Migrating from Apple OpenDirectory?

Andrew Bartlett abartlet at samba.org
Tue Apr 20 06:01:25 MDT 2010


On Tue, 2010-04-20 at 11:56 +0200, Michael Wood wrote:
> Hi
> 
> On 20 April 2010 04:54, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Thu, 2010-04-15 at 16:52 +0200, Michael Wood wrote:
> >> Forgot to send this to the list:
> >>
> >> Thanks again for your helpful reply.
> >>
> >> On 14 April 2010 14:28, Andrew Bartlett <abartlet at samba.org> wrote:
> >> > On Wed, 2010-04-14 at 13:50 +0200, Michael Wood wrote:
> >> [...]
> >> >> I see the Heimdal documentation mentions dumping the MIT Kerberos
> >> >> database using kdb5_util dump -b7 and then importing it using hprop
> >> >> and hpropd:
> >> >> http://www.h5l.org/manual/heimdal-1-3-branch/info/heimdal/Migration.html#Migration
> >> >>
> >> >> Am I heading in the right direction? :)
> >> >
> >> > Yes.
> >> >
> >> >> If so, what documentation do I need to look at for using the results
> >> >> of the above with Samba 4?
> >> >
> >> > We would need to construct a custom tool, but once it's in the heimdal
> >> > format db, it's much, much easier.
> >>
> >> I'm sure you guys have way too much to do already, so how long do you
> >> think it might take to make such a tool?
> >
> > Honestly, I'm not sure.  You would need to write up a python script (I
> > think) that would first import the users from the OpenDirectory
> > (preserving their SIDs), and then extract the 'arcfour-hmac-md5' (type
> > 23) key and set it into the unicodePwd attribute in Samba4's LDAP
> > server.
> 
> OK, so in other words, get the hash from the dump file generated by
> kdb5_util and put it into Samba4's LDAP server instead of into some
> Heimdal database?  And I suppose using slapcat to get the LDAP data
> and running it through the samba equivalent of slapadd (or a Python
> script as you mentioned) should do for the LDAP data?

Yeah.  Probably it is easiest to migrate the non-password data, then
fill in the password. 

> > Once you have the data in the dump format, this may be easy to parse, or
> > else it may be better to read it using Heimdal tools somehow.
> 
> The dump format looks trivial to parse, but I don't know yet which
> field is the arcfour-hmac-md5 hash or what the other hashes are and
> whether or not they're needed.
> 
> > I'm sorry to dash your hopes, but it's not a tool I'm likely to write
> > myself, but I can provide advice.
> 
> No, my hopes remain undashed :)  Providing advice is perfect.  From
> what you've said above it seems like this should be pretty easy.  I
> just need to figure out a few details.

Great!

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
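An added example (not from this thread or from Samba's own code) of the conversion step Andrew describes: picking the arcfour-hmac-md5 (enctype 23) key out of a principal's key list and emitting the LDIF that places it in unicodePwd. It assumes the type-23 key is the 16-byte NT hash (MD4 of the UTF-16LE password), which the code checks against a known vector, and that Samba4's LDAP server accepts a raw 16-byte unicodePwd as that hash; the key list and DN are constructed, and pick_rc4_key/unicodepwd_ldif are hypothetical helper names.

```python
import base64
import struct

_M = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); written out because hashlib's md4 is often absent."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & _M
    rounds = (  # (mixing function, additive constant, shifts, X-index map)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), lambda i: i),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         lambda i: (i % 4) * 4 + i // 4),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         lambda i: int(f"{i:04b}"[::-1], 2)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, idx in rounds:
            for i in range(16):
                a = rol((a + fn(b, c, d) + x[idx(i)] + k) & _M, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; this is exactly the Kerberos
    arcfour-hmac-md5 (enctype 23) key, so no cleartext is needed to migrate it."""
    return _md4(password.encode("utf-16-le"))


def pick_rc4_key(keys):
    """From (enctype, hex key) pairs return the type-23 key. AES (17/18) and
    3DES (16) keys are salted derivations and cannot be turned into an NT hash."""
    rc4 = [k for t, k in keys if t == 23]
    if len(rc4) != 1 or len(bytes.fromhex(rc4[0])) != 16:
        raise ValueError("expected exactly one 16-byte enctype 23 key")
    return rc4[0]


def unicodepwd_ldif(dn: str, rc4_key_hex: str) -> str:
    """LDIF modify record writing the raw NT hash into unicodePwd (assumption:
    Samba4's password module treats a 16-byte unicodePwd value as the NT hash)."""
    value = base64.b64encode(bytes.fromhex(rc4_key_hex)).decode()
    return "\n".join([f"dn: {dn}", "changetype: modify", "replace: unicodePwd",
                      f"unicodePwd:: {value}", ""])


# Constructed sample key list for the password "password"; not from a real dump.
SAMPLE_KEYS = [(18, "00" * 32), (16, "00" * 24), (23, nt_hash("password").hex())]
SAMPLE_DN = "CN=Test User,CN=Users,DC=example,DC=com"

if __name__ == "__main__":
    print(unicodepwd_ldif(SAMPLE_DN, pick_rc4_key(SAMPLE_KEYS)))
```

Only the NT hash crosses over this way; the AES and 3DES keys in the dump cannot be derived from it, so migrated users hold an RC4-only Kerberos key until they next change their password.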
