How to import passwords to Heimdal?

Andrew Bartlett abartlet at
Tue Nov 15 15:18:34 MST 2011

On Tue, 2011-11-15 at 09:36 -0500, Steve Gaarder wrote:
> We currently have an MIT KDC set up to serve Linux and Mac; I'd like to 
> use Samba4 to add Windows machines to the mix.  To do this, I need to be 
> able to import passwords from MIT to Samba4.  Importing from MIT to 
> Heimdal seems doable, but it appears that the necessary interfaces are 
> missing from Samba's Heimdal implementation.  WHat would it take to make 
> this possible?

Certainly the Samba4's hdb_samba4 could be improved to the stage where
it is a standalone plugin .so and will accept imports using the heimdal
tools.  Others have asked for kadmin to be enabled against Samba4, and
so this would also help that cause.

However, the results of our first migration experiment (samba-tool
domain samba3upgrade) indicate that this may not be the best approach.
Instead, I think we should either have another tool like samba3upgrade,
reading dump files, or extend samba3upgrade to read the kerberos
attributes from LDAP where the kerberos realm has been combined with a
Samba3 domain.

The reason I suggest this approach is that in importing a domain, there
are more choices and checks that need to be done than you might expect,
and these along with the 'provision' are easier to do in python.   

As an example, we probably wish to skip importing the krbtgt user, or
only import the keys (preserving other attributes from Samba's
provision).  By writing a python script we can also automate the
provision (reading the realm from the dump, and then creating the base
set of users and groups), and then apply some reasonably flexible rules
to the import process as we proceed.   

There is already a process by which we can signal that we have filled in
the supplementalCredentials and unicodePwd (by setting a special
control), allowing us to import the keys without knowing the cleartext,
and we can build that structure in python (I can help with that). 

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list