Syncning passwords from MIT Kerberos to Samba 3?

simo idra at
Thu Dec 8 10:18:04 MST 2011

On Thu, 2011-12-08 at 11:30 -0500, Steve Gaarder wrote: 
> In the process of figuring out how to import passwords from MIT Kerberos 
> to Samba4's Heimdal, I learned that the arcfour-hmac-md5 kerberos key is 
> the same as the Windows NT password hash.  So it would seem that I can 
> just decrypt and extract that key and put it in the smbpassswd file or 
> tdbsam database.  I tried it and it seems to work.  Of course, there is no 
> valid LANMAN password, but that's not an issue since I don't have any old 
> clients.  Are there any other gotchas?

Nope, they are indeed the same, and arcfour-hmac-md5 enctype was indeed
introduced by Ms in order to allow upgrades from NT4 to Win2000 without
loss of access due to missing credentials.


Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Principal Software Engineer at Red Hat, Inc. <simo at>

More information about the samba-technical mailing list