Lapin Blanc
2018-Mar-22 22:48 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Hello, and thank you for the answer. I'm quite new to Samba, and when you speak about Samba storing a crypt() password hash and about the virtualCryptSHA256 attribute I get the general meaning, but not the way to get to that information.
Would you have any pointer on where I could learn more about that? I found discussions about some patches from Stefan Metzmacher in the mailing lists, is this what you mean?
Google only accepts plain text, Base64, MD5 or SHA1, I don't know if I'll find a consensus.
Btw, I'll keep trying and keep you informed...

Cheers

Fabien Toune

2018-03-22 22:37 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:
> On Thu, 2018-03-22 at 21:15 +0100, Lapin Blanc via samba wrote:
> > Hi Justin,
> >
> > Thank you for your answer, I had found this utility during my searches, and will probably try it. As you say, reversible + plaintext is far from optimal from a security point of view.
> > Also, I would like to integrate the solution in a "packaged" distribution like for example Zentyal or UCS.
> > But I'm happy to learn that this solution is viable, I wouldn't lose my time digging in that direction
>
> There is a better solution. Samba now stores a crypt() password hash for exactly this purpose.
>
> Look into the password sync stuff metze did and use Samba 4.7 or above and the virtualCryptSHA256 attribute.
>
> Then please patch samba4-gaps to use that please :-)
>
> Andrew Bartlett
>
> > 2018-03-22 21:05 GMT+01:00 Justin Foreman <jforeman@dignitastechnologies.com>:
> > > Fabien,
> > >
> > > The way that we've accomplished this was to ensure that all users have the "Store passwords using reversible encryption" (which is not optimal) and use a utility called "samba4-gaps."
> > >
> > > Also:
> > > samba-tool domain passwordsettings set --store-plaintext=on
> > >
> > > Works perfectly.
> > >
> > > https://github.com/baboons/samba4-gaps
> > >
> > > Justin
> > >
> > > > On Mar 22, 2018, at 3:58 PM, Lapin Blanc via samba <samba at lists.samba.org> wrote:
> > > >
> > > > I'm trying to have my Samba 4 AD DC users mapped and synchronized with google apps for education accounts.
> > > > I would like to start from the native windows password update procedure to eventually update the google apps password (actually, I think only some types of hashes are stored).
> > > >
> > > > Google actually provides a tool to synchronize user accounts and profiles which works just fine. This tool queries an LDAP directory, extracts relevant information and syncs it with google apps.
> > > > It would also synchronize passwords if they were in the LDAP directory.
> > > > Actually, if I manually set a "userPassword" attribute for a user, using an MD5 hash for example, synchronization works just fine and the google apps account gets updated.
> > > >
> > > > Alas, if I get it right, Samba 4 acting as an AD DC uses its own internal LDAP server and also a default Heimdal implementation of Kerberos, also included in Samba. Thus, the password (or its hash) doesn't get stored in the LDAP directory (correct me if I'm wrong).
> > > >
> > > > I found smbkrb5pwd which is an OpenLDAP (slapd) overlay to change LDAP, Samba and MIT Kerberos passwords at the same time. (Then the password hash would end up in the directory, where I could synchronize from). But I guess I can't use it for Samba's internal LDAP server.
> > > >
> > > > I've also investigated how and where Samba stores domain users' passwords, but I have difficulty tracking the update procedure... Is there somewhere I could "intercept" or "get" the password or a usable hash from?
> > > >
> > > > Sorry for my poor English, I'm basically speaking French, and hope I've made myself clear...
> > > >
> > > > Thank you
> > > >
> > > > Fabien Toune
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
Andrew Bartlett
2018-Mar-22 23:31 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
On Thu, 2018-03-22 at 23:48 +0100, Lapin Blanc via samba wrote:
> Hello, and thank you for the answer. I'm quite new to Samba, and when you speak about Samba storing a crypt() password hash and about the virtualCryptSHA256 attribute I get the general meaning, but not the way to get to that information.
> Would you have any pointer on where I could learn more about that? I found discussions about some patches from Stefan Metzmacher in the mailing lists, is this what you mean?
> Google only accepts plain text, Base64, MD5 or SHA1, I don't know if I'll find a consensus.
> Btw, I'll keep trying and keep you informed...

See this for crypt() support:
https://developers.google.com/admin-sdk/directory/v1/reference/users/update#hashFunction

Thanks,

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
Lapin Blanc
2018-Mar-25 19:19 UTC
[Samba] Google Cloud Directory Service password synchronization for AD DC
Hello again, and thank you so much for that valuable information, I'm progressing well.
Google accepts crypt hashes, and I've managed with Garming's advice to get hashes when passwords get updated.
I've only one small question at this point, the hash seems to be printed spanning two lines, with a line break and a few spaces in the middle of the hash... Is this normal? e.g.:

INFO : dn: CN=pierre,CN=Users,DC=educonsult,DC=intra
INFO : objectGUID: 9838c793-67f3-4e68-b362-f939e517313e
INFO : objectSid: S-1-5-21-1504766521-268068577-265870750-1104
INFO : sAMAccountName: pierre
INFO : userAccountControl: 512
INFO : pwdLastSet: 131664785101680280
INFO : msDS-KeyVersionNumber: 4
INFO : virtualCryptSHA512: {CRYPT}$6$3WZAFpbFo5J6n2rS$tmDWcZEkgO5e89c5yBnyEYWamNi40CI
INFO :  32FermFcq3VweLGmR2qfsdjxbs0RiYJ6jrvWzlpIMDJMI1fSg8923t0
INFO :

Thanks!

2018-03-23 0:31 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:
> See this for crypt() support:
> https://developers.google.com/admin-sdk/directory/v1/reference/users/update#hashFunction
>
> Thanks,
>
> Andrew Bartlett
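The two-line hash in the post above is standard LDIF line folding (RFC 2849: a long attribute value is wrapped, and each continuation line starts with a single space), so the value has to be unfolded before it is used. Added example, not code from the thread or from Samba: it unfolds the logged LDIF lines (constructed from the excerpt above; the "INFO : " prefix is assumed to come from the poster's own sync script), checks that the result is a complete SHA-512 crypt string before building the hashFunction/password body for the Google Directory API users.update call Andrew linked, and refuses a still-wrapped, truncated hash.

```python
import re

# Log lines constructed from the post above; "INFO : " is assumed to be
# the poster's own logging prefix, the rest is Samba's LDIF output.
LOG_LINES = [
    "INFO : dn: CN=pierre,CN=Users,DC=educonsult,DC=intra",
    "INFO : sAMAccountName: pierre",
    "INFO : virtualCryptSHA512: {CRYPT}$6$3WZAFpbFo5J6n2rS$tmDWcZEkgO5e89c5yBnyEYWamNi40CI",
    "INFO :  32FermFcq3VweLGmR2qfsdjxbs0RiYJ6jrvWzlpIMDJMI1fSg8923t0",
    "INFO : ",
]

LOG_PREFIX = "INFO : "
ATTR = "virtualCryptSHA512: "
# $6$ is SHA-512 crypt: up to 16 salt chars, then exactly 86 crypt-base64
# chars (64 hash bytes). Anything shorter is a wrapped/truncated value.
CRYPT_SHA512 = re.compile(r"^\$6\$([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{86})$")


def unfold_ldif(lines, prefix=LOG_PREFIX):
    """Strip the log prefix and join LDIF continuation lines onto the
    previous line. RFC 2849 removes exactly one leading space; crypt
    output never contains spaces, so stripping all of them is safe here."""
    out = []
    for raw in lines:
        line = raw[len(prefix):] if raw.startswith(prefix) else raw
        if line.startswith(" ") and out:
            out[-1] += line.lstrip()
        elif line.strip():
            out.append(line)
    return out


def extract_crypt_hash(ldif_lines):
    """Return the crypt(3) string without Samba's {CRYPT} marker, or None."""
    for line in ldif_lines:
        if line.startswith(ATTR):
            value = line[len(ATTR):]
            return value[len("{CRYPT}"):] if value.startswith("{CRYPT}") else value
    return None


def parse_sha512_crypt(hash_str):
    """Validate the $6$salt$hash shape; return (salt, hash) or raise."""
    m = CRYPT_SHA512.match(hash_str or "")
    if not m:
        raise ValueError("not a complete SHA-512 crypt hash (still line-wrapped?)")
    return m.group(1), m.group(2)


def google_password_payload(log_lines):
    """Body for Directory API users.update: hashFunction 'crypt' tells
    Google the password field already holds a crypt(3) hash."""
    crypt_hash = extract_crypt_hash(unfold_ldif(log_lines))
    parse_sha512_crypt(crypt_hash)  # never push a truncated hash upstream
    return {"hashFunction": "crypt", "password": crypt_hash}
```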