Hi,

I'm trying to synchronize user accounts from LDAP to Samba 4 AD (using LSC) but it seems that password update through LDAP is not allowed.

I failed to find details about it, but can someone confirm that unicodePwd cannot be read / written through an LDAPS connection? Is there any workaround?

Regards.

-- 
Sébastien BEAUDLOT
Université d'Avignon et des Pays de Vaucluse - France
On Thu, 27 Sep 2018 12:30:38 +0200 (CEST) Sebastien BEAUDLOT via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I'm trying to synchronize user accounts from LDAP to Samba 4 AD
> (using LSC) but it seems that password update through LDAP is not
> allowed.
>
> I failed to find details about it, but can someone confirm that
> unicodePwd cannot be read / written through an LDAPS connection? Is
> there any workaround?
>
> Regards.
>

No, you cannot read the unicode password over the wire, but there is always samba-tool ;-)

read 'samba-tool user syncpasswords --help'

Rowland
Thank you.

"syncpasswords" seems useful to push passwords from Samba to something. I need to do it the other way: push passwords from OpenLDAP to Samba.

-- 
Sébastien BEAUDLOT
Université d'Avignon et des Pays de Vaucluse
--

----- Original Message -----
From: "samba" <samba at lists.samba.org>
To: "samba" <samba at lists.samba.org>
Sent: Thursday 27 September 2018 13:05:41
Subject: Re: [Samba] Synchronizing passwords to Samba 4

> On Thu, 27 Sep 2018 12:30:38 +0200 (CEST) Sebastien BEAUDLOT via samba <samba at lists.samba.org> wrote:
>> Hi,
>>
>> I'm trying to synchronize user accounts from LDAP to Samba 4 AD
>> (using LSC) but it seems that password update through LDAP is not
>> allowed.
>>
>> I failed to find details about it, but can someone confirm that
>> unicodePwd cannot be read / written through an LDAPS connection? Is
>> there any workaround?
>>
>> Regards.
>>
>
> No, you cannot read the unicode password over the wire, but there is
> always samba-tool ;-)
>
> read 'samba-tool user syncpasswords --help'
>
> Rowland
On Thu, 2018-09-27 at 12:30 +0200, Sebastien BEAUDLOT via samba wrote:
> Hi,
>
> I'm trying to synchronize user accounts from LDAP to Samba 4 AD
> (using LSC) but it seems that password update through LDAP is not
> allowed.
>
> I failed to find details about it, but can someone confirm that
> unicodePwd cannot be read / written through an LDAPS connection?
> Is there any workaround?

What type of password do you have? A hash of some kind, the plaintext?

An administrative password reset is possible over LDAP using unicodePwd and userPassword (if configured), if you have the plaintext.

Injecting hashes is harder, requires local DB access and needs more care.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
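The administrative reset Andrew mentions works because unicodePwd is a write-only attribute: a DC never returns it on a search (which is why a sync tool cannot copy it), but it accepts a new value when the session is encrypted and the value is sent in the exact form AD expects. The following is an added example, not code from the thread, from Samba or from LSC; it assumes the ldap3 library for the actual connection, that the bind account holds the reset-password right on the target object, and that the host and DN values are placeholders. The encoding and transport checks run without any directory at all.

```python
"""Administrative password reset over LDAPS via unicodePwd (added example).

Assumptions not stated in the thread: ldap3 is the client library, the
bind account may reset the target user's password, and all host/DN
strings are placeholders.
"""
from __future__ import annotations

from urllib.parse import urlparse


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire format: the password wrapped in double quotes, UTF-16-LE.

    A value that is not quoted, or not UTF-16-LE, is refused by the DC; this
    is the usual reason a 'reset over LDAP' fails with a constraint error.
    """
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, for checking what a client would send."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted unicodePwd value")
    return text[1:-1]


def check_transport(uri: str, start_tls: bool = False) -> str:
    """Refuse plaintext LDAP: the DC rejects unicodePwd on an unencrypted
    session, and the plaintext password would cross the wire in the clear."""
    scheme = urlparse(uri).scheme.lower()
    if scheme == "ldaps" or (scheme == "ldap" and start_tls):
        return scheme
    raise ValueError(f"unicodePwd requires LDAPS or StartTLS, got {uri!r}")


def build_admin_reset(new_password: str) -> dict:
    """ldap3 'changes' dict for an administrative reset: a single
    MODIFY_REPLACE. No old password is needed, only the reset right."""
    return {"unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])]}


def build_user_change(old_password: str, new_password: str) -> dict:
    """ldap3 'changes' dict for a user-initiated change: delete the old value
    and add the new one in the same modify, which is how AD proves the caller
    knows the current password."""
    return {
        "unicodePwd": [
            ("MODIFY_DELETE", [encode_unicode_pwd(old_password)]),
            ("MODIFY_ADD", [encode_unicode_pwd(new_password)]),
        ]
    }


def reset_password(uri: str, bind_dn: str, bind_password: str,
                   user_dn: str, new_password: str,
                   start_tls: bool = False) -> bool:
    """Run the reset with ldap3 (imported here so the helpers above work
    even where the library is not installed)."""
    import ldap3  # assumption: ldap3 is available on the machine running this

    check_transport(uri, start_tls)
    server = ldap3.Server(uri, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=bind_dn, password=bind_password)
    if start_tls:
        conn.start_tls()
    if not conn.bind():
        raise RuntimeError(f"bind failed: {conn.result}")
    ok = conn.modify(user_dn, build_admin_reset(new_password))
    if not ok:
        raise RuntimeError(f"modify failed: {conn.result}")
    conn.unbind()
    return ok


if __name__ == "__main__":
    # Placeholder values; nothing is sent anywhere in this demo.
    print(encode_unicode_pwd("Example-P4ss").hex())
    print(build_admin_reset("Example-P4ss"))
    # reset_password("ldaps://dc.example.invalid", "CN=svc-sync,CN=Users,DC=example,DC=invalid",
    #                "<bind-password>", "CN=jdoe,CN=Users,DC=example,DC=invalid", "Example-P4ss")
```

In production the `ldap3.Server` call should also carry a `tls=ldap3.Tls(...)` object that validates the DC certificate against your CA, otherwise the LDAPS check above only guarantees encryption, not that you are talking to the right DC. The reset path also sets "password last set" to now; if you want users forced to change the synced password on first logon, that is a separate pwdLastSet modification and not covered here.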
Hi Sébastien,

>> I'm trying to synchronize user accounts from LDAP to Samba 4 AD
>> (using LSC) but it seems that password update through LDAP is not
>> allowed.
>>
>> I failed to find details about it, but can someone confirm that
>> unicodePwd cannot be read / written through an LDAPS connection? Is
>> there any workaround?

The unicodePwd attribute is not used by AD. Active Directory uses multiple Kerberos hashes with different encryption types and an NTLM hash, and they are stored in the supplementalCredentials attribute (which is neither readable nor writable directly through LDAP).

If you want to pipe a password hash from an OpenLDAP to a Samba-AD, the only solution is to have the NTLM hash and use the pdbedit --set-nt-hash command line on the domain controller. It will store the NTLM hash and create a derivative Kerberos hash from that NTLM hash.

Another solution is to use a web GUI for password change and change the password both in OpenLDAP and Samba-AD from that web GUI script.

If it is possible to let Samba-AD handle all password changes, then you can ask Samba to create different password hashes when someone changes their password from their Windows workstation. Then you can pipe the hashes into OpenLDAP from the Samba-AD.

Cheers,

Denis

>>
>> Regards.
>>
>
> No, you cannot read the unicode password over the wire, but there is
> always samba-tool ;-)
>
> read 'samba-tool user syncpasswords --help'
>
> Rowland
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr