How to import passwords to Heimdal?
esiotrot at gmail.com
Thu Nov 17 05:10:24 MST 2011
On 15 November 2011 16:36, Steve Gaarder <gaarder1 at math.cornell.edu> wrote:
> We currently have an MIT KDC set up to serve Linux and Mac; I'd like to use
> Samba4 to add Windows machines to the mix. To do this, I need to be able to
> import passwords from MIT to Samba4. Importing from MIT to Heimdal seems
> doable, but it appears that the necessary interfaces are missing from
> Samba's Heimdal implementation. What would it take to make this possible?
This is how I migrated accounts from OpenDirectory on a Mac to Samba4.
There were no machines joined to the domain or anything like that and
it did not matter what UID/GID the users had, so it was pretty much
just a matter of creating the accounts in Samba and then moving the
password hashes over. Here's basically how I did it:
1.) Dump the data out of the MIT Kerberos.
2.) Import into plain Heimdal.
See the following for the above two steps:
3.) Dump it from Heimdal again.
I can't remember for sure if this is what I did. I think I might have
just used hprop ... --stdout >accounts.txt and then converted the
accounts.txt to an LDIF file.
4.) Write a script to convert the Heimdal dump file into an LDIF file
containing the users and their unicodePwd hashes (just the
arcfour-hmac-md5 hashes from the dump file).
This is basically just a matter of extracting the username and the
right encrypted field from the Heimdal dump file. The unicodePwd
field must be encoded as per this document:
except, where it says "UNICODE", read it as utf-16-le.
The Python code to encode it correctly in the LDIF is as follows:
('"%s"' % password).encode("utf-16-le")
5.) Use Samba4's ldbadd to add the accounts to Samba:
ldbadd -H $targetdir/private/sam.ldb --nosync --verbose \
--controls=relax:0 --controls=local_oid:22.214.171.124.4.1.7126.96.36.199:0 \
Michael Wood <esiotrot at gmail.com>