Setting unicodePwd hashes directly

Lukasz Zalewski lukas at
Tue Aug 24 10:01:23 MDT 2010

On 08/24/2010 04:44 PM, Matthias Dieter Wallnöfer wrote:
> Hi Michael,
> it's not encouraged to set NT hashes by bypassing the "password_hash"
> module this way - better use metze's new control "bypass_password_hash".
> I personally don't exactly know how to use/set it but he should be able
> to explain it to you.
> Matthias
I'm pretty sure its:
$targetdir/bin/ldbadd -H $targetdir/private/sam.ldb --nosync --verbose 
--controls=relax:0 --controls=local_oid: 
--controls=local_oid: myldif.ldif

Metze will be able to confirm if that is the case

> Michael Wood wrote:
>> Hi
>> When migrating users from e.g. Apple Open Directory one can get the
>> arcfour-hmac-md5 hashes and shove them into Samba's directory. When I
>> did this a couple of months ago I could just use
>> ldbadd/ldbmodify/ldbedit to add the hashes and I believe I just used
>> /usr/local/samba/private/sam.ldb as the path to connect to.
>> Now when I try that, I get an error saying that I can't set unicodePwd
>> directly:
>> # ldbedit -H /usr/local/samba/private/sam.ldb CN=Administrator unicodePwd
>> failed to modify CN=Administrator,CN=Users,DC=example,DC=com -
>> setup_io: it's not allowed to set the NT hash password directly'
>> # 0 adds 0 modifies 0 deletes
>> If I connect to sam.ldb.d/DC=EXAMPLE,DC=COM.ldb instead, then it seems
>> to work:
>> # ldbedit -H /usr/local/samba/private/sam.ldb.d/DC\=EXAMPLE\,DC\=COM.ldb
>> CN=Administrator unicodePwd
>> # 0 adds 1 modifies 0 deletes
>> Is this an acceptable workaround? Or could it break things to use the
>> second method? Is there a better way to set these hashes directly?

More information about the samba-technical mailing list