How to import passwords to Heimdal?
jelmer at samba.org
Thu Dec 8 09:24:30 MST 2011
Am 08/12/11 17:07, schrieb Steve Gaarder:
> I have created a procedure and a couple Python scripts to synchronize
> a password from an MIT KDC to a Samba4 domain controller. The
> procedure is below, the scripts are attached, and everything is also
> Note that this assumes that the user already exists in Samba, and that
> the CN of the user is the same as the username. (If you create the
> user with samba-tool and specify a surname, you should use the
> --use-username-as-cn option.)
> Step 1 - export the user from MIT:
> On the MIT KDC, use kdb5_util to dump the user's key data. Use the -b7
> dump format option. E.g.:
> kdb5_util dump -b7 USERNAME.mit USERNAME at REALM.WHATSAMATTAU.EDU
> Step 2 - transfer the dump file to the Samba domain controller via
> your preferred method.
> Step 3 - remove unneeded keys
> A Kerberos principal's key may be encoded in several different ways.
> The only one Samba needs is arcfour-hmac-md5 (type 23), and the
> conversion code may choke on other types. The Python script
> filterdump.py will remove all but the first type 23 key; use it thus:
> python filterdump.py <USERNAME.mit >USERNAME.mitdump
> Step 4 - decrypt and convert the dump to Heimdal format
> The MIT tools do not provide a way to get an unencrypted key, so we
> have to convert to Heimdal format to decrypt it. This step and the
> next one can be done with one script - see below.
> Step 5 - extract the key, convert it to base64, and put it in the
> Samba database
> Step 4 and this step can be done with the script syncdump.py. This
> script requires the Heimdal tools hprop and hpropd and copy of the key
> that was used to encrypt the dump. This key is the same as the MIT
> master key (unless you used the -mkey_convert option when you made the
> dump) and needs to be in keytab format (older MIT "stash" format will
> not work). Heimdal's ktutil can be used to create the key; make sure
> that the enctype is the same. Run this script (as root) thus:
> python syncdump.py USERNAME.mitdump
That's great! It would be nice to include this in Samba, for other
people that want to do this. It should probably be possible to automate
more parts of this process, too.
For example, there is a python module for Kerberos, which should be
usable to extra the user data directly, and we have an ldb Python module
which can be used instead of calling out to ldbmodify. If you're
interested in working on this and getting it included upstream, I'd be
happy to give more pointers.
More information about the samba-technical