Migrating from Apple OpenDirectory?

Andrew Bartlett abartlet at samba.org
Fri May 21 17:23:11 MDT 2010

On Fri, 2010-05-21 at 17:44 +0200, Michael Wood wrote:
> In case you've forgotten, I'm trying to get some users out of Open
> Directory into Samba4 for authentication purposes.
> On 20 April 2010 04:54, Andrew Bartlett <abartlet at samba.org> wrote:
> [...]
> > Honestly, I'm not sure.  You would need to write up a python script (I
> > think) that would first import the users from the OpenDirectory
> > (preserving their SIDs), and then extract the 'arcfour-hmac-md5' (type
> > 23) key and set it into the unicodePwd attribute in Samba4's LDAP
> > server.
> >
> > Once you have the data in the dump format, this may be easy to parse, or
> > else it may be better to read it using Heimdal tools somehow.
> OK, I had some trouble with the stash file from the OS X box, but I
> now have a dump file in the Heimdal dump format, so I can get at the
> arcfour-hmac-md5 keys.  Do I just shove those into the unicodePwd
> attribute?

Yes, as a 16 byte array (not hex encoded or anything, just raw in LDAP -
you may need to base64 them if putting them in via LDIF). 

> What about the other keys?  There are two des-hmac-crc (type 1) keys
> and a 3des-hmac-sha1 (type 16) key for each principal too.  Should I
> just ignore those?

I would, yes.  Clients and servers that can't use the arcfour-hmac-md5
keys are pretty rare these days.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
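
The step described in the reply above, as an added example that is not part of the original message or of Samba: it turns one arcfour-hmac-md5 (type 23) key into an LDIF modify record with unicodePwd base64-encoded. It assumes the key has already been pulled out of the Heimdal dump as a hex string; the function names, the DN and the key value are constructed for illustration.

```python
import base64
import binascii

NT_KEY_LEN = 16  # an arcfour-hmac-md5 (type 23) key is 16 raw bytes


def nt_key_from_hex(hex_key):
    """Decode a hex-encoded type 23 key; reject anything that is not 16 bytes."""
    try:
        raw = binascii.unhexlify(hex_key.strip())
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key is not valid hex: %s" % exc)
    if len(raw) != NT_KEY_LEN:
        # A different length means a different enctype (e.g. a DES key) was picked up.
        raise ValueError("expected %d bytes, got %d" % (NT_KEY_LEN, len(raw)))
    return raw


def ldif_safe(value):
    """True if value can be written as plain 'attr: value' under RFC 2849."""
    if value == "" or value[0] in " :<" or value[-1] == " ":
        return False
    return all(0 < ord(c) < 128 and c not in "\r\n" for c in value)


def unicodepwd_ldif(dn, hex_key):
    """Build an LDIF modify record that replaces unicodePwd with the raw key."""
    b64_key = base64.b64encode(nt_key_from_hex(hex_key)).decode("ascii")
    if ldif_safe(dn):
        dn_line = "dn: " + dn
    else:
        # DNs with non-ASCII characters must be base64-encoded as well.
        dn_line = "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")
    return "\n".join([
        dn_line,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + b64_key,  # '::' marks a base64 value holding raw bytes
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(unicodepwd_ldif("CN=alice,CN=Users,DC=example,DC=com",
                          "00112233445566778899aabbccddeeff"))
```

The length check catches the case where a key of another enctype from the same principal is passed in by mistake.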
