Migrating from Apple OpenDirectory?

Andrew Bartlett abartlet at samba.org
Tue Apr 13 17:05:56 MDT 2010

On Tue, 2010-04-13 at 18:04 +0200, Michael Wood wrote:
> Hi
> We have an Apple Open Directory server that we'd like to migrate to
> Samba 4 (for authentication.  No file/print.)  OpenDirectory is based
> on OpenLDAP, but the passwords are not stored in the LDAP directory,
> as far as I understand it.
> Is there any way to migrate the accounts to Samba without having to
> reset all the passwords?

Yes.  You need to obtain the Kerberos database of the built-in MIT KDC.
Between that and some tools from Heimdal and Samba we should be able to
extract the passwords.  But it's not an 'out of the box' solution. 

They have (as a security design decision) made it much harder to migrate
out the passwords than was traditionally the case with a Samba3 pdb
backend - Samba never sees the passwords, only the Password Server

> I see some mention in the Open Directory Admin document of running
> Open Directory as an NT-style PDC or BDC, so is it possible to turn it
> into a PDC and then migrate from that to Samba 4?
> http://images.apple.com/server/macosx/docs/Open_Directory_Admin_v10.5_3rd_Ed.pdf

Not easily. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
