How to import passwords to Heimdal?
Michael Wood
esiotrot at gmail.com
Thu Nov 17 05:10:24 MST 2011
Hi
On 15 November 2011 16:36, Steve Gaarder <gaarder1 at math.cornell.edu> wrote:
> We currently have an MIT KDC set up to serve Linux and Mac; I'd like to use
> Samba4 to add Windows machines to the mix. To do this, I need to be able to
> import passwords from MIT to Samba4. Importing from MIT to Heimdal seems
> doable, but it appears that the necessary interfaces are missing from
> Samba's Heimdal implementation. What would it take to make this possible?
This is how I migrated accounts from OpenDirectory on a Mac to Samba4.
There were no machines joined to the domain or anything like that and
it did not matter what UID/GID the users had, so it was pretty much
just a matter of creating the accounts in Samba and then moving the
password hashes over. Here's basically how I did it:
1.) Dump the data out of the MIT Kerberos.
2.) Import into plain Heimdal.
See the following for the above two steps:
http://www.h5l.org/manual/heimdal-1-5-branch/info/heimdal/Migration.html#Migration
3.) Dump it from Heimdal again.
I can't remember for sure if this is what I did. I think I might have
just used hprop ... --stdout >accounts.txt and then converted the
accounts.txt to an LDIF file.
4.) Write a script to convert the Heimdal dump file into an LDIF file
containing the users and their unicodePwd hashes (just the
arcfour-hmac-md5 hashes from the dump file).
This is basically just a matter of extracting the username and the
right encrypted field from the Heimdal dump file. The unicodePwd
field must be encoded as per this document:
http://support.microsoft.com/kb/269190
except, where it says "UNICODE", read it as utf-16-le.
The Python code to encode it correctly in the LDIF is as follows:
('"%s"' % password).encode("utf-16-le")
5.) Use Samba4's ldbadd to add the accounts to Samba:
ldbadd -H $targetdir/private/sam.ldb --nosync --verbose \
--controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 \
--controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 accounts.ldif
Good luck.
--
Michael Wood <esiotrot at gmail.com>
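A worked version of steps 4 and 5's input, added here as an example and not part of Michael Wood's post or of Heimdal/Samba: it turns principals and their keys into an LDIF file, picking the arcfour-hmac-md5 key (Kerberos enctype 23, whose 16-byte key is the NT hash) for `unicodePwd`, and it also implements the KB269190 rule quoted above for the cleartext case (password wrapped in double quotes, encoded UTF-16LE, base64-wrapped in LDIF). The dump record layout it parses (`principal etype:hexkey ...`) is a constructed stand-in for the real Heimdal dump format and must be adapted to the actual field order; the base DN, container and account attributes are assumptions, and the sample keys are constructed. Whether a given Samba version accepts a raw 16-byte hash or only the quoted UTF-16LE form in `unicodePwd` under the controls in step 5 should be confirmed against its `password_hash` module on a test copy of `sam.ldb` before a bulk import.

```python
"""Build an LDIF for Samba's ldbadd from Kerberos principals and their keys.

Added example, not code from the original post. The dump layout parsed here
is a constructed simplification of the Heimdal dump format.
"""
import base64

# RFC 4757 enctype number for arcfour-hmac-md5; its key is the NT hash,
# i.e. the value Windows stores for unicodePwd.
ETYPE_ARCFOUR_HMAC_MD5 = 23

# Constructed sample dump: "principal etype:hexkey [etype:hexkey ...]".
# Keys are fake placeholders, not real credentials.
SAMPLE_DUMP = """\
alice@EXAMPLE.COM 18:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 23:0123456789abcdef0123456789abcdef
bob@EXAMPLE.COM 18:ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
host/kdc.example.com@EXAMPLE.COM 23:fedcba9876543210fedcba9876543210
"""


def encode_unicode_pwd(password: str) -> bytes:
    """KB269190 encoding for a cleartext password: '"password"' in UTF-16LE."""
    return ('"%s"' % password).encode("utf-16-le")


def ldif_attr(name: str, value: bytes) -> str:
    """One LDIF attribute line. Binary values are not LDIF 'safe strings',
    so they are written with '::' followed by base64 (RFC 2849)."""
    return "%s:: %s" % (name, base64.b64encode(value).decode("ascii"))


def parse_dump_line(line: str):
    """Parse one constructed dump record into (principal, {etype: keybytes})."""
    principal, *key_fields = line.split()
    keys = {}
    for field in key_fields:
        etype, hexkey = field.split(":", 1)
        keys[int(etype)] = bytes.fromhex(hexkey)
    return principal, keys


def principal_to_entry(principal: str, keys: dict, base_dn: str):
    """Return an LDIF entry for a user principal, or None if it cannot be
    migrated (service principal, or no arcfour-hmac-md5 key in the dump)."""
    name, realm = principal.split("@", 1)
    if "/" in name:
        return None  # host/service principals are not user accounts
    rc4_key = keys.get(ETYPE_ARCFOUR_HMAC_MD5)
    if rc4_key is None:
        return None  # only AES keys present: nothing Windows can use as NT hash
    if len(rc4_key) != 16:
        raise ValueError("arcfour-hmac-md5 key for %s is not 16 bytes" % principal)
    lines = [
        "dn: CN=%s,CN=Users,%s" % (name, base_dn),  # assumed container
        "objectClass: user",
        "cn: %s" % name,
        "sAMAccountName: %s" % name,
        "userPrincipalName: %s@%s" % (name, realm.lower()),
        ldif_attr("unicodePwd", rc4_key),
    ]
    return "\n".join(lines) + "\n"


def dump_to_ldif(dump_text: str, base_dn: str = "DC=example,DC=com"):
    """Convert a whole dump; returns (ldif_text, list_of_skipped_principals)."""
    entries, skipped = [], []
    for line in dump_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        principal, keys = parse_dump_line(line)
        entry = principal_to_entry(principal, keys, base_dn)
        if entry is None:
            skipped.append(principal)
        else:
            entries.append(entry)
    return "\n".join(entries), skipped


if __name__ == "__main__":
    ldif, skipped = dump_to_ldif(SAMPLE_DUMP)
    print(ldif)
    for p in skipped:
        print("# skipped (no migratable key or not a user):", p)
    # For comparison, the KB269190 form of a cleartext password:
    print(ldif_attr("unicodePwd", encode_unicode_pwd("secret")))
```

The script reports every principal it could not carry over rather than silently dropping it, so the skipped list can be reconciled against the MIT database before the `ldbadd` run in step 5.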