How to import passwords to Heimdal?

Michael Wood esiotrot at
Thu Nov 17 05:10:24 MST 2011


On 15 November 2011 16:36, Steve Gaarder <gaarder1 at> wrote:
> We currently have an MIT KDC set up to serve Linux and Mac; I'd like to use
> Samba4 to add Windows machines to the mix.  To do this, I need to be able to
> import passwords from MIT to Samba4.  Importing from MIT to Heimdal seems
> doable, but it appears that the necessary interfaces are missing from
> Samba's Heimdal implementation.  WHat would it take to make this possible?

This is how I migrated accounts from OpenDirectory on a Mac to Samba4.
 There were no machines joined to the domain or anything like that and
it did not matter what UID/GID the users had, so it was pretty much
just a matter of creating the accounts in Samba and then moving the
password hashes over.  Here's basically how I did it:

1.)  Dump the data out of the MIT Kerberos.
2.)  Import into plain Heimdal.

See the following for the above two steps:

3.)  Dump it from Heimdal again.

I can't remember for sure if this is what I did.  I think I might have
just used hprop ... --stdout >accounts.txt and then converted the
accounts.txt to an LDIF file.

4.)  Write a script to convert the Heimdal dump file into an LDIF file
containing the users and their unicodePwd hashes (just the
arcfour-hmac-md5 hashes from the dump file).

This is basically just a matter of extracting the username and the
right encrypted field from the Heimdal dump file.  The unicodePwd
field must be encoded as per this document:

except, where it says "UNICODE", read it as utf-16-le.

The Python code to encode it correctly in the LDIF is as follows:

('"%s"' % password).encode("utf-16-le")

5.)  Use Samba4's ldbadd to add the accounts to Samba:

ldbadd -H $targetdir/private/sam.ldb --nosync --verbose \
  --controls=relax:0 --controls=local_oid: \
  --controls=local_oid: accounts.ldif

Good luck.

Michael Wood <esiotrot at>

More information about the samba-technical mailing list