How to import passwords to Heimdal?
Andrew Bartlett
abartlet at samba.org
Tue Nov 29 17:24:30 MST 2011
On Tue, 2011-11-29 at 16:01 -0500, Steve Gaarder wrote:
> I believe I have figured it out. MIT does not seem to have a way to dump
> unencrypted passwords, so I needed to use Heimdal tools (though not a Heimdal
> KDC) to decrypt them. Then I turned it into base64 and used ldapmodify to
> insert it. Here are the steps:
>
> 1. Export the principal(s) from MIT with -b7 format. I use mkey-convert
> to use a different encryption password from my master password.
>
> 2. On a machine with Heimdal installed, use ktutil to create a key file
> with the same password that was used in step 1, encoded with the same
> enctype as the MIT server's default.
>
> 3. Remove any type 8 keys from the MIT file, since hprop chokes on them.
> There's info about the format of MIT dump files in the comments
> in the perl script on this page:
>
> https://mountcup.de/tiki/tiki-index.php?page=mibe-kerberos-heimdal-2-mit
>
> 4. Use hprop and hpropd to decrypt and convert the keys:
>
> hprop --database=THEDUMPFILE --source=mit-dump --decrypt \
> --master-key=THEKEYFILE --stdout| hpropd -n --print
>
> 5. The type 23 keys are now 32 hex digits (16 bytes). This piece of
> Python turns them into base64 encoded:
>
> import base64, binascii
> h = HEXSTRING                                   # the 32 hex digits from hpropd
> b = base64.b64encode(binascii.unhexlify(h))     # unhexlify works on Python 2 and 3
>
> 6. Then put it into an LDIF file that looks like this:
>
> dn: CN=XXXX,CN=Users,DC=XXXX,DC=XXXX,DC=XXXX
> changetype: modify
> replace: unicodePwd
> unicodePwd:: XXXXXXXXXXXXXXXXXXXXXXXX
>
> Note the double colon after unicodePwd - it signals that the data is base64.
>
> 7. Then use ldbmodify to import the data:
>
> ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=XXXX\,DC\=XXXX\,DC\=XXXX.ldb \
>     --nosync --verbose --controls=relax:0 LDIFFILE.ldif
>
> Two of the controls in Andrew's example (the ones with OIDs) were rejected by
> ldbmodify so I removed them. Where is there info on what they do?
>
> Now I just need to create scripts to do all this automagically.
>
> And one question: do I need to do something to tell Samba that the password
> has been changed?
If all that works, then you are done. I'm working on an alternate
approach, hooking up Heimdal's kadmin so you can get all the keys as if
this was a normal Heimdal DB. (I know I disagreed with this in the
past, but the complexity of what you have needed to do has changed my
mind).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org