Openldap -> ucs sync


#1

Good afternoon.
I am in the process of implementing a samba4 Domain for my school and had been trying it with simple samba 4 with success.
As for the scenario we already have an openLdap directory with all the users information including an NT Hash Password.
With samba4 I managed to get a sync scenario with lsc-connector and then made the password sync with a script that writes directly into the filesystem.

In the meanwhile I saw that UCS is free for enterprise use and it is a much better solution.

My question is if there is a method to sync passwords from openldap into UCS?

Thanks

Nuno Silva


#2

Hi,
Migrate Existing Samba 3 Installations to UCS 3 with Samba 3 mentions the way you already described:

[quote]To copy the password import the NT Hash using an ldapmodify on the entry sambaNTPassword of the respective user. [/quote].

I don't know if this works for a direct migration to Samba 4. At least it is not documented, see [bug]37838[/bug].

Best Regards,
Dirk Ahrnke


#3

[quote=“ahrnke”]Hi,
Migrate Existing Samba 3 Installations to UCS 3 with Samba 3 mentions the way you already described:

[quote]To copy the password import the NT Hash using an ldapmodify on the entry sambaNTPassword of the respective user. [/quote].

I don't know if this works for a direct migration to Samba 4. At least it is not documented, see [bug]37838[/bug].

Best Regards,
Dirk Ahrnke[/quote]

I have tried this approach but it doesn't work.
Maybe UCS 4 has some extra validations… :confused:
The strange thing is that with a simple samba4 install I was able to do this sync… writing sambaNTPassword directly…

I could try an approach that I saw online… install UCS with samba3, sync, and then upgrade to samba4.
But that is not an option because I will always (at least for a reasonable amount of time) have my user information stored in an external LDAP (OpenLDAP).


#4

[quote=“nrvs@isep.ipp.pt”][quote=“ahrnke”]Hi,
Migrate Existing Samba 3 Installations to UCS 3 with Samba 3 mentions the way you already described:

[quote]To copy the password import the NT Hash using an ldapmodify on the entry sambaNTPassword of the respective user. [/quote].

I don't know if this works for a direct migration to Samba 4. At least it is not documented, see [bug]37838[/bug].

Best Regards,
Dirk Ahrnke[/quote]

I have tried this approach but it doesn't work.
Maybe UCS 4 has some extra validations… :confused:
The strange thing is that with a simple samba4 install I was able to do this sync… writing sambaNTPassword directly…

I could try an approach that I saw online… install UCS with samba3, sync, and then upgrade to samba4.
But that is not an option because I will always (at least for a reasonable amount of time) have my user information stored in an external LDAP (OpenLDAP).[/quote]

I looked around a little more and found that there is a method for password sync from ucs to ucs4:
forge.univention.org/svn/dev/br … _ucs_to_s4

Not being (not even close) a Python expert, I tried to follow the code and it seems it connects to UCS to extract the details for a user account, and the magic happens in
forge.univention.org/svn/dev/br … assword.py

Can anyone shed some light on whether I am in the right direction?

The user creation in UCS 4 will be carried out by another method, but I need to sync the passwords (which are stored in two formats: MD5 hash and sambaNTPassword).

Thanks


#5

Hi,
univention-s4-connector is always installed and used when Samba 4 is installed on UCS.
UCS stores its information by default in OpenLDAP in every scenario. Once you install "Active Directory-compatible Domain Controller" you get Samba 4 in addition to OpenLDAP. The bridge between these 2 worlds is the S4-Connector.

Best Regards,
Dirk Ahrnke


#6

[quote=“ahrnke”]Hi,
univention-s4-connector is always installed and used when Samba 4 is installed on UCS.
UCS stores its information by default in OpenLDAP in every scenario. Once you install "Active Directory-compatible Domain Controller" you get Samba 4 in addition to OpenLDAP. The bridge between these 2 worlds is the S4-Connector.

Best Regards,
Dirk Ahrnke[/quote]

Then by logic, if I update data on the UCS side, it would be synced to Samba by the S4 connector.
As I said, I have sambaNTPassword that I could write directly to the UCS LDAP, but I have tried that and authentication fails on my test client… I think it has to do with krb5Key… if I set sambaNTPassword directly in LDAP, probably no keys derived from the password are generated and that breaks everything… or at least I am still able to log in with the old password, not the new one…

Having sambaNTPassword I can generate unicodePwd to write directly on the Samba side, but that doesn't work either…

Best regards,
Nuno Silva


#7

Migrate Existing Samba 3 Installations to UCS 3 with Samba 3 says:

[quote]
To copy the password import the NT Hash using an ldapmodify on the entry sambaNTPassword of the respective user. When having set the hash for all users start the Kerberos key generation:

/usr/share/univention-heimdal/kerberos_now[/quote]

This solved logon problems for me during migrations.


#8

[quote=“ahrnke”]Migrate Existing Samba 3 Installations to UCS 3 with Samba 3 says:

[quote]
To copy the password import the NT Hash using an ldapmodify on the entry sambaNTPassword of the respective user. When having set the hash for all users start the Kerberos key generation:

/usr/share/univention-heimdal/kerberos_now[/quote]

This solved logon problems for me during migrations.[/quote]

I tried that already. No luck :confused:

serverfault.com/questions/613579 … er-initiat
It's an old post, but I can't find anything recent that helps…

So it seems there is no direct way of doing this… samba3 (or something that has the NT hash stored) to UCS with samba4…

This could be a solution if it was a one-shot migration, but I will have the passwords changed and stored in OpenLDAP in a system I don't control… So I would have to do the password synchronization multiple times. I would say once a day.
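The procedure from posts #2 and #7 (copy the NT hash into sambaNTPassword with ldapmodify, then run kerberos_now) and the recurring-sync requirement from post #8 can be turned into a small script. The following is an added example for this thread, not Univention code and not the scripts linked in post #4: it reads a uid/sambaNTPassword export from the source OpenLDAP and a matching export from the UCS LDAP, validates each hash, skips users that are already in sync or have no UCS counterpart, and emits the LDIF that ldapmodify would apply. It assumes UCS users live under cn=users,<base> (the UCS default container) and that both directories use the same uid values; the LDIF samples and hash values are constructed placeholders.

```python
"""Build an ldapmodify LDIF that copies sambaNTPassword values from an OpenLDAP
export into matching UCS user entries (added example, not Univention code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: output of `ldapsearch -LLL ... uid sambaNTPassword` on the
# source OpenLDAP. The hashes are placeholders, not real password hashes.
SOURCE_LDIF = """\
dn: uid=alice,ou=people,dc=school,dc=example
uid: alice
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,ou=people,dc=school,dc=example
uid: bob
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=carol,ou=people,dc=school,dc=example
uid: carol
sambaNTPassword: not-a-hash

dn: uid=dave,ou=people,dc=school,dc=example
uid: dave
sambaNTPassword: 1111222233334444AAAABBBBCCCCDDDD
"""

# Constructed sample: the same search against the UCS LDAP (requires an admin
# bind; sambaNTPassword is not readable by ordinary users there).
UCS_LDIF = """\
dn: uid=alice,cn=users,dc=ucs,dc=example
uid: alice
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,cn=users,dc=ucs,dc=example
uid: bob
sambaNTPassword: 00000000000000000000000000000000
"""

NT_HASH_RE = re.compile(r"^[0-9A-F]{32}$")  # 16-byte NT hash, hex encoded


def parse_uid_attr(ldif_text: str, attr: str) -> Dict[str, str]:
    """Map each entry's uid to its `attr` value.

    Handles plain 'attr: value' lines, which is all the two searches above
    produce; base64 'attr:: value' lines are not decoded and will later be
    flagged as malformed rather than silently written.
    """
    result: Dict[str, str] = {}
    uid = value = None
    for raw in ldif_text.splitlines() + [""]:  # trailing "" flushes last entry
        line = raw.rstrip()
        if not line:  # blank line = entry boundary
            if uid and value:
                result[uid] = value
            uid = value = None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "uid":
            uid = val
        elif key == attr:
            value = val
    return result


def build_sync_ldif(source: Dict[str, str], ucs_current: Dict[str, str],
                    ucs_base: str) -> Tuple[str, List[str]]:
    """Return (ldif_text, problems).

    One 'changetype: modify' record per uid whose hash differs from the UCS
    copy. Unchanged users are skipped so a daily run touches only real
    changes; malformed hashes and users missing in UCS are reported, not written.
    """
    records: List[str] = []
    problems: List[str] = []
    for uid, nthash in sorted(source.items()):
        nthash = nthash.upper()
        if not NT_HASH_RE.match(nthash):
            problems.append(f"{uid}: malformed sambaNTPassword, skipped")
            continue
        if uid not in ucs_current:
            problems.append(f"{uid}: no matching UCS user, skipped")
            continue
        if ucs_current[uid].upper() == nthash:
            continue  # already in sync
        dn = f"uid={uid},cn=users,{ucs_base}"  # assumed UCS user container
        records.append(
            f"dn: {dn}\nchangetype: modify\nreplace: sambaNTPassword\n"
            f"sambaNTPassword: {nthash}\n"
        )
    return "\n".join(records), problems


def run_demo() -> Tuple[str, List[str]]:
    source = parse_uid_attr(SOURCE_LDIF, "sambaNTPassword")
    current = parse_uid_attr(UCS_LDIF, "sambaNTPassword")
    return build_sync_ldif(source, current, "dc=ucs,dc=example")


if __name__ == "__main__":
    ldif, problems = run_demo()
    print(ldif, end="")
    for problem in problems:
        print("#", problem)
    # Next steps, per the thread: apply the LDIF with ldapmodify using an admin
    # bind, then run /usr/share/univention-heimdal/kerberos_now so Kerberos
    # keys are derived from the new hashes.
```

Writing the LDIF to a file and reviewing it before `ldapmodify -f` keeps a scripted daily run auditable; the file contains password-equivalent hashes, so it should be created with restrictive permissions and removed once applied. The "already in sync" check matters for the recurring case from post #8: it limits the ldapmodify run, and the subsequent kerberos_now, to users whose password actually changed.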