Migrating from Apple OpenDirectory?

Michael Wood esiotrot at gmail.com
Wed Apr 21 05:22:36 MDT 2010

On 21 April 2010 07:45, Love Hörnquist Åstrand <lha at kth.se> wrote:
> 20 apr 2010 kl. 23:40 skrev Michael Wood:
>> Damn.  Forgot to copy the list again.  Sorry.
>> On 20 April 2010 13:09, Love Hörnquist Åstrand <lha at kth.se> wrote:
>>> 20 apr 2010 kl. 11:56 skrev Michael Wood:
>>>>> Once you have the data in the dump format, this may be easy to parse, or
>>>>> else it may be better to read it using Heimdal tools somehow.
>>>> The dump format looks trivial to parse, but I don't know yet which
>>>> field is the arcfour-hmac-md5 hash or what the other hashes are and
>>>> whether or not they're needed.
>>> Heimdal dump format is documented here:
>>> http://www.h5l.org/manual/HEAD/krb5/krb5_fileformats.html
>> Thanks, but it's actually the "kdb5_util load_dump version 4" format
>> that I need the documentation for.  This is what I get when I dump the
>> MIT Kerberos database on OS X.  I suppose I should just load that into
>> Heimdal and then dump it so I can make use of the link above :)
> You can dump the database directly and load it into Heimdal
> http://www.h5l.org/manual/HEAD/info/heimdal/Migration.html#Migration
> 10 Migration
> 10.1 Migration from MIT Kerberos to Heimdal
> hpropd can read MIT Kerberos dump, the format is the same as used in mit-kerberos 1.0b7, and to dump that format use the following command: `kdb5_util dump -b7'.
> To load the MIT Kerberos dump file, use the following command:
> `/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin'

Yes, thanks, I saw that, but according to Andrew I should put the
hashes into Samba4's LDAP instead of into Heimdal's database (unless I
misunderstood him.)  So in theory all I need to know is which field in
the kdb5_util dump format is the arcfour-hmac-md5 hash and import that
into Samba's LDAP directory (after creating the user account objects).

I haven't tried very hard yet to figure out which hash is which and I
don't know yet whether or not I'll need any of the other hashes.  I
will try again to find out which is the arcfour-hmac-md5 hash in the
MIT dump and see if I can import it successfully.  If I can't find out
which is the right hash, I'll load it into a Heimdal database and dump
it again and then use your documentation to find which is the right
hash to import into Samba.

This may or may not be the most efficient way of doing things, but I
think it will work.  If you have a better suggestion I would
appreciate hearing it, but otherwise I'll try it out when I get a
chance and ask more questions or report success when I've done so.

Thanks for your help :)

Michael Wood <esiotrot at gmail.com>

More information about the samba-technical mailing list