Univention userPassword hash to Crypt SHA512

nauriz.aitbai · February 28, 2019, 9:44am

Hello everyone.
I want user password’s hash be Crypt SHA512, so I could sync users with G Suite.
I wrote password has userPassword schemes = CryptSHA512 to smb.conf, but it resets after reboots. It just doesn’t work.
Can you help with this problem?
I don’t want SAML authorization, I want synchronization with G Suite.

pmhahn · March 1, 2019, 1:01pm

I guess it is a typo of yours, but the setting is called password hash userPassword schemes.
If you read the header of /etc/samba/smb.conf carefully, you will see, that is file is generated by UCR and will we overwritten. See Section 8.3 in the UCS manual for more information about that mechanism in UCS.
You can use ucr set 'samba/global/options/password hash userPassword schemes=CryptSHA512'. This writes the setting to the file /etc/samba/local.config.d/global.local.config.conf, which is sourced by the main smb.conf file.

Disclaimer: I have not tested if afterward G Suite works as expected.

nauriz.aitbai · March 4, 2019, 4:29am

Hello. Thank you for your reply. I edited smb.conf and when I created, modified user with samba-tool I can have VirtualCryptSHA512, but when I created or modified it in Univention Web, I don’t get VirtualCryptSHA512.

nauriz.aitbai · March 4, 2019, 7:23am

When I create/modify user from Univention Web or Univention Console password creates as krb5key. Can I change it to VirtualCryptSHA512.
From a listener (/usr/lib/univention-directory-listener/system/) I can get a User’s userPassword (VirtualCryptSHA512). Can I change something in Univention code so I can get VirtualCryptSHA512?

nauriz.aitbai · March 7, 2019, 11:50am

I solved my first problem, now I can sync created, modified users’ passwords in GSuite. But problem is when I change password using Windows’s CTRL+ALT+DEL combination, in dictionary listener’s handler users userPassword attribute instead of having crypt hash, has {K5Key} string. Can I change this behaviour?

Moritz_Bunkus · March 12, 2019, 9:27am

No. Changing the password via Samba means that the S4 connector (which synchronizes the content of the Samba LDAP and OpenLDAP directories) never sees the new plain text password. It therefore cannot hash the unixPassword field with the required algorithm. It’s technically impossible.

hapc · April 11, 2023, 5:01am

Sorry for resurrecting this topic, but I would like to know what solution was used to synchronize passwords between Google Workspace and Samba4-AD.