SMB bulk add utility

Peter Njiiri pnjiiri at
Tue Sep 18 14:29:55 GMT 2007

Thanks Scott, will follow your advice as per our chat on GW!
Kind Regards

>>> Scott Isaacson <sisaacson at> 18/09/2007 21:18 >>>
On Tue, 2007-09-18 at 10:36 +0400, Peter Njiiri wrote:
> Thanks for the feedback Andrew and Christopher, the issue I'm facing is that when I use 
> the smbbulkadd utility to add users without the -p (password) option,
> the error message that comes up states that a password needs to be set
> or a Universal policy cannot be found (whereas I'm using the Samba Default policy).
> I want to bulk enable all users without giving them "new" passwords
> (with the -p option) so that they can use eDirectory to
> authenticate (as they use the Novell ZENworks client, somewhat like the
> Novell Client to login to Windows).

Peter, what you want to do is possible only if the Universal Password
(UP) has already been set or will be set via some other way using some
other tool.  As mentioned by others earlier, if UP is set it is
retrievable in cleartext and can be used for samba authentication (with
the "NDS LDAP backend passdb") without setting the hashes, however the UP
must be set.  The NDS LDAP passdb backend does not work off of the older,
encrypted password that is unique to NCP.  Novell moved to UP several
years ago so that any protocol accessing the server could work off of a
single password value rather than having a password per access protocol
(hence the name Universal Password).

It sounds like what you are doing is trying to use smbbulkadd to enable a
bunch of users in batch mode, but unless you specify the new password
with the -p option, the UP must already be set or you must set it some
other way in order to use the new samba server. 

> There is currently a Samba server
> the users will be shifting to and they need seamless migration
> (without new passwords being set on the new Samba server). Is this possible??

If UP is already set, this is possible.  If you are running those users
off of the older NDS specific password and UP is not already set then
this is not possible.


> Kind Regards
> Peter
> >>> "Christopher R. Hertel" <crh at> 18/09/2007 06:52 >>>
> Andrew Bartlett wrote:
> > On Mon, 2007-09-17 at 20:21 -0500, Christopher R. Hertel wrote:
> >> Peter,
> >>
> >> The raw password is needed in order to generate the hashes used for Windows
> >> authentication.  If Kerberos is supported then there may be an option, but
> >> for NTLM or NTLMv2 authentication you'll need the NTLM hash.  If that's not
> >> already in eDirectory, then you'll need to generate it and it can only be
> >> generated from the original password.
> >>
> >> That's the nature of security systems.  You shouldn't be able to get the raw
> >> password out of the system.  It should only ever go in (and be destroyed
> >> after it is used).
> > 
> > Happily (?) eDirectory stores a 'universal password' (being the
> > plaintext), which Samba can obtain, if you have recent versions of both.
> Ah.  Well... That's cool, I guess.
> So what's the trick for doing the mass enable he originally asked about?
> Chris -)-----

More information about the samba-technical mailing list