Lapin Blanc
2018-Mar-22 20:15 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Hi Justin,

Thank you for your answer, I had found this utility during my searches, and will probably try it. As you say, reversible + plaintext is far from optimal from a security point of view.
Also, I would like to integrate the solution in a "packaged" distribution like for example Zentyal or UCS.
But I'm happy to learn that this solution is viable, I won't waste my time digging in that direction.

2018-03-22 21:05 GMT+01:00 Justin Foreman <jforeman at dignitastechnologies.com>:
> Fabien,
>
> The way that we’ve accomplished this was to ensure that all users have the “Store passwords using reversible encryption” (which is not optimal) and use a utility called “samba4-gaps.”
>
> Also:
> samba-tool domain passwordsettings set --store-plaintext=on
>
> Works perfectly.
>
> https://github.com/baboons/samba4-gaps
>
> Justin
>
> > On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba <samba at lists.samba.org> wrote:
> >
> > I'm trying to have my Samba 4 AD DC users mapped and synchronized with Google Apps for Education accounts.
> > I would like to start from the native Windows password update procedure to eventually update the Google Apps password (actually, I think only some types of hashes are stored).
> >
> > Google actually provides a tool to synchronize user accounts and profiles which works just fine. This tool queries an LDAP directory, extracts relevant information and syncs it with Google Apps.
> > It would also synchronize passwords if they were in the LDAP directory.
> > Actually, if I manually set a "userPassword" attribute for a user, using an MD5 hash for example, synchronization works just fine and the Google Apps account gets updated.
> >
> > Alas, if I get it right, Samba 4 acting as an AD DC uses its own internal LDAP server and also a default Heimdal implementation of Kerberos, also included in Samba. Thus, the password (or its hash) doesn't get stored in the LDAP directory (correct me if I'm wrong).
> >
> > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP, Samba and MIT Kerberos passwords at the same time. (Then the password hash would end up in the directory, where I could synchronize from). But I guess I can't use it for Samba's internal LDAP server.
> >
> > I've also investigated how and where Samba stores domain users' passwords, but I have difficulties tracking the update procedure... Is there somewhere I could "intercept" or "get" the password or a usable hash from? Sorry for my poor English, I'm basically speaking French, and hope I've made myself clear...
> >
> > Thank you
> >
> > Fabien Toune
> > --
> > To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2018-Mar-22 21:37 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
On Thu, 2018-03-22 at 21:15 +0100, Lapin Blanc via samba wrote:
> Hi Justin,
>
> Thank you for your answer, I had found this utility during my searches, and will probably try it. As you say, reversible + plaintext is far from optimal from a security point of view.
> Also, I would like to integrate the solution in a "packaged" distribution like for example Zentyal or UCS.
> But I'm happy to learn that this solution is viable, I won't waste my time digging in that direction.

There is a better solution. Samba now stores a crypt() password hash for exactly this purpose.

Look into the password sync stuff metze did and use Samba 4.7 or above and the virtualCryptSHA256 attribute.

Then please patch samba4-gaps to use that please :-)

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
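Reading the virtualCryptSHA256 attribute Andrew points at, as an added example that is not from this thread, from samba4-gaps or from samba_gsync. It assumes Samba 4.7 or later with "password hash userPassword schemes = CryptSHA256" in smb.conf; the samba-tool command line and the {CRYPT} prefix are Samba's own interface, while the helper names (fetch_crypt_ldif, extract_crypt_hash, is_sha256_crypt) are made up here, and the format check goes a little beyond the thread by rejecting MD5/SHA-512 crypt strings.

```shell
#!/bin/sh
# Added example, not code from the thread or from samba4-gaps/samba_gsync.
# Reads the crypt(3) SHA-256 hash that Samba >= 4.7 exposes as the
# virtualCryptSHA256 attribute and checks it really is a $5$ (SHA-256)
# crypt string before it is handed to any downstream sync tool.
#
# Assumption: smb.conf on the DC contains
#   password hash userPassword schemes = CryptSHA256
# so Samba stores the hash at password-change time. Without it, Samba can
# only derive the attribute from a GPG-encrypted copy of the plaintext
# ("password hash gpg key ids" plus --decrypt-samba-gpg).

# Fetch the attribute for one user as LDIF; run on the DC as root.
# (The helper name is ours; the samba-tool command line is Samba's.)
fetch_crypt_ldif() {
    samba-tool user getpassword "$1" --attributes=virtualCryptSHA256
}

# Extract the bare crypt string from LDIF on stdin, dropping the {CRYPT}
# prefix. Folded LDIF continuation lines (leading space) are rejoined
# first, and an option tag such as "virtualCryptSHA256;rounds=10000" is
# tolerated. Prints nothing if the attribute is absent.
extract_crypt_hash() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' |
    sed -n 's/^virtualCryptSHA256[^:]*: {CRYPT}//p' | head -n 1
}

# Return 0 only for a SHA-256 crypt hash: "$5$" id, optional "rounds=N$",
# then salt and digest in the crypt alphabet [A-Za-z0-9./]. "$1$" (MD5)
# or "$6$" (SHA-512) strings are rejected so a misconfigured DC shows up.
is_sha256_crypt() {
    case "$1" in
        '$5$'[A-Za-z0-9./]*'$'[A-Za-z0-9./]*)                 return 0 ;;
        '$5$rounds='[0-9]*'$'[A-Za-z0-9./]*'$'[A-Za-z0-9./]*) return 0 ;;
        *)                                                   return 1 ;;
    esac
}

# Usage on the DC: sh samba_crypt_hash.sh alice
if [ "$#" -eq 1 ]; then
    hash=$(fetch_crypt_ldif "$1" | extract_crypt_hash)
    if [ -n "$hash" ] && is_sha256_crypt "$hash"; then
        printf 'SHA-256 crypt hash for %s: %s\n' "$1" "$hash"
    else
        printf 'no usable virtualCryptSHA256 for %s\n' "$1" >&2
        exit 1
    fi
fi
```

Note that Google's sync tool, as Fabien says later in the thread, accepts only plaintext, Base64, MD5 or SHA1, so a crypt SHA-256 value cannot be converted for it; the hash is still the right thing to store and check on the Samba side.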
Lapin Blanc
2018-Mar-22 22:48 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Hello, and thank you for the answer.

I'm quite new to Samba, and when you speak about Samba storing a crypt() password hash and about the virtualCryptSHA256 attribute I get the general meaning, but not the way to get to that information. Would you have any pointers on where I could learn more about that? I found discussions about some patches from Stefan Metzmacher in the mailing lists, is this what you mean?

Google only accepts plain text, Base64, MD5 or SHA1, I don't know if I'll find a consensus.

Btw, I'll keep trying and keep you informed...

Cheers

Fabien Toune

2018-03-22 22:37 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:
> There is a better solution. Samba now stores a crypt() password hash for exactly this purpose.
>
> Look into the password sync stuff metze did and use Samba 4.7 or above and the virtualCryptSHA256 attribute.
>
> Then please patch samba4-gaps to use that please :-)
>
> Andrew Bartlett
Lapin Blanc
2018-Mar-28 06:34 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Hi!

I've followed your pointers and advice and made a small utility which can be used to sync G Suite passwords. I hope it will be useful to someone.

Thanks again for the help and your great job,

Fabien Toune

https://github.com/Lapin-Blanc/samba_gsync

2018-03-22 22:37 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:
> There is a better solution. Samba now stores a crypt() password hash for exactly this purpose.
>
> Look into the password sync stuff metze did and use Samba 4.7 or above and the virtualCryptSHA256 attribute.
>
> Then please patch samba4-gaps to use that please :-)
>
> Andrew Bartlett