gaps.” Also: samba-tool domain passwordsettings set --store-plaintext=on Works perfectly. https://github.com/baboons/samba4-gaps Justin> On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba <samba at lists.samba.org> wrote: > > I'm trying to have my Samba 4 AD DC users mapped and synchronized with > google apps for education accounts. > I would like to start from the native windows password update procedure to > eventually update the google apps password (actually, I think only some > types of hashes are stored). > > Google actually provides a tool to synchronize user accounts and profiles > which works juste fine. This tools queries an LDAP directory, extracts > relevant informations and sync them with google apps. > It would also synchronize passwords if there were in the LDAP directory. > Actually, if I manually set a "userPassword" attribute for a user, using > MD5 hash for example, synchronization works just fine and the google apps > account gets updated. > > Alas, if I get it right, Samba 4 acting as a AD DC uses it's own internal > LDAP server and also a default Heimdal implementation of Kerberos, also > included in Samba. Thus, the password (or it's hash) doesn't get stored in > the LDAP directory (correct me if I'm wrong). > > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP, > Samba and MIT > Kerberos passwords at the same time. (Then the password hash would end in > the directory, where I could synchronized from). But I guess I can't use it > for Samba's internal LDAP server. > > I've also investigated on how and where and how Samba stores domain users > passwords, but I have difficulties to track the update procedure... Is > there somewhere I could "intercept" or "get" the password or a usable hash > from ? Sorry for my poor english, I'm basically speaking french, and hope > I've made myself clear... > > Thank you > > Fabien Toune > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Lapin Blanc
2018-Mar-22 20:15 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Hi Justin, Thank you for your answer, I had found this utility during my searches, and will probably try it. As you say, reversible + plaintext is far for optimal from a security point of view. Also, I would like to integrate the solution in a "packaged" distribution like for example Zentyal or UCS. But I'm happy to learn that this solution is viable, I wouldn't lose my time digging in that direction 2018-03-22 21:05 GMT+01:00 Justin Foreman <jforeman at dignitastechnologies.com>:> Fabien, > > The way that we’ve accomplished this was to ensure that all users have the > “Store passwords using reversible encryption” (which is not optimal) and > use a utility called “samba4-gaps.” > > Also: > samba-tool domain passwordsettings set --store-plaintext=on > > Works perfectly. > > https://github.com/baboons/samba4-gaps > > Justin > > > On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba < > samba at lists.samba.org> wrote: > > > > I'm trying to have my Samba 4 AD DC users mapped and synchronized with > > google apps for education accounts. > > I would like to start from the native windows password update procedure > to > > eventually update the google apps password (actually, I think only some > > types of hashes are stored). > > > > Google actually provides a tool to synchronize user accounts and profiles > > which works juste fine. This tools queries an LDAP directory, extracts > > relevant informations and sync them with google apps. > > It would also synchronize passwords if there were in the LDAP directory. > > Actually, if I manually set a "userPassword" attribute for a user, using > > MD5 hash for example, synchronization works just fine and the google apps > > account gets updated. > > > > Alas, if I get it right, Samba 4 acting as a AD DC uses it's own internal > > LDAP server and also a default Heimdal implementation of Kerberos, also > > included in Samba. Thus, the password (or it's hash) doesn't get stored > in > > the LDAP directory (correct me if I'm wrong). > > > > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP, > > Samba and MIT > > Kerberos passwords at the same time. (Then the password hash would end in > > the directory, where I could synchronized from). But I guess I can't use > it > > for Samba's internal LDAP server. > > > > I've also investigated on how and where and how Samba stores domain users > > passwords, but I have difficulties to track the update procedure... Is > > there somewhere I could "intercept" or "get" the password or a usable > hash > > from ? Sorry for my poor english, I'm basically speaking french, and hope > > I've made myself clear... > > > > Thank you > > > > Fabien Toune > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > >
Garming Sam
2018-Mar-22 20:55 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Hi, If you look at both: samba-tool user getpassword --help samba-tool user syncpasswords --help You may be able to find the information that you're looking for. Samba does store all the hashes in the LDAP directory, but you have to normally access them directly from the system (not over LDAP). You should also note that our Kerberos server reads and updates the password stored in the directory. You can access the standard unicodePwd with the NTHASH, but we also additionally generate a number of hashes following the Windows WDigest schemes as well as OpenLDAP-type hashes (configured in the smb.conf, more details https://www.samba.org/samba/history/samba-4.7.0.html). Alternatively there's also gpg-encrypted access to plaintext passwords, but if you really want to avoid plaintext, then looking at the other methods would be ideal. In theory, this is all supposed to work. I don't think we have any real documentation on the wiki for assisting people, but we could probably do with one. Cheers, Garming On 23/03/18 08:58, Lapin Blanc via samba wrote:> I'm trying to have my Samba 4 AD DC users mapped and synchronized with > google apps for education accounts. > I would like to start from the native windows password update procedure to > eventually update the google apps password (actually, I think only some > types of hashes are stored). > > Google actually provides a tool to synchronize user accounts and profiles > which works juste fine. This tools queries an LDAP directory, extracts > relevant informations and sync them with google apps. > It would also synchronize passwords if there were in the LDAP directory. > Actually, if I manually set a "userPassword" attribute for a user, using > MD5 hash for example, synchronization works just fine and the google apps > account gets updated. > > Alas, if I get it right, Samba 4 acting as a AD DC uses it's own internal > LDAP server and also a default Heimdal implementation of Kerberos, also > included in Samba. Thus, the password (or it's hash) doesn't get stored in > the LDAP directory (correct me if I'm wrong). > > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP, > Samba and MIT > Kerberos passwords at the same time. (Then the password hash would end in > the directory, where I could synchronized from). But I guess I can't use it > for Samba's internal LDAP server. > > I've also investigated on how and where and how Samba stores domain users > passwords, but I have difficulties to track the update procedure... Is > there somewhere I could "intercept" or "get" the password or a usable hash > from ? Sorry for my poor english, I'm basically speaking french, and hope > I've made myself clear... > > Thank you > > Fabien Toune
Lapin Blanc
2018-Mar-22 22:39 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Thank you very much for this help. I'll dig deeper into your suggestion. I'm new to samba, trying to catch up as fast as I can ;-) As google only accepts plain text, Base64, MD5 or SHA1, I'll probably look for OpenLDAP-type hashes. I'll read as many samba doc as I can and dig for technical informations on how to get there Cheers, Fabien 2018-03-22 21:55 GMT+01:00 Garming Sam <garming at catalyst.net.nz>:> Hi, > > If you look at both: > > samba-tool user getpassword --help > samba-tool user syncpasswords --help > > You may be able to find the information that you're looking for. Samba > does store all the hashes in the LDAP directory, but you have to > normally access them directly from the system (not over LDAP). You > should also note that our Kerberos server reads and updates the password > stored in the directory. You can access the standard unicodePwd with the > NTHASH, but we also additionally generate a number of hashes following > the Windows WDigest schemes as well as OpenLDAP-type hashes (configured > in the smb.conf, more details > https://www.samba.org/samba/history/samba-4.7.0.html). Alternatively > there's also gpg-encrypted access to plaintext passwords, but if you > really want to avoid plaintext, then looking at the other methods would > be ideal. > > In theory, this is all supposed to work. I don't think we have any real > documentation on the wiki for assisting people, but we could probably do > with one. > > Cheers, > > Garming > > On 23/03/18 08:58, Lapin Blanc via samba wrote: > > I'm trying to have my Samba 4 AD DC users mapped and synchronized with > > google apps for education accounts. > > I would like to start from the native windows password update procedure > to > > eventually update the google apps password (actually, I think only some > > types of hashes are stored). > > > > Google actually provides a tool to synchronize user accounts and profiles > > which works juste fine. This tools queries an LDAP directory, extracts > > relevant informations and sync them with google apps. > > It would also synchronize passwords if there were in the LDAP directory. > > Actually, if I manually set a "userPassword" attribute for a user, using > > MD5 hash for example, synchronization works just fine and the google apps > > account gets updated. > > > > Alas, if I get it right, Samba 4 acting as a AD DC uses it's own internal > > LDAP server and also a default Heimdal implementation of Kerberos, also > > included in Samba. Thus, the password (or it's hash) doesn't get stored > in > > the LDAP directory (correct me if I'm wrong). > > > > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP, > > Samba and MIT > > Kerberos passwords at the same time. (Then the password hash would end in > > the directory, where I could synchronized from). But I guess I can't use > it > > for Samba's internal LDAP server. > > > > I've also investigated on how and where and how Samba stores domain users > > passwords, but I have difficulties to track the update procedure... Is > > there somewhere I could "intercept" or "get" the password or a usable > hash > > from ? Sorry for my poor english, I'm basically speaking french, and hope > > I've made myself clear... > > > > Thank you > > > > Fabien Toune > >
Seemingly Similar Threads
- Google Cloud Directory Service password synchronization for AD DC
- Google Cloud Directory Service password synchronization for AD DC
- Google Cloud Directory Service password synchronization for AD DC
- Google Cloud Directory Service password synchronization for AD DC
- Google Cloud Directory Service password synchronization for AD DC