How to import passwords to Heimdal?

Jelmer Vernooij jelmer at
Thu Dec 8 09:24:30 MST 2011

Hi Steve,

Am 08/12/11 17:07, schrieb Steve Gaarder:
> I have created a procedure and a couple Python scripts to synchronize 
> a password from an MIT KDC to a Samba4 domain controller.  The 
> procedure is below, the scripts are attached, and everything is also 
> here:
> Note that this assumes that the user already exists in Samba, and that 
> the CN of the user is the same as the username. (If you create the 
> user with samba-tool and specify a surname, you should use the 
> --use-username-as-cn option.)
> Step 1 - export the user from MIT:
> On the MIT KDC, use kdb5_util to dump the user's key data. Use the -b7 
> dump format option. E.g.:
> Step 2 - transfer the dump file to the Samba domain controller via 
> your preferred method.
> Step 3 - remove unneeded keys
> A Kerberos principal's key may be encoded in several different ways. 
> The only one Samba needs is arcfour-hmac-md5 (type 23), and the 
> conversion code may choke on other types. The Python script 
> will remove all but the first type 23 key; use it thus:
> python < >USERNAME.mitdump
> Step 4 - decrypt and convert the dump to Heimdal format
> The MIT tools do not provide a way to get an unencrypted key, so we 
> have to convert to Heimdal format to decrypt it. This step and the 
> next one can be done with one script - see below.
> Step 5 - extract the key, convert it to base64, and put it in the 
> Samba database
> Step 4 and this step can be done with the script This 
> script requires the Heimdal tools hprop and hpropd and copy of the key 
> that was used to encrypt the dump. This key is the same as the MIT 
> master key (unless you used the -mkey_convert option when you made the 
> dump) and needs to be in keytab format (older MIT "stash" format will 
> not work). Heimdal's ktutil can be used to create the key; make sure 
> that the enctype is the same. Run this script (as root) thus:
> python USERNAME.mitdump

That's great! It would be nice to include this in Samba, for other 
people that want to do this. It should probably be possible to automate 
more parts of this process, too.

For example, there is a python module for Kerberos, which should be 
usable to extra the user data directly, and we have an ldb Python module 
which can be used instead of calling out to ldbmodify. If you're 
interested in working on this and getting it included upstream, I'd be 
happy to give more pointers.



More information about the samba-technical mailing list