If samba is running as an
active directory domain controller, it is possible to store the
cleartext password of accounts in a PGP/OpenPGP encrypted form.
You can specify one or more recipients by key id or user id.
Note that 32-bit key ids are not allowed; specify key ids of at least 64 bits.
The value is stored as 'Primary:SambaGPG' in the
supplementalCredentials attribute.
As password changes can occur on any domain controller,
you should configure this on each of them. Note that this feature is currently
available only on Samba domain controllers.
This option is only available if samba
was compiled with gpgme support.
You may need to export the GNUPGHOME
environment variable before starting samba.
It is strongly recommended to store only the public key in this
location. The private key is not used for encryption and should
only be stored where decryption is required, since whoever holds it
can recover every password stored this way.
Being able to restore the cleartext password helps when the passwords need to be imported
into other authentication systems later (see samba-tool user getpassword)
or when you want to keep them in sync with another system, e.g. an OpenLDAP server
(see samba-tool user syncpasswords).
While this option needs to be configured on all domain controllers, the
samba-tool user syncpasswords command should
run on a single domain controller only (typically the PDC-emulator).
See also: unix password sync

Example: password hash gpg key ids = 4952E40301FAB41A

Example: password hash gpg key ids = selftest@samba.example.com

Example: password hash gpg key ids = selftest@samba.example.com, 4952E40301FAB41A
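The following is an added example, not Samba's own code: it validates a recipient list the way this option requires (rejecting 32-bit key ids) and audits a domain controller's GNUPGHOME keyring from the machine-readable `gpg --with-colons` listings, reporting a recipient whose public key is missing or whose private key is present on the DC. The listings embedded below are constructed samples that reuse the key id and address from the examples above.

```python
import re

# Added example, not part of Samba: validates a 'password hash gpg key ids'
# value and audits a DC's GNUPGHOME keyring from gpg's --with-colons output.

SHORT_KEY_ID = re.compile(r"^(0x)?[0-9A-Fa-f]{8}$")   # 32-bit ids are rejected

def parse_key_ids(value):
    """Split the comma-separated recipient list; reject 32-bit key ids."""
    recipients = [r.strip() for r in value.split(",") if r.strip()]
    for r in recipients:
        if SHORT_KEY_ID.match(r):
            raise ValueError(f"32-bit key id not allowed, use 64-bit or longer: {r}")
    return recipients

def parse_colon_listing(listing):
    """Turn `gpg --with-colons --list-keys` (or --list-secret-keys) output into
    a list of (record_type, key_id, [user ids]) tuples, one per key block."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):
            keys.append([f[0], f[4].upper(), []])   # field 5 is the 64-bit key id
        elif f[0] == "uid" and keys:
            keys[-1][2].append(f[9])                # field 10 is the user id
    return [tuple(k) for k in keys]

def matches(recipient, key_id, uids):
    """A hex recipient matches a key id (or fingerprint) suffix; anything else
    is treated as a user id substring."""
    r = recipient[2:] if recipient.lower().startswith("0x") else recipient
    if re.fullmatch(r"[0-9A-Fa-f]+", r):
        return key_id.endswith(r.upper())
    return any(r in uid for uid in uids)

def audit_keyring(value, public_listing, secret_listing):
    """Return findings: a recipient samba could not encrypt to (no public key)
    or one whose private key sits on the DC, where only decryption needs it."""
    findings = []
    pubs = parse_colon_listing(public_listing)
    secs = parse_colon_listing(secret_listing)
    for r in parse_key_ids(value):
        if not any(matches(r, kid, uids) for _, kid, uids in pubs):
            findings.append(f"no public key for recipient {r}")
        if any(matches(r, kid, uids) for _, kid, uids in secs):
            findings.append(f"private key for {r} present; keep it off the DC")
    return findings

# Constructed sample listings (key id and address taken from the examples above).
PUB = ("pub:u:2048:1:4952E40301FAB41A:1480000000:::u:::scESC::::::23::0:\n"
       "uid:u::::1480000000::HASH::selftest <selftest@samba.example.com>::::::::::0:\n")
SEC = ("sec:u:2048:1:4952E40301FAB41A:1480000000:::u:::scESC:::+:::23::0:\n"
       "uid:u::::1480000000::HASH::selftest <selftest@samba.example.com>::::::::::0:\n")

if __name__ == "__main__":
    print(audit_keyring("selftest@samba.example.com, 4952E40301FAB41A", PUB, ""))
    print(audit_keyring("4952E40301FAB41A", PUB, SEC))
```

On a real DC, feed it the output of `gpg --with-colons --list-keys` and `gpg --with-colons --list-secret-keys` run with the same GNUPGHOME that samba is started with.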