samba - Sep 2019 - Set a temporary password on user accounts (samba4)

Le 05/09/2019 ? 12:38, Rowland penny via samba a ?crit?:
>>
>> Can I backup the whole user entry, and restore it later ? Or just a set
>> of attributes ? Only supplementalCredentials and unicodePwd are enough
?
>
> No, you cannot backup and restore the entire AD object, a lot of the
> attributes are only writeable by the system.

Even with ldbmodify ?

>
> You can certainly try to do what you propose, but I think your best
> option would be to change the users password, do your imap migration,
> then change the password again with 'must change password at next
> logon', not really what you want do.

Yep, that's the easy path, but I'd like to avoid it. In this case
it's
for a one shot imap migration, but I sometime have to impersonate a user
for debuging purpose, and being able to restore the previous password
without bothering users with password reset is a must.

>>
>> In the SMB 3 days, I could just backup hashes from /etc/shadow and
>> /etc/smb/smbpasswd (or OpenLDAP depending on the backend) and then
>> restore them, it was easy.
>
> And a lot less secure ;-)

A bit less, but if the DC is compromised, I'm screwed anyway, so ...

On 05/09/2019 11:43, Daniel Berteaud via samba wrote:
> Le 05/09/2019 ? 12:38, Rowland penny via samba a ?crit?:
>>> Can I backup the whole user entry, and restore it later ? Or just a
set
>>> of attributes ? Only supplementalCredentials and unicodePwd are
enough ?
>> No, you cannot backup and restore the entire AD object, a lot of the
>> attributes are only writeable by the system.
>
> Even with ldbmodify ?
Yes, even with ldbmodify ;-)
>
>
>> You can certainly try to do what you propose, but I think your best
>> option would be to change the users password, do your imap migration,
>> then change the password again with 'must change password at next
>> logon', not really what you want do.
>
> Yep, that's the easy path, but I'd like to avoid it. In this case
it's
> for a one shot imap migration, but I sometime have to impersonate a user
> for debuging purpose, and being able to restore the previous password
> without bothering users with password reset is a must.
Not sure this is a good idea, surely it is better to err on the side of 
security and force a password change, but, as I said, Your way may work, 
give it a try.

Rowland

Le 05/09/2019 ? 13:07, Rowland penny via samba a ?crit?:
>
> Not sure this is a good idea, surely it is better to err on the side
> of security and force a password change, but, as I said, Your way may
> work, give it a try.

I'll try. That's why I ask for which attr might be impacted (unicodePwd
and supplementalCredentials are the only one ?)


Cheers,

Daniel