Setting unicodePwd hashes directly

Michael Wood esiotrot at
Tue Aug 24 02:40:18 MDT 2010


When migrating users from e.g. Apple Open Directory one can get the
arcfour-hmac-md5 hashes and shove them into Samba's directory.  When I
did this a couple of months ago I could just use
ldbadd/ldbmodify/ldbedit to add the hashes and I believe I just used
/usr/local/samba/private/sam.ldb as the path to connect to.

Now when I try that, I get an error saying that I can't set unicodePwd directly:

# ldbedit -H /usr/local/samba/private/sam.ldb CN=Administrator unicodePwd
failed to modify CN=Administrator,CN=Users,DC=example,DC=com -
setup_io: it's not allowed to set the NT hash password directly'
# 0 adds  0 modifies  0 deletes

If I connect to sam.ldb.d/DC=EXAMPLE,DC=COM.ldb instead, then it seems to work:

# ldbedit -H /usr/local/samba/private/sam.ldb.d/DC\=EXAMPLE\,DC\=COM.ldb
CN=Administrator unicodePwd
# 0 adds  1 modifies  0 deletes

Is this an acceptable workaround?  Or could it break things to use the
second method?  Is there a better way to set these hashes directly?

Michael Wood <esiotrot at>

More information about the samba-technical mailing list