How to import passwords to Heimdal?
Andrew Bartlett
abartlet at samba.org
Fri Nov 18 01:00:27 MST 2011

On Fri, 2011-11-18 at 09:17 +0200, Michael Wood wrote:
> Hi
>
> On 17 November 2011 23:44, Steve Gaarder <gaarder at math.cornell.edu> wrote:
> > Thanks - this is helpful. I have a couple questions:
> >
> > 1. In the Heimdal dump file, I see several arcfour-hmac-md5 (type 23)
> > hashes for my test user; they appear to have different salts. I assume
> > I should use the one with the default ("-") salt, correct?
>
> Sorry, I can't remember offhand, but it seems likely.

arcfour-hmac-md5 passwords are unsalted, so it doesn't matter.

> > 2. The password in the dump file is in hex. What do I need to do to it
> > before passing it to the ('"%s"' % password).encode("utf-16-le") operation?
>
> As far as I remember you should do the following before encoding it as above:
>
> password = hexpass.decode("hex")

That looks reasonable. The arcfour-hmac-md5 hash is a 16 byte value,
and the unicodePwd is exactly that 16 byte value. The extra control you
need to set (to store it directly) is
DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID (1.3.6.1.4.1.7165.4.3.12) (just
attach that as a control with no data).

This will only migrate one Kerberos hash, but this is also the most
common one, so it may not matter.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
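
The steps discussed in this thread, as an added Python 3 example that is not part of the original message or of Samba's code: pick the type 23 key, check it decodes to 16 bytes, and describe the unicodePwd modify with the bypass control. The tuple layout, the function names, the sample values and the "local_oid:<oid>:<critical>" control-string form are assumptions made for illustration.

```python
ARCFOUR_HMAC_MD5 = 23  # Kerberos enctype number quoted in the thread
# OID quoted in the thread for DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID
BYPASS_PASSWORD_HASH_OID = "1.3.6.1.4.1.7165.4.3.12"


def nt_hash_from_keys(keys):
    """Return the 16-byte arcfour-hmac-md5 key from (enctype, salt, hexkey) tuples.

    The tuple layout is constructed for this example; it is not the Heimdal
    dump format, so parse the real dump into this shape first.
    """
    found = set()
    for enctype, _salt, hexkey in keys:
        if enctype != ARCFOUR_HMAC_MD5:
            continue
        try:
            raw = bytes.fromhex(hexkey)  # Python 3 form of hexpass.decode("hex")
        except ValueError as exc:
            raise ValueError("type 23 key is not valid hex") from exc
        if len(raw) != 16:
            raise ValueError("type 23 key must be 16 bytes, got %d" % len(raw))
        found.add(raw)
    if not found:
        raise LookupError("no arcfour-hmac-md5 key for this principal")
    if len(found) > 1:
        # Unsalted keys for one password must match whatever salt is listed.
        raise ValueError("type 23 keys differ; entry is inconsistent")
    return found.pop()


def build_unicodepwd_modify(dn, nt_hash):
    """Describe the modify request: raw hash in unicodePwd plus the bypass control."""
    if len(nt_hash) != 16:
        raise ValueError("unicodePwd hash must be 16 bytes")
    return {
        "dn": dn,
        "replace": {"unicodePwd": nt_hash},  # raw bytes, no quoting, no UTF-16
        # Assumed ldb control-string form "local_oid:<oid>:<critical>", no data.
        "controls": ["local_oid:%s:0" % BYPASS_PASSWORD_HASH_OID],
    }


# Constructed sample entry: the same type 23 key listed under two salts.
SAMPLE_KEYS = [
    (18, "EXAMPLE.COMalice", "00" * 32),
    (23, "-", "8846f7eaee8fb117ad06bdd830b7586c"),
    (23, "EXAMPLE.COMalice", "8846F7EAEE8FB117AD06BDD830B7586C"),
]
```

The returned dictionary is only a description of the request; sending it requires a directory client, which this example does not include.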