How to import passwords to Heimdal?
gaarder1 at math.cornell.edu
Tue Nov 29 14:01:09 MST 2011
I believe I have figured it out. MIT does not seem to have a way to dump
unencrypted passwords, so I needed to use Heimdal tools (though not a Heimdal
KDC) to decrypt them. Then I turned it into base64 and used ldapmodify to
insert it. Here are the steps:
1. Export the principal(s) from MIT with -b7 format. I use mkey-convert
to use a different encryption password from my master password.
2. On a machine with Heimdal installed, use ktutil to create a key file
with the same password that was used in step 1, encoded with the same
enctype as the MIT server's default.
3. Remove any type 8 keys from the MIT file, since hprop chokes on them.
There's info about the format of MIT dump files in the comments
in the perl script on this page:
4. Use hprop and hpropd to decrypt and convert the keys:
hprop --database=THEDUMPFILE --source=mit-dump --decrypt \
--master-key=THEKEYFILE --stdout | hpropd -n --print
5. The type 23 keys are now 32 hex digits (16 bytes). This piece of
Python turns them into base64 encoded strings:
import base64, binascii
h = HEXSTRING  # the 32 hex digits printed by hpropd
b = base64.b64encode(binascii.unhexlify(h))  # works on Python 2 and 3
6. Then put it into an LDIF file that looks like this:
Note the double colon after unicodePwd - it signals that the data is base 64.
7. Then use ldbmodify to import the data:
/usr/local/samba/private/sam.ldb.d/DC\=XXXX\,DC\=XXXX\,DC\=XXXX.ldb --nosync --verbose --controls=relax:0 LDIFFILE.ldif
Two of the controls in Andrew's example (the ones with OIDs) were rejected by
ldbmodify so I removed them. Where is there info on what they do?
Now I just need to create scripts to do all this automagically.
And one question: do I need to do something to tell Samba that the password
has been changed?
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaarder at math.cornell.edu
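As an added illustration of steps 5 and 6 (example code written for this page, not from the original post): a small Python 3 script that validates the 32-hex-digit type 23 key, base64-encodes it, and emits the unicodePwd change record with the double colon. The DN, the replace-style modify record and the constructed key value are assumptions, since the post does not show its LDIF.

```python
"""Build the LDIF described in the post: a modify of unicodePwd whose
value is the 16-byte type 23 (arcfour-hmac) key, written as base64
behind the double colon so ldbmodify does not treat it as text."""
import base64
import binascii


def nt_hash_to_base64(hexkey: str) -> str:
    """Convert the 32 hex digits printed by hpropd into base64.
    Same conversion as the two-line snippet in the post, but it refuses
    keys of the wrong length or with non-hex characters instead of
    silently producing garbage that ldbmodify would accept."""
    hexkey = hexkey.strip().lower()
    if len(hexkey) != 32:
        raise ValueError(f"type 23 key must be 32 hex digits, got {len(hexkey)}")
    try:
        raw = binascii.unhexlify(hexkey)
    except binascii.Error as exc:
        raise ValueError("type 23 key is not valid hex") from exc
    return base64.b64encode(raw).decode("ascii")


def unicode_pwd_ldif(dn: str, hexkey: str) -> str:
    """One LDIF change record replacing unicodePwd on the given DN.
    Assumption: a changetype: modify / replace record is what the
    post's missing LDIF looked like.  The '::' after the attribute
    name marks the value as base64, as the post notes."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {nt_hash_to_base64(hexkey)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values, not a real principal or key.
    sample_dn = "CN=testuser,CN=Users,DC=example,DC=com"
    sample_key = "00112233445566778899aabbccddeeff"
    print(unicode_pwd_ldif(sample_dn, sample_key))
```

The printed record can be saved as LIFFILE.ldif and fed to the ldbmodify command shown in step 7.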