Sven Schwedas
2022-Apr-08 09:28 UTC
[Samba] Synchronizing user passwords between Samba AD and Google Workspace
Google offers a Windows binary to sync Active Directory passwords to Google Workspace via their API. Does anyone have a solution for this that works with native Samba?

As far as I can see there are two options:

- something something gpg and samba-tool user syncpasswords. Manpages tell me this is the preferred solution, but nowhere document how to make it work. And it leaks plain text passwords if anyone steals the GPG key, which isn't great anyway.

- If I set `password hash userPassword schemes = CryptSHA512:rounds=10000`, I can sync the value of `supplementalCredentials` directly to the workspace API without having the plaintext anywhere, as far as I understand Google's Directory API.

But I can't find any practical examples for either solution. Does anyone have experience with either and can weigh in on which would be easier?

("Why do you need Google synchronisation in the first place?" Politics. It's either syncing Samba to GW, or losing all control over our user data entirely, so I'd prefer to keep Samba around. Getting rid of Google isn't an option currently.)
Andrew Bartlett
2022-Apr-08 10:45 UTC
[Samba] Synchronizing user passwords between Samba AD and Google Workspace
On Fri, 2022-04-08 at 11:28 +0200, Sven Schwedas via samba wrote:

> Google offers a Windows binary to sync Active Directory passwords to Google Workspace via their API. Does anyone have a solution for this that works with native Samba?
>
> As far as I can see there are two options:
>
> - something something gpg and samba-tool user syncpasswords. Manpages tell me this is the preferred solution, but nowhere document how to make it work. And it leaks plain text passwords if anyone steals the GPG key, which isn't great anyway.
>
> - If I set `password hash userPassword schemes = CryptSHA512:rounds=10000`, I can sync the value of `supplementalCredentials` directly to the workspace API without having the plaintext anywhere, as far as I understand Google's Directory API.
>
> But I can't find any practical examples for either solution. Does anyone have experience with either and can weigh in on which would be easier?
>
> ("Why do you need Google synchronisation in the first place?" Politics. It's either syncing Samba to GW, or losing all control over our user data entirely, so I'd prefer to keep Samba around. Getting rid of Google isn't an option currently.)

It won't be the value of supplementalCredentials directly, it is accessed via the same samba-tool user syncpasswords system, but avoids the need for the GPG stuff and the plaintext store.

As long as you know what hash you need at password store time, I think the 'password hash userPassword schemes' approach is better (but then again, that was my addition).

https://github.com/baboons/samba4-gaps looks like a tool trying to do the right things.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
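The hash-only path discussed in both messages, as an added example that is not from the thread, from Samba or from Google: a Python consumer for `samba-tool user syncpasswords --script` that reads the LDIF record Samba hands it on stdin, takes the stored SHA-512 crypt hash and builds the Workspace Directory API `users.update` body with `hashFunction: "crypt"`, so no plaintext ever leaves the DC. The attribute name `virtualCryptSHA512`, the sample record and the `example.com` domain are assumptions; the script only prints the body it would send.

```python
import base64
import json
import sys

# Constructed sample of the LDIF record a syncpasswords --script consumer
# receives; attribute names are an assumption (see lead-in), hash is fake.
SAMPLE_LDIF = """dn: CN=Alice Example,CN=Users,DC=example,DC=com
sAMAccountName: alice
virtualCryptSHA512: $6$rounds=10000$saltsaltsaltsalt$placeholderhashvalue

"""

GOOGLE_DOMAIN = "example.com"  # assumption: Workspace primary domain


def parse_ldif_record(text):
    """Parse one LDIF record into a dict. Handles '::' base64 values and
    folded continuation lines (a leading space joins to the line above)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a wrapped attribute
        elif raw.strip():
            lines.append(raw)
    rec = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):        # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode()
        rec[attr.strip()] = value.strip()
    return rec


def build_workspace_update(rec):
    """Return (userKey, body) for PUT admin/directory/v1/users/{userKey}.
    hashFunction 'crypt' makes Workspace accept the $6$ hash as-is."""
    h = rec.get("virtualCryptSHA512", "")
    if not h.startswith("$6$"):
        raise ValueError("no SHA-512 crypt hash in record; check "
                         "'password hash userPassword schemes' and rounds")
    user_key = f"{rec['sAMAccountName']}@{GOOGLE_DOMAIN}"
    return user_key, {"password": h, "hashFunction": "crypt"}


if __name__ == "__main__":
    data = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    key, body = build_workspace_update(parse_ldif_record(data))
    print(key, json.dumps(body))   # dry run: nothing is sent to Google
```

Run it with no stdin to see the constructed sample, or pipe a real record into it from the `--script` hook once the attribute name has been confirmed against your Samba version.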