Univention userPassword hash to Crypt SHA512

samba
ucs-4-3
problem

#1

Hello everyone.
I want user password’s hash be Crypt SHA512, so I could sync users with G Suite.
I wrote password has userPassword schemes = CryptSHA512 to smb.conf, but it resets after reboots. It just doesn’t work.
Can you help with this problem?
I don’t want SAML authorization, I want synchronization with G Suite.


#2
  1. I guess it is a typo of yours, but the setting is called password hash userPassword schemes.
  2. If you read the header of /etc/samba/smb.conf carefully, you will see that this file is generated by UCR and will be overwritten. See Section 8.3 in the UCS manual for more information about that mechanism in UCS.
  3. You can use ucr set 'samba/global/options/password hash userPassword schemes=CryptSHA512'. This writes the setting to the file /etc/samba/local.config.d/global.local.config.conf, which is sourced by the main smb.conf file.

Disclaimer: I have not tested if afterward G Suite works as expected.


#3

Hello. Thank you for your reply. I edited smb.conf, and when I created or modified a user with samba-tool I can get VirtualCryptSHA512, but when I created or modified one in Univention Web, I don’t get VirtualCryptSHA512.


#4

When I create/modify a user from Univention Web or Univention Console, the password is created as krb5key. Can I change it to VirtualCryptSHA512?
From a listener (/usr/lib/univention-directory-listener/system/) I can get a User’s userPassword (VirtualCryptSHA512). Can I change something in Univention code so I can get VirtualCryptSHA512?


#5

I solved my first problem; now I can sync created and modified users’ passwords to GSuite. But the problem is that when I change the password using Windows’s CTRL+ALT+DEL combination, in the directory listener’s handler the user’s userPassword attribute has the {K5Key} string instead of a crypt hash. Can I change this behaviour?


#6

No. Changing the password via Samba means that the S4 connector (which synchronizes the content of the Samba LDAP and OpenLDAP directories) never sees the new plain text password. It therefore cannot hash the unixPassword field with the required algorithm. It’s technically impossible.
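As an added illustration of the situation described in posts #5 and #6 (this is example code written for this page, not code from the thread, from Univention or from Samba): a listener handler that pushes passwords to an external service sees either a `{crypt}$6$...` SHA512-crypt value or the `{K5KEY}` marker, which carries no reusable hash at all. The function below classifies a userPassword value by its LDAP `{SCHEME}` prefix and, for crypt values, by the glibc `$id$[rounds=N$]salt$digest` layout, so a handler can sync the entries it can and log the ones it cannot instead of pushing `{K5KEY}` as if it were a hash. The sample values, the function names and the notion of "syncable" are assumptions made for the example; the Univention listener API itself is not used.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample userPassword values for illustration only (not taken from the thread).
# The 86-character digest field has the length of a real SHA512-crypt digest; its content is filler.
SAMPLE_USER_PASSWORDS: Dict[str, str] = {
    "alice": "{crypt}$6$rounds=5000$saltsaltsaltsalt$" + "A" * 86,  # SHA512-crypt, syncable
    "bob": "{K5KEY}",                                           # password changed via Samba/Kerberos
    "carol": "{crypt}$1$saltsalt$" + "B" * 22,                  # MD5-crypt, wrong algorithm
    "dave": "{crypt}$6$tooshort",                               # malformed crypt value
}

# LDAP password values start with a {SCHEME} prefix (RFC 2307 style).
SCHEME_RE = re.compile(r"^\{(?P<scheme>[^}]+)\}(?P<rest>.*)$", re.DOTALL)
# glibc crypt layout: $id$[rounds=N$]salt$digest, salt up to 16 chars of the crypt alphabet.
CRYPT_RE = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$"
    r"(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$"
    r"(?P<digest>[./0-9A-Za-z]+)$"
)
# crypt id -> (algorithm name, expected digest length in crypt-base64 characters)
CRYPT_IDS = {"1": ("md5-crypt", 22), "5": ("sha256-crypt", 43), "6": ("sha512-crypt", 86)}
DEFAULT_SHA_ROUNDS = 5000  # glibc default when rounds= is omitted for $5$/$6$


@dataclass
class HashInfo:
    scheme: str          # lower-cased {SCHEME} prefix, or "none"
    algorithm: str       # e.g. "sha512-crypt", "kerberos-key-reference", "malformed"
    rounds: Optional[int]
    syncable: bool       # True only for a well-formed SHA512-crypt value
    reason: str


def classify_user_password(value: str) -> HashInfo:
    """Decide whether a userPassword value is a Crypt SHA512 hash a sync job can forward."""
    m = SCHEME_RE.match(value)
    if not m:
        return HashInfo("none", "unknown", None, False, "no {SCHEME} prefix")
    scheme = m.group("scheme").lower()
    rest = m.group("rest")
    if scheme == "k5key":
        # The marker only says "look in the Kerberos key"; there is no crypt hash to forward.
        return HashInfo("k5key", "kerberos-key-reference", None, False,
                        "{K5KEY} marker: password was set through Samba/Kerberos, no crypt hash present")
    if scheme != "crypt":
        return HashInfo(scheme, "unknown", None, False, f"unsupported scheme {{{scheme}}}")
    c = CRYPT_RE.match(rest)
    if not c or c.group("id") not in CRYPT_IDS:
        return HashInfo("crypt", "malformed", None, False,
                        "crypt value does not parse as $id$[rounds=N$]salt$digest")
    algorithm, digest_len = CRYPT_IDS[c.group("id")]
    if c.group("id") == "1":
        rounds = None  # MD5-crypt has a fixed iteration count and no rounds= field
    else:
        rounds = int(c.group("rounds")) if c.group("rounds") else DEFAULT_SHA_ROUNDS
    digest = c.group("digest")
    if len(digest) != digest_len:
        return HashInfo("crypt", algorithm, rounds, False,
                        f"digest length {len(digest)} != expected {digest_len}")
    if algorithm != "sha512-crypt":
        return HashInfo("crypt", algorithm, rounds, False, f"{algorithm} is not Crypt SHA512")
    return HashInfo("crypt", algorithm, rounds, True, "well-formed SHA512-crypt hash")


def partition_for_sync(entries: Dict[str, str]) -> Tuple[Dict[str, HashInfo], Dict[str, HashInfo]]:
    """Split {uid: userPassword} into entries a sync job can forward and entries to report."""
    ready: Dict[str, HashInfo] = {}
    skipped: Dict[str, HashInfo] = {}
    for uid, value in entries.items():
        info = classify_user_password(value)
        (ready if info.syncable else skipped)[uid] = info
    return ready, skipped


if __name__ == "__main__":
    ready, skipped = partition_for_sync(SAMPLE_USER_PASSWORDS)
    for uid, info in ready.items():
        print(f"SYNC  {uid}: {info.algorithm} rounds={info.rounds}")
    for uid, info in skipped.items():
        print(f"SKIP  {uid}: {info.reason}")
```

In a real handler the `skipped` set is what to alert on: a `{K5KEY}` entry means the change came through Samba and, as post #6 explains, no crypt hash will ever appear for it, so the sync job should report that user rather than retry.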