Daniel Berteaud
2019-Sep-05 07:37 UTC
[Samba] Set a temporary password on user accounts (samba4)
Hi there.

I'm looking for a way to temporarily change password for some users.

I have a samba4 install in DC mode (running samba 4.8.3), everything is working fine. I'm now migrating an email system which will use samba4 auth (Zimbra, but doesn't matter here).

I'd like to set a temp password, so I can migrate imap trees with imapsync or similar, then, when everything is done, restore the previous password of the users (without forcing them to reset it).

I've read this thread: https://lists.samba.org/archive/samba/2017-April/207637.html. So, it should be possible to backup the unicodePwd attr, then restore it and wipe supplementalCredentials. But, I'd prefer being able to generate AES kerb tickets (as users do not change their password often).

Can I backup the whole user entry, and restore it later? Or just a set of attributes? Only supplementalCredentials and unicodePwd are enough?

In the SMB 3 days, I could just backup hashes from /etc/shadow and /etc/smb/smbpasswd (or OpenLDAP depending on the backend) and then restore them, it was easy.

Cheers,
Daniel
Rowland Penny
2019-Sep-05 10:38 UTC
On 05/09/2019 08:37, Daniel Berteaud via samba wrote:
> Hi there.
>
> I'm looking for a way to temporarily change password for some users.
>
> I have a samba4 install in DC mode (running samba 4.8.3), everything is
> working fine. I'm now migrating an email system which will use samba4
> auth (Zimbra, but doesn't matter here).
>
> I'd like to set a temp password, so I can migrate imap trees with
> imapsync or similar, then, when everything is done, restore the previous
> password of the users (without forcing them to reset it).
>
> I've read this thread:
> https://lists.samba.org/archive/samba/2017-April/207637.html. So, it
> should be possible to backup the unicodePwd attr, then restore it and
> wipe supplementalCredentials. But, I'd prefer being able to generate AES
> kerb tickets (as users do not change their password often).
>
> Can I backup the whole user entry, and restore it later? Or just a set
> of attributes? Only supplementalCredentials and unicodePwd are enough?

No, you cannot backup and restore the entire AD object, a lot of the attributes are only writeable by the system.

You can certainly try to do what you propose, but I think your best option would be to change the users' password, do your imap migration, then change the password again with 'must change password at next logon', not really what you want to do.

> In the SMB 3 days, I could just backup hashes from /etc/shadow and
> /etc/smb/smbpasswd (or OpenLDAP depending on the backend) and then
> restore them, it was easy.

And a lot less secure ;-)

Rowland
Daniel Berteaud
2019-Sep-05 10:43 UTC
On 05/09/2019 at 12:38, Rowland Penny via samba wrote:
>> Can I backup the whole user entry, and restore it later? Or just a set
>> of attributes? Only supplementalCredentials and unicodePwd are enough?
>
> No, you cannot backup and restore the entire AD object, a lot of the
> attributes are only writeable by the system.

Even with ldbmodify?

> You can certainly try to do what you propose, but I think your best
> option would be to change the users' password, do your imap migration,
> then change the password again with 'must change password at next
> logon', not really what you want to do.

Yep, that's the easy path, but I'd like to avoid it. In this case it's for a one-shot imap migration, but I sometimes have to impersonate a user for debugging purposes, and being able to restore the previous password without bothering users with a password reset is a must.

>> In the SMB 3 days, I could just backup hashes from /etc/shadow and
>> /etc/smb/smbpasswd (or OpenLDAP depending on the backend) and then
>> restore them, it was easy.
>
> And a lot less secure ;-)

A bit less, but if the DC is compromised, I'm screwed anyway, so ...