How to import passwords to Heimdal?

Steve Gaarder gaarder1 at
Tue Nov 29 14:01:09 MST 2011

I believe I have figured it out.  MIT does not seem to have a way to dump 
unencrypted passwords, so I needed to use Heimdal tools (though not a Heimdal 
KDC) to decrypt them.  Then I turned it into base64 and used ldapmodify to 
insert it.  Here are the steps:

1.  Export the principal(s) from MIT with -b7 format.  I use mkey-convert
     to use a different encryption password from my master password.

2.  On a machine with Heimdal installed, use ktutil to create a key file
     with the same password that was used in step 1, encoded with the same
     enctype as the MIT server's default.

3.  Remove any type 8 keys from the MIT file, since hprop chokes on them.
     There's info about the format of MIT dump files in the comments
     in the perl script on this page:

4.  Use hprop and hpropd to decrypt and convert the keys:

hprop --database=THEDUMPFILE --source=mit-dump --decrypt \
      --master-key=THEKEYFILE --stdout | hpropd -n --print

5.  The type 23 keys are now 32 hex digits (16 bytes).  This piece of
     Python turns them into base64-encoded form:

import base64, binascii
b = base64.b64encode(binascii.unhexlify(h))  # h: 32 hex digits -> 16 raw bytes -> base64

6.  Then put it into an LDIF file that looks like this:

changetype: modify
replace: unicodePwd

Note the double colon after unicodePwd - it signals that the data is base64.

7.  Then use ldbmodify to import the data:

ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=XXXX\,DC\=XXXX\,DC\=XXXX.ldb \
      --nosync --verbose --controls=relax:0 LDIFFILE.ldif

Two of the controls in Andrew's example (the ones with OIDs) were rejected by 
ldbmodify so I removed them.  Where is there info on what they do?

Now I just need to create scripts to do all this automagically.

And one question:  do I need to do something to tell Samba that the password 
has been changed?


Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaarder at
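Steps 5 and 6 above, carried through as an added example (this is not Steve's script and not Samba's or Heimdal's code): it checks that each type 23 key really is 32 hex digits, base64-encodes the 16 raw bytes, and emits one "changetype: modify" record per principal with the double-colon unicodePwd line. The sample keys, principal names and the CN=Users DN layout are constructed assumptions, not values from the post.

```python
import base64
import binascii
import re

# Constructed sample: principal -> type 23 key as 32 hex digits, the shape
# hprop/hpropd leave you with.  Not real credentials.
SAMPLE_KEYS = {
    "alice@EXAMPLE.COM": "0123456789abcdef0123456789abcdef",
    "bob@EXAMPLE.COM": "fedcba9876543210fedcba9876543210",
}

HEX16 = re.compile(r"^[0-9a-fA-F]{32}$")


def principal_to_dn(principal, base_dn="DC=example,DC=com"):
    """Hypothetical mapping from Kerberos principal to Samba AD DN (assumed
    layout: user objects under CN=Users); adjust to your own directory."""
    user = principal.split("@", 1)[0]
    return "CN=%s,CN=Users,%s" % (user, base_dn)


def nt_hash_to_b64(hex_key):
    """Step 5: 32 hex digits -> base64 of the 16 raw bytes."""
    if not HEX16.match(hex_key):
        raise ValueError("type 23 key must be exactly 32 hex digits: %r" % hex_key)
    return base64.b64encode(binascii.unhexlify(hex_key)).decode("ascii")


def build_ldif(keys, base_dn="DC=example,DC=com"):
    """Step 6: one modify record per principal.  The double colon after
    unicodePwd tells ldbmodify the value is base64; '-' closes each change."""
    records = []
    for principal, hex_key in sorted(keys.items()):
        records.append("\n".join([
            "dn: %s" % principal_to_dn(principal, base_dn),
            "changetype: modify",
            "replace: unicodePwd",
            "unicodePwd:: %s" % nt_hash_to_b64(hex_key),
            "-",
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Writes the LDIF that step 7's ldbmodify invocation would consume.
    print(build_ldif(SAMPLE_KEYS))
```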

More information about the samba-technical mailing list