Migrating from Apple OpenDirectory?

Andrew Bartlett abartlet at samba.org
Wed Apr 14 06:28:07 MDT 2010

On Wed, 2010-04-14 at 13:50 +0200, Michael Wood wrote:
> Thanks for your reply.
> On 14 April 2010 01:05, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Tue, 2010-04-13 at 18:04 +0200, Michael Wood wrote:
> >> Hi
> >>
> >> We have an Apple Open Directory server that we'd like to migrate to
> >> Samba 4 (for authentication.  No file/print.)  OpenDirectory is based
> >> on OpenLDAP, but the passwords are not stored in the LDAP directory,
> >> as far as I understand it.
> >>
> >> Is there any way to migrate the accounts to Samba without having to
> >> reset all the passwords?
> >
> > Yes.  You need to obtain the Kerberos database of the built in MIT KDC.
> > Between that and some tools from Heimdal and Samba we should be able to
> > extract the passwords.  But it's not an 'out of the box' solution.
> OK.  I don't know as much about Kerberos as I'd like, but I've found
> the database.
> There's a kdc.conf file in /var/db/krb5kdc which has a couple of
> realms defined and a database_name parameter with the value
> /var/db/krb5kdc/principal.MY.REALM.  There are also admin_keytab,
> key_stash_file, etc.
> I see the Heimdal documentation mentions dumping the MIT Kerberos
> database using kdb5_util dump -b7 and then importing it using hprop
> and hpropd:
> http://www.h5l.org/manual/heimdal-1-3-branch/info/heimdal/Migration.html#Migration
> Am I heading in the right direction? :)


> If so, what documentation do I need to look at for using the results
> of the above with Samba 4?

We would need to construct a custom tool, but once it's in the heimdal
format db, it's much, much easier. 

> > They have (as a security design decision) made it much harder to migrate
> > out the passwords than was traditionally the case with a Samba3 pdb
> > backend - Samba never sees the passwords, only the Password Server
> > does.
> >
> >> I see some mention in the Open Directory Admin document of running
> >> Open Directory as an NT-style PDC or BDC, so is it possible to turn it
> >> into a PDC and then migrate from that to Samba 4?
> >> http://images.apple.com/server/macosx/docs/Open_Directory_Admin_v10.5_3rd_Ed.pdf
> >
> > Not easily.
> OK thanks.  I did notice that the options to store NTLM v1 and 2 and
> also LM password hashes is turned on, but I don't know if that makes
> it any easier to get at them given what you say above about Apple
> making it hard to migrate the passwords.  I thought perhaps the Active
> Directory Migration Tool might help :)

The easiest option would be if they have a tool that migrates out into
smbpasswd format.  We still don't have great import tools, but at least
those are only a matter of programming.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100414/2c2bfe48/attachment.pgp>

More information about the samba-technical mailing list