How to import passwords to Heimdal?

Andrew Bartlett abartlet at
Fri Nov 18 01:00:27 MST 2011

On Fri, 2011-11-18 at 09:17 +0200, Michael Wood wrote:
> Hi
> On 17 November 2011 23:44, Steve Gaarder <gaarder at> wrote:
> > Thanks - this is helpful.  I have a couple questions:
> >
> > 1.  In the Heimdal dump file, I see several arcfour-hmac-md5 (type 23)
> >   hashes for my test user; they appear to have different salts.  I assume
> >   I should use the one with the default ("-") salt, correct?
> Sorry, I can't remember off hand, but it seems likely.

arcfour-hmac-md5 passwords are unsalted, so it doesn't matter.

> > 2. The password in the dump file is in hex.  What do I need to do to it
> > before passing it to the ('"%s"' % password).encode("utf-16-le") operation?
> As far as I remember you should do the following before encoding it as above:
> password = hexpass.decode("hex")

That looks reasonable.  The arcfour-hmac-md5 hash is a 16 byte value,
and the unicodePwd is exactly that 16 byte value.  The extra control you
need to set (to store it directly) is
attach that as a control with no data). 

This will only migrate one kerberos hash, but this is also the most
common one, so it may not matter. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list