Migrating from Apple OpenDirectory?
esiotrot at gmail.com
Wed Apr 14 05:50:20 MDT 2010
Thanks for your reply.
On 14 April 2010 01:05, Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2010-04-13 at 18:04 +0200, Michael Wood wrote:
>> We have an Apple Open Directory server that we'd like to migrate to
>> Samba 4 (for authentication. No file/print.) OpenDirectory is based
>> on OpenLDAP, but the passwords are not stored in the LDAP directory,
>> as far as I understand it.
>> Is there any way to migrate the accounts to Samba without having to
>> reset all the passwords?
> Yes. You need to obtain the Kerberos database of the built-in MIT KDC.
> Between that and some tools from Heimdal and Samba we should be able to
> extract the passwords. But it's not an 'out of the box' solution.
OK. I don't know as much about Kerberos as I'd like, but I've found
There's a kdc.conf file in /var/db/krb5kdc which has a couple of
realms defined and a database_name parameter with the value
/var/db/krb5kdc/principal.MY.REALM. There are also admin_keytab,
I see the Heimdal documentation mentions dumping the MIT Kerberos
database using kdb5_util dump -b7 and then importing it using hprop
Am I heading in the right direction? :)
If so, what documentation do I need to look at for using the results
of the above with Samba 4?
> They have (as a security design decision) made it much harder to migrate
> out the passwords than was traditionally the case with a Samba3 pdb
> backend - Samba never sees the passwords, only the Password Server
>> I see some mention in the Open Directory Admin document of running
>> Open Directory as an NT-style PDC or BDC, so is it possible to turn it
>> into a PDC and then migrate from that to Samba 4?
> Not easily.
OK thanks. I did notice that the options to store NTLM v1 and 2 and
also LM password hashes are turned on, but I don't know if that makes
it any easier to get at them given what you say above about Apple
making it hard to migrate the passwords. I thought perhaps the Active
Directory Migration Tool might help :)
Michael Wood <esiotrot at gmail.com>
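Before dumping anything with kdb5_util, an administrator needs an inventory of which realms the KDC defines and where each realm's database file lives. The following is an added example, not code from this thread, Samba, Heimdal or Apple: it parses the krb5 profile syntax used by kdc.conf and lists database_name and admin_keytab per realm. The sample kdc.conf is constructed; the /var/db/krb5kdc paths and the realm name MY.REALM are taken from the message above, OTHER.REALM is made up.

```python
import re
# Constructed sample kdc.conf (two realms); only the /var/db/krb5kdc paths and key names come from the message.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88
[realms]
    MY.REALM = {
        database_name = /var/db/krb5kdc/principal.MY.REALM
        admin_keytab = FILE:/var/db/krb5kdc/kadm5.keytab.MY.REALM
    }
    OTHER.REALM = {
        database_name = /var/db/krb5kdc/principal.OTHER.REALM
    }
"""

def _store(mapping, key, value):
    """Store value under key (a repeated key becomes a list); return value."""
    if key in mapping:
        old = mapping[key]
        mapping[key] = old + [value] if isinstance(old, list) else [old, value]
    else:
        mapping[key] = value
    return value

def parse_profile(text):
    """Parse krb5 profile syntax: [section], key = value, key = { ... }."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                    # new top-level section
            stack = [root.setdefault(m.group(1), {})]
        elif line == "}":                        # close the innermost block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                     # open a nested block
                stack.append(_store(stack[-1], key, {}))
            else:
                _store(stack[-1], key, value)
    if len(stack) > 1:
        raise ValueError("unclosed { block at end of kdc.conf")
    return root

def realm_databases(profile):
    """Map each realm in [realms] to (database_name, admin_keytab); None if unset."""
    return {realm: (cfg.get("database_name"), cfg.get("admin_keytab"))
            for realm, cfg in profile.get("realms", {}).items()}
```

Run it against the real /var/db/krb5kdc/kdc.conf to get the list of database files to pass to kdb5_util dump -b7, one realm at a time.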