Migrating from Apple OpenDirectory?

Andrew Bartlett abartlet at samba.org
Mon Apr 19 20:54:13 MDT 2010


On Thu, 2010-04-15 at 16:52 +0200, Michael Wood wrote:
> Forgot to send this to the list:
> 
> Thanks again for your helpful reply.
> 
> On 14 April 2010 14:28, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Wed, 2010-04-14 at 13:50 +0200, Michael Wood wrote:
> [...]
> >> I see the Heimdal documentation mentions dumping the MIT Kerberos
> >> database using kdb5_util dump -b7 and then importing it using hprop
> >> and hpropd:
> >> http://www.h5l.org/manual/heimdal-1-3-branch/info/heimdal/Migration.html#Migration
> >>
> >> Am I heading in the right direction? :)
> >
> > Yes.
> >
> >> If so, what documentation do I need to look at for using the results
> >> of the above with Samba 4?
> >
> > We would need to construct a custom tool, but once it's in the heimdal
> > format db, it's much, much easier.
> 
> I'm sure you guys have way too much to do already, so how long do you
> think it might take to make such a tool?

Honestly, I'm not sure.  You would need to write up a python script (I
think) that would first import the users from the OpenDirectory
(preserving their SIDs), and then extract the 'arcfour-hmac-md5' (type
23) key and set it into the unicodePwd attribute in Samba4's LDAP
server. 

Once you have the data in the dump format, this may be easy to parse, or
else it may be better to read it using Heimdal tools somehow.

I'm sorry to dash your hopes, but it's not a tool I'm likely to write
myself, but I can provide advice.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
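
Added example, not part of the original message and not Samba or Heimdal code: a sketch of the key-extraction step described above, pulling the type 23 key for each principal out of a Heimdal-style text dump. The field layout (principal, then a keyblock of `kvno:mkvno:etype:hexkey:salt` groups), the function names and the sample lines are assumptions made for illustration; importing the users and writing unicodePwd are not covered.

```python
ARCFOUR_HMAC_MD5 = 23  # enctype number given in the message above

# Constructed sample lines (trailing dump fields omitted); keys are made up.
SAMPLE_DUMP = """\
alice@EXAMPLE.COM 2::23:00112233445566778899aabbccddeeff:-::18:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f:-
bob@EXAMPLE.COM 1::18:1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100:-
carol@EXAMPLE.COM 3:1:23:ffeeddccbbaa99887766554433221100:-
"""

def parse_keyblock(field):
    """Parse an assumed 'kvno:mkvno:etype:hexkey:salt[:mkvno:etype:hexkey:salt]...' field."""
    parts = field.split(":")
    rest = parts[1:]
    if not rest or len(rest) % 4:
        raise ValueError("keyblock is not a whole number of keys")
    keys = []
    for i in range(0, len(rest), 4):
        mkvno, etype, hexkey, salt = rest[i:i + 4]
        # int() and fromhex() raise ValueError on malformed input
        keys.append((mkvno, int(etype), bytes.fromhex(hexkey), salt))
    return int(parts[0]), keys

def extract_rc4_keys(dump_text):
    """Return ({principal: 16-byte type 23 key}, [(principal, reason skipped)])."""
    found, skipped = {}, []
    for line in dump_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        principal = fields[0]
        try:
            _kvno, keys = parse_keyblock(fields[1])
        except ValueError as exc:
            skipped.append((principal, f"unparseable keyblock: {exc}"))
            continue
        rc4 = [k for k in keys if k[1] == ARCFOUR_HMAC_MD5]
        if not rc4:
            # e.g. an account that only has AES keys: nothing to migrate
            skipped.append((principal, "no type 23 key"))
        elif rc4[0][0]:
            # a non-empty mkvno is taken to mean the key is still encrypted
            skipped.append((principal, "key is encrypted under a master key"))
        elif len(rc4[0][2]) != 16:
            skipped.append((principal, "type 23 key is not 16 bytes"))
        else:
            found[principal] = rc4[0][2]
    return found, skipped
```

The skipped list matters as much as the result: accounts without a usable type 23 key need a password reset after migration rather than a silent gap.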
