Migrating from Apple OpenDirectory?
Michael Wood
esiotrot at gmail.com
Wed Apr 14 05:50:20 MDT 2010
Thanks for your reply.
On 14 April 2010 01:05, Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2010-04-13 at 18:04 +0200, Michael Wood wrote:
>> Hi
>>
>> We have an Apple Open Directory server that we'd like to migrate to
>> Samba 4 (for authentication. No file/print.) OpenDirectory is based
>> on OpenLDAP, but the passwords are not stored in the LDAP directory,
>> as far as I understand it.
>>
>> Is there any way to migrate the accounts to Samba without having to
>> reset all the passwords?
>
> Yes. You need to obtain the Kerberos database of the built in MIT KDC.
> Between that and some tools from Heimdal and Samba we should be able to
> extract the passwords. But it's not an 'out of the box' solution.
OK. I don't know as much about Kerberos as I'd like, but I've found
the database.
There's a kdc.conf file in /var/db/krb5kdc which has a couple of
realms defined and a database_name parameter with the value
/var/db/krb5kdc/principal.MY.REALM. There are also admin_keytab,
key_stash_file, etc.
I see the Heimdal documentation mentions dumping the MIT Kerberos
database using kdb5_util dump -b7 and then importing it using hprop
and hpropd:
http://www.h5l.org/manual/heimdal-1-3-branch/info/heimdal/Migration.html#Migration
Am I heading in the right direction? :)
If so, what documentation do I need to look at for using the results
of the above with Samba 4?
> They have (as a security design decision) made it much harder to migrate
> out the passwords than was traditionally the case with a Samba3 pdb
> backend - Samba never sees the passwords, only the Password Server
> does.
>
>> I see some mention in the Open Directory Admin document of running
>> Open Directory as an NT-style PDC or BDC, so is it possible to turn it
>> into a PDC and then migrate from that to Samba 4?
>> http://images.apple.com/server/macosx/docs/Open_Directory_Admin_v10.5_3rd_Ed.pdf
>
> Not easily.
OK thanks. I did notice that the options to store NTLM v1 and v2 and
also LM password hashes are turned on, but I don't know if that makes
it any easier to get at them given what you say above about Apple
making it hard to migrate the passwords. I thought perhaps the Active
Directory Migration Tool might help :)
Thanks again.
--
Michael Wood <esiotrot at gmail.com>
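The dump-and-propagate steps discussed in this message (locating the realm's database and stash file in /var/db/krb5kdc/kdc.conf, running kdb5_util dump -b7, then feeding the dump through hprop into hpropd as the Heimdal migration chapter describes) as an added, stand-alone example. This is not code from the thread, from Samba or from Heimdal; it assumes the kdb5_util(8), hprop(8) and hpropd(8) flags named in the comments (check them against your installed versions), the sample kdc.conf and the realm names in it are constructed, and it stops where this message stops, at a Heimdal-loadable dump, because the final import into Samba 4 is not described here.

```python
"""Read the realm stanzas out of an MIT kdc.conf and assemble the
kdb5_util dump -b7 -> hprop -> hpropd pipeline for one realm."""
import os
import shlex
import subprocess

# Constructed sample shaped like the /var/db/krb5kdc/kdc.conf described in
# the post (two realms, database_name, admin_keytab, key_stash_file).
# Realm names and paths are made up for the example.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88,750

[realms]
    MY.REALM = {
        database_name = /var/db/krb5kdc/principal.MY.REALM
        admin_keytab = FILE:/var/db/krb5kdc/kadm5.keytab.MY.REALM
        acl_file = /var/db/krb5kdc/kadm5.acl.MY.REALM
        key_stash_file = /var/db/krb5kdc/.k5.MY.REALM
        max_life = 10h 0m 0s
    }
    OTHER.REALM = {
        database_name = /var/db/krb5kdc/principal.OTHER.REALM
        key_stash_file = /var/db/krb5kdc/.k5.OTHER.REALM
    }
"""


def parse_profile(text):
    """Minimal parser for the krb5 profile format used by kdc.conf:
    [section] headers, 'key = value' relations and 'key = { ... }'
    subsections. Only whole-line comments (# or ;) are recognised."""
    root, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1].strip(), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: relation outside any [section]")
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = key.strip(), value.strip()
        if value == "{":
            sub = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' subsection")
    return root


def realm_config(profile, realm):
    """Return the [realms] stanza for REALM, failing loudly if it is absent."""
    try:
        return profile["realms"][realm]
    except KeyError:
        raise KeyError(f"realm {realm!r} not defined in [realms]") from None


def check_dump_header(first_line):
    """kdb5_util dump -b7 writes 'kdb5_util load_dump version 4' as its first
    line; any other version means the dump was made in a different format."""
    prefix = "kdb5_util load_dump version "
    if not first_line.startswith(prefix):
        raise ValueError(f"not a kdb5_util dump: {first_line!r}")
    version = int(first_line[len(prefix):].strip())
    if version != 4:
        raise ValueError(f"dump version {version}, expected 4 (-b7 format)")
    return version


def migration_pipeline(profile, realm, dump_file):
    """Build three argv lists: the MIT dump, hprop reading that dump, and
    hpropd loading it. Flags per kdb5_util(8), hprop(8), hpropd(8)."""
    cfg = realm_config(profile, realm)
    stash = cfg.get("key_stash_file")
    dump = ["kdb5_util", "-r", realm, "-d", cfg["database_name"]]
    if stash:
        dump += ["-sf", stash]            # MIT stash file for this realm
    dump += ["dump", "-b7", dump_file]
    # The -b7 dump still holds keys sealed under the MIT master key; hprop can
    # read an old-style MIT stash via --master-key and --decrypt unseals them
    # before they are handed to hpropd on stdin (assumed flag semantics).
    hprop = ["hprop", "--source=mit-dump", "--database=" + dump_file, "--stdout"]
    if stash:
        hprop += ["--master-key=" + stash, "--decrypt"]
    hpropd = ["hpropd", "--stdin"]
    return dump, hprop, hpropd


def shell_pipeline(cmds):
    """Render argv lists as one shell pipeline, for a dry run or change ticket."""
    return " | ".join(shlex.join(c) for c in cmds)


def run_migration(profile, realm, dump_file, dry_run=True):
    """Dry run returns the commands; a real run executes them with a tight
    umask and removes the dump (it contains every principal's keys)."""
    dump, hprop, hpropd = migration_pipeline(profile, realm, dump_file)
    if dry_run:
        return shell_pipeline([dump]) + "\n" + shell_pipeline([hprop, hpropd])
    old_umask = os.umask(0o077)
    try:
        subprocess.run(dump, check=True)
        with open(dump_file) as fh:
            check_dump_header(fh.readline().rstrip("\n"))
        producer = subprocess.Popen(hprop, stdout=subprocess.PIPE)
        subprocess.run(hpropd, stdin=producer.stdout, check=True)
        producer.stdout.close()
        if producer.wait() != 0:
            raise subprocess.CalledProcessError(producer.returncode, hprop)
    finally:
        os.umask(old_umask)
        if os.path.exists(dump_file):
            os.remove(dump_file)
    return None


if __name__ == "__main__":
    print(run_migration(parse_profile(SAMPLE_KDC_CONF), "MY.REALM", "/tmp/mit.dump"))
```

Run it as-is and it only prints the two command lines for the sample realm; pass dry_run=False on the KDC host itself to execute them, since with --stdout/--stdin the decrypted entries travel through a local pipe rather than hprop's authenticated network channel, and keep the dump file off any shared filesystem.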