Daniel Berteaud
2019-Sep-05 10:43 UTC
[Samba] Set a temporary password on user accounts (samba4)
On 05/09/2019 at 12:38, Rowland penny via samba wrote:
>> Can I backup the whole user entry, and restore it later ? Or just a set
>> of attributes ? Only supplementalCredentials and unicodePwd are enough ?
>
> No, you cannot backup and restore the entire AD object, a lot of the
> attributes are only writeable by the system.

Even with ldbmodify ?

> You can certainly try to do what you propose, but I think your best
> option would be to change the user's password, do your imap migration,
> then change the password again with 'must change password at next
> logon', not really what you want to do.

Yep, that's the easy path, but I'd like to avoid it. In this case it's for a one shot imap migration, but I sometimes have to impersonate a user for debugging purposes, and being able to restore the previous password without bothering users with password reset is a must.

>> In the SMB 3 days, I could just backup hashes from /etc/shadow and
>> /etc/smb/smbpasswd (or OpenLDAP depending on the backend) and then
>> restore them, it was easy.
>
> And a lot less secure ;-)

A bit less, but if the DC is compromised, I'm screwed anyway, so ...
Rowland penny
2019-Sep-05 11:07 UTC
[Samba] Set a temporary password on user accounts (samba4)
On 05/09/2019 11:43, Daniel Berteaud via samba wrote:
> On 05/09/2019 at 12:38, Rowland penny via samba wrote:
>>> Can I backup the whole user entry, and restore it later ? Or just a set
>>> of attributes ? Only supplementalCredentials and unicodePwd are enough ?
>> No, you cannot backup and restore the entire AD object, a lot of the
>> attributes are only writeable by the system.
>
> Even with ldbmodify ?

Yes, even with ldbmodify ;-)

>> You can certainly try to do what you propose, but I think your best
>> option would be to change the user's password, do your imap migration,
>> then change the password again with 'must change password at next
>> logon', not really what you want to do.
>
> Yep, that's the easy path, but I'd like to avoid it. In this case it's
> for a one shot imap migration, but I sometimes have to impersonate a user
> for debugging purposes, and being able to restore the previous password
> without bothering users with password reset is a must.

Not sure this is a good idea, surely it is better to err on the side of security and force a password change, but, as I said, your way may work, give it a try.

Rowland
Daniel Berteaud
2019-Sep-05 17:06 UTC
[Samba] Set a temporary password on user accounts (samba4)
On 05/09/2019 at 13:07, Rowland penny via samba wrote:
> Not sure this is a good idea, surely it is better to err on the side
> of security and force a password change, but, as I said, your way may
> work, give it a try.

I'll try. That's why I ask which attrs might be impacted (unicodePwd and supplementalCredentials are the only ones ?)

Cheers,
Daniel