Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] How to manage users with encrypted passwords
484 views
Skip to first unread message
Benjamin Rocton
Jun 12, 2014, 6:00:02 AM6/12/14
to
Hello,
I set up Samba4 to replace our Samba3. I am having problems to populate
samba4 and automatically manage the lifecycle of users.
All of our users are already in an LDAP directory and I would like to
create a connector for "synchronised" LDAP users to Samba4.
I thought to develop a script that would use Python libraries of Samba-tool.
I have a problem to manage passwords.
I can not have access to user passwords in clear text. But I can have it
in any encrypted form.
Are there a solution to push a Hash password to Samba4? If yes, what
kind of Hash?
In addition, where are stored the passwords in Samba4? Only in the LDAP?
In kerberos? Elsewhere?
In what form?
I did not find any info on it.
Thank you for your help.
Regards,
Benjamin
--
Benjamin Rocton
Université Pierre Mendès France
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
I set up Samba4 to replace our Samba3. I am having problems to populate
samba4 and automatically manage the lifecycle of users.
All of our users are already in an LDAP directory and I would like to
create a connector for "synchronised" LDAP users to Samba4.
I thought to develop a script that would use Python libraries of Samba-tool.
I have a problem to manage passwords.
I can not have access to user passwords in clear text. But I can have it
in any encrypted form.
Are there a solution to push a Hash password to Samba4? If yes, what
kind of Hash?
In addition, where are stored the passwords in Samba4? Only in the LDAP?
In kerberos? Elsewhere?
In what form?
I did not find any info on it.
Thank you for your help.
Regards,
Benjamin
--
Benjamin Rocton
Université Pierre Mendès France
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
Jun 12, 2014, 6:30:02 AM6/12/14
to
On 12/06/14 10:52, Benjamin Rocton wrote:
> Hello,
>
> I set up Samba4 to replace our Samba3. I am having problems to
> populate samba4 and automatically manage the lifecycle of users.
> All of our users are already in an LDAP directory and I would like to
> create a connector for "synchronised" LDAP users to Samba4.
> I thought to develop a script that would use Python libraries of
> Samba-tool.
>
> I have a problem to manage passwords.
> I can not have access to user passwords in clear text. But I can have
> it in any encrypted form.
> Are there a solution to push a Hash password to Samba4? If yes, what
> kind of Hash?
>
> In addition, where are stored the passwords in Samba4? Only in the
> LDAP? In kerberos? Elsewhere?
> In what form?
> I did not find any info on it.
>
> Thank you for your help.
>
> Regards,
> Benjamin
>
Hi, when you say 'I set up Samba4 to replace our Samba3.' just how have
> Hello,
>
> I set up Samba4 to replace our Samba3. I am having problems to
> populate samba4 and automatically manage the lifecycle of users.
> All of our users are already in an LDAP directory and I would like to
> create a connector for "synchronised" LDAP users to Samba4.
> I thought to develop a script that would use Python libraries of
> Samba-tool.
>
> I have a problem to manage passwords.
> I can not have access to user passwords in clear text. But I can have
> it in any encrypted form.
> Are there a solution to push a Hash password to Samba4? If yes, what
> kind of Hash?
>
> In addition, where are stored the passwords in Samba4? Only in the
> LDAP? In kerberos? Elsewhere?
> In what form?
> I did not find any info on it.
>
> Thank you for your help.
>
> Regards,
> Benjamin
>
you setup samba4 ? Have you used samba4 just like samba3 or have you set
up an AD DC ?
Once you answer the above, I am sure that we can move on to help you get
to a working solution.
Rowland
Benjamin Rocton
Jun 12, 2014, 7:00:02 AM6/12/14
to
Hi,
I do not really understand your question. What is the difference?
I thought samba4 was necessarily an emulation of an AD DC. This is not
the case?
I installed two Samba4 DC for tests:
- One with the "samba-tool domain provision" (server role "dc" ldap
internal).
- And another with "samba-tool domain samba3upgrade ..." to import the
data from the current Samba3.
The goal is to have a Samba4 AD DC.
I do not know if I answered the question. Sorry.
Benjamin
I do not really understand your question. What is the difference?
I thought samba4 was necessarily an emulation of an AD DC. This is not
the case?
I installed two Samba4 DC for tests:
- One with the "samba-tool domain provision" (server role "dc" ldap
internal).
- And another with "samba-tool domain samba3upgrade ..." to import the
data from the current Samba3.
The goal is to have a Samba4 AD DC.
I do not know if I answered the question. Sorry.
Benjamin
Rowland Penny
Jun 12, 2014, 7:20:01 AM6/12/14
to
On 12/06/14 11:54, Benjamin Rocton wrote:
> Hi,
>
> I do not really understand your question. What is the difference?
A great deal actually, samba4 can do anything that samba3 can do PLUS it
> Hi,
>
> I do not really understand your question. What is the difference?
can be set up to be an Active Directory domain controller.
> I thought samba4 was necessarily an emulation of an AD DC. This is not
> the case?
>
> I installed two Samba4 DC for tests:
> - One with the "samba-tool domain provision" (server role "dc" ldap
> internal).
> - And another with "samba-tool domain samba3upgrade ..." to import the
> data from the current Samba3.
>
to run is:
samba-tool domain classicupgrade
This should extract the info from your S3 PDC and provision S4.
I would suggest that you go and read the samba wiki, specifically this page:
https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
I would also hope that you are doing this in a test situation i.e. not
in production.
> The goal is to have a Samba4 AD DC.
>
> I do not know if I answered the question. Sorry.
Rowland
Benjamin Rocton
Jun 12, 2014, 7:50:01 AM6/12/14
to
Thank you for your reply.
I read the wiki about classiqueupgrade (this is the same as samba3upgrade).
I have no problem to provision samba4 with classicupgrade. It works well
and I get my users.
My problem is "after". how I create new users, how do I delete old
users. I will not re-provision with "classicupgrade" every night for a
Samba4 updated.
And I do not want this to be done manually on Samba4. There are too many
changes.
In summary:
I have an LDAP repository (openldap) with a home regimen. It contains
all the users and their encrypted passwords.
I want to regularly update Samba4 with the information contained in the
LDAP.
I don't know if I'm clear. I don't speak English very well.
Benjamin
I read the wiki about classiqueupgrade (this is the same as samba3upgrade).
I have no problem to provision samba4 with classicupgrade. It works well
and I get my users.
My problem is "after". how I create new users, how do I delete old
users. I will not re-provision with "classicupgrade" every night for a
Samba4 updated.
And I do not want this to be done manually on Samba4. There are too many
changes.
In summary:
I have an LDAP repository (openldap) with a home regimen. It contains
all the users and their encrypted passwords.
I want to regularly update Samba4 with the information contained in the
LDAP.
I don't know if I'm clear. I don't speak English very well.
Benjamin
Rowland Penny
Jun 12, 2014, 8:10:03 AM6/12/14
to
On 12/06/14 12:46, Benjamin Rocton wrote:
> Thank you for your reply.
>
> I read the wiki about classiqueupgrade (this is the same as
> samba3upgrade).
> I have no problem to provision samba4 with classicupgrade. It works
> well and I get my users.
> My problem is "after". how I create new users, how do I delete old
> users. I will not re-provision with "classicupgrade" every night for a
> Samba4 updated.
> And I do not want this to be done manually on Samba4. There are too
> many changes.
> In summary:
> I have an LDAP repository (openldap) with a home regimen. It contains
> all the users and their encrypted passwords.
> I want to regularly update Samba4 with the information contained in
> the LDAP.
>
> I don't know if I'm clear. I don't speak English very well.
>
> Benjamin
>
I think that you are being very clear.
> Thank you for your reply.
>
> I read the wiki about classiqueupgrade (this is the same as
> samba3upgrade).
> I have no problem to provision samba4 with classicupgrade. It works
> well and I get my users.
> My problem is "after". how I create new users, how do I delete old
> users. I will not re-provision with "classicupgrade" every night for a
> Samba4 updated.
> And I do not want this to be done manually on Samba4. There are too
> many changes.
> In summary:
> I have an LDAP repository (openldap) with a home regimen. It contains
> all the users and their encrypted passwords.
> I want to regularly update Samba4 with the information contained in
> the LDAP.
>
> I don't know if I'm clear. I don't speak English very well.
>
> Benjamin
>
Lets see if I get this correct:
You have extracted all your users, groups and computers from your
openldap and by using 'classicupgrade', have inserted them into your new
samba4 AD DC.
You still want to use your openldap machine AND the new samba4 AD dc,
why?????
If the upgrade went correctly, turn off the openldap machine, you do not
need it anymore.
Rowland
Allen Chen
Jun 12, 2014, 8:50:01 AM6/12/14
to
"classicupgrade". it works fine.
Most information are imported to S4 internal LDAP. I said most
information are imported, so I have to keep openldap up and running for
other usage.
I can use a script made by myself to sync some of the attributes between
openldap and S4 ldap.
My script calls samba-tool to handle S4 LDAP change, but I cannot change
some attributes with samba-tool, like primaryGroupID.
Also from my reading on the list, if I change it with "ldbedit", I may
end up with a crashed internal DB if two AD DCs are deployed..
Right now, all of the users have the same primaryGroupID 513, I don't
know if it's normal or not. I think I don't use this attribute. I use AD
DC just for authentication.
Allen
Benjamin Rocton
Jun 12, 2014, 9:00:03 AM6/12/14
to
I have two LDAP:
One that contains all users and facts for the information system. Not
only information for DC. _It is not____specified____or controlled____by
me_, I only need to use the information it contains to create the right
users in my domain.
Another for samba3, with samba3 scheme. it will disappear when samba4
will be in production. Currently it is synchronized with the first LDAP
through LDAP scripts homemade.I would like to reproduce this behavior
with samba4.
Benjamin
One that contains all users and facts for the information system. Not
only information for DC. _It is not____specified____or controlled____by
me_, I only need to use the information it contains to create the right
users in my domain.
Another for samba3, with samba3 scheme. it will disappear when samba4
will be in production. Currently it is synchronized with the first LDAP
through LDAP scripts homemade.I would like to reproduce this behavior
with samba4.
Benjamin
Stéphane PURNELLE
Jun 12, 2014, 9:10:02 AM6/12/14
to
OK...
One ldap server with some data
One DC (samba 4) with auto creation/modify from ldap server.
For me, just do a script (scheduled with crontab) read information from
ldap
and use samba-tool for modify/create user
but you need to extract passwd from ldap server for use it in your script
regarsds
Stéphane Purnelle
-----------------------------------
Stéphane PURNELLE Admin. Systèmes et Réseaux
Service Informatique Corman S.A. Tel : 00 32 (0)87/342467
samba-...@lists.samba.org wrote on 12/06/2014 14:55:14:
> De : Benjamin Rocton <Benjami...@upmf-grenoble.fr>
> A : sa...@lists.samba.org,
> Date : 12/06/2014 14:55
> Objet : Re: [Samba] How to manage users with encrypted passwords
> Envoyé par : samba-...@lists.samba.org
One ldap server with some data
One DC (samba 4) with auto creation/modify from ldap server.
For me, just do a script (scheduled with crontab) read information from
ldap
and use samba-tool for modify/create user
but you need to extract passwd from ldap server for use it in your script
regarsds
Stéphane Purnelle
-----------------------------------
Stéphane PURNELLE Admin. Systèmes et Réseaux
Service Informatique Corman S.A. Tel : 00 32 (0)87/342467
samba-...@lists.samba.org wrote on 12/06/2014 14:55:14:
> De : Benjamin Rocton <Benjami...@upmf-grenoble.fr>
> A : sa...@lists.samba.org,
> Date : 12/06/2014 14:55
> Objet : Re: [Samba] How to manage users with encrypted passwords
> Envoyé par : samba-...@lists.samba.org
Benjamin Rocton
Jun 12, 2014, 9:20:02 AM6/12/14
to
Hi,
Yes, but I do not have the passwords in clear text in the LDAP. I can
only have the encrypted password. And it does not seem that we can use
samba-tool with an encrypted password?
Benjamin
--
Benjamin Rocton
Université Pierre Mendès France
Yes, but I do not have the passwords in clear text in the LDAP. I can
only have the encrypted password. And it does not seem that we can use
samba-tool with an encrypted password?
Benjamin
--
Benjamin Rocton
Université Pierre Mendès France
Stéphane PURNELLE
Jun 12, 2014, 9:50:03 AM6/12/14
to
How is the password in ldap ?
You can use in samba DC tools like ldbsearch and ldbmodify for password
part.
But this is dangerous (ldbmodify) and password must have the same
encryption.
Hope that you can do some tests before production
-----------------------------------
Stéphane PURNELLE Admin. Systèmes et Réseaux
Service Informatique Corman S.A. Tel : 00 32 (0)87/342467
Benjamin Rocton <Benjami...@upmf-grenoble.fr> wrote on 12/06/2014
15:13:40:
> De : Benjamin Rocton <Benjami...@upmf-grenoble.fr>
> A : Stéphane PURNELLE <stephane...@corman.be>,
> Cc : sa...@lists.samba.org
> Date : 12/06/2014 15:13
You can use in samba DC tools like ldbsearch and ldbmodify for password
part.
But this is dangerous (ldbmodify) and password must have the same
encryption.
Hope that you can do some tests before production
-----------------------------------
Stéphane PURNELLE Admin. Systèmes et Réseaux
Service Informatique Corman S.A. Tel : 00 32 (0)87/342467
15:13:40:
> De : Benjamin Rocton <Benjami...@upmf-grenoble.fr>
> A : Stéphane PURNELLE <stephane...@corman.be>,
> Cc : sa...@lists.samba.org
> Date : 12/06/2014 15:13
Rowland Penny
Jun 12, 2014, 10:00:02 AM6/12/14
to
On 12/06/14 13:55, Benjamin Rocton wrote:
> I have two LDAP:
> One that contains all users and facts for the information system. Not
> only information for DC. _It is not____specified____or
> controlled____by me_, I only need to use the information it contains
> to create the right users in my domain.
> Another for samba3, with samba3 scheme. it will disappear when samba4
> will be in production. Currently it is synchronized with the first
> LDAP through LDAP scripts homemade.I would like to reproduce this
> behavior with samba4.
>
>
OK, you are extracting users and their associated info from one LDAP and
> I have two LDAP:
> One that contains all users and facts for the information system. Not
> only information for DC. _It is not____specified____or
> controlled____by me_, I only need to use the information it contains
> to create the right users in my domain.
> Another for samba3, with samba3 scheme. it will disappear when samba4
> will be in production. Currently it is synchronized with the first
> LDAP through LDAP scripts homemade.I would like to reproduce this
> behavior with samba4.
>
>
using this to create users on another LDAP, which works for you.
You are now trying to upgrade to samba4 AD and having problems
extracting clear text passwords from your first LDAP machine, I think
that the only way that this is going to work is by actually 'cracking'
the user passwords!!!
I think that in this instance, you need to forget using samba4 in AD
mode and just set it up as your original S3 machine was.
I do not know how the passwords are stored on the LDAP you are trying to
extract them from, it could be SSHA or similar, but AD stores them as
unicode encrypted and they are, I believe, stored in 'write-only'
attributes.
Rowland
Steve Thompson
Jun 12, 2014, 10:00:02 AM6/12/14
to
On Thu, 12 Jun 2014, Benjamin Rocton wrote:
> Yes, but I do not have the passwords in clear text in the LDAP. I can only
> have the encrypted password. And it does not seem that we can use samba-tool
> with an encrypted password?
If you have the sambaNTPassword value from Samba3's LDAP database, you can
> Yes, but I do not have the passwords in clear text in the LDAP. I can only
> have the encrypted password. And it does not seem that we can use samba-tool
> with an encrypted password?
migrate that to the unicodePW field in Samba4's LDAP database by
converting it with this short Python script:
#!/usr/bin/env python
import base64
import binascii
import sys
ldap_samba_nt_password = sys.argv[1]
b64_hash = base64.b64encode(binascii.a2b_hex(ldap_samba_nt_password))
print b64_hash
which takes sambaNTPassword as an argument and prints unicodePwd on
standard out. Write that to Samba4 with ldbmodify:
# ldbmodify -H /whatever/private/sam/ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
dn: CN=$name,CN=Users,DC=....
changetype: modify
replace: unicodePwd
unicodePwd:: <value from python script>
-
EOF
I used this technique for about 2000 users with no problems.
Steve
Benjamin Rocton
Jun 12, 2014, 6:20:01 PM6/12/14
to
Hello,
I set up Samba4 to replace our Samba3. I am having problems to populate
samba4 and automatically manage the lifecycle of users.
All of our users are already in an LDAP directory and I would like to
create a connector for "synchronised" LDAP users to Samba4.
I thought to develop a script that would use Python libraries of Samba-tool.
I have a problem to manage passwords.
I can not have access to user passwords in clear text. But I can have it
in any encrypted form.
Are there a solution to push a Hash password to Samba4? If yes, what
kind of Hash?
In addition, where are stored the passwords in Samba4? Only in the LDAP?
In kerberos? Elsewhere?
In what form?
I did not find any info on it.
Thank you for your help.
Regards,
Benjamin
I set up Samba4 to replace our Samba3. I am having problems to populate
samba4 and automatically manage the lifecycle of users.
All of our users are already in an LDAP directory and I would like to
create a connector for "synchronised" LDAP users to Samba4.
I thought to develop a script that would use Python libraries of Samba-tool.
I have a problem to manage passwords.
I can not have access to user passwords in clear text. But I can have it
in any encrypted form.
Are there a solution to push a Hash password to Samba4? If yes, what
kind of Hash?
In addition, where are stored the passwords in Samba4? Only in the LDAP?
In kerberos? Elsewhere?
In what form?
I did not find any info on it.
Thank you for your help.
Regards,
Benjamin
--
Benjamin Rocton
Université Pierre Mendès France
Benjamin Rocton
Université Pierre Mendès France
Andrew Bartlett
Jun 12, 2014, 9:10:01 PM6/12/14
to
the classicupgrade tool refined to have a --resync mode for this kind of
thing. We could even check the password last set time to determine
which password is 'correct'.
In the meantime, doing something like this is the right appraoch.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
0 new messages