Migrating from Apple OpenDirectory?

Michael Wood esiotrot at gmail.com
Wed Apr 14 05:50:20 MDT 2010

Thanks for your reply.

On 14 April 2010 01:05, Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2010-04-13 at 18:04 +0200, Michael Wood wrote:
>> Hi
>> We have an Apple Open Directory server that we'd like to migrate to
>> Samba 4 (for authentication.  No file/print.)  OpenDirectory is based
>> on OpenLDAP, but the passwords are not stored in the LDAP directory,
>> as far as I understand it.
>> Is there any way to migrate the accounts to Samba without having to
>> reset all the passwords?
> Yes.  You need to obtain the Kerberos database of the built in MIT KDC.
> Between that and some tools from Heimdal and Samba we should be able to
> extract the passwords.  But it's not an 'out of the box' solution.

OK.  I don't know as much about Kerberos as I'd like, but I've found
the database.

There's a kdc.conf file in /var/db/krb5kdc which has a couple of
realms defined and a database_name parameter with the value
/var/db/krb5kdc/principal.MY.REALM.  There are also admin_keytab,
key_stash_file, etc.

I see the Heimdal documentation mentions dumping the MIT Kerberos
database using kdb5_util dump -b7 and then importing it using hprop
and hpropd:

Am I heading in the right direction? :)

If so, what documentation do I need to look at for using the results
of the above with Samba 4?

> They have (as a security design decision) made it much harder to migrate
> out the passwords than was traditionally the case with a Samba3 pdb
> backend - Samba never sees the passwords, only the Password Server
> does.
>> I see some mention in the Open Directory Admin document of running
>> Open Directory as an NT-style PDC or BDC, so is it possible to turn it
>> into a PDC and then migrate from that to Samba 4?
>> http://images.apple.com/server/macosx/docs/Open_Directory_Admin_v10.5_3rd_Ed.pdf
> Not easily.

OK thanks.  I did notice that the options to store NTLM v1 and 2 and
also LM password hashes is turned on, but I don't know if that makes
it any easier to get at them given what you say above about Apple
making it hard to migrate the passwords.  I thought perhaps the Active
Directory Migration Tool might help :)

Thanks again.

Michael Wood <esiotrot at gmail.com>

More information about the samba-technical mailing list