[Samba] Migrating kerberos KDC data into Samba4 internal KDC

Andrew Bartlett abartlet at samba.org
Sat Jan 5 18:59:18 MST 2013

On Fri, 2013-01-04 at 16:50 -0600, John Perkins wrote:
> Is there a mechanism migrate/import user principal information from an 
> MIT KDC into a Samba4 internal KDC?
> We currently run our Active Directory users with Account Mappings that 
> utilize a cross-realm trust between our MIT KDC (where user principals 
> are maintained) and the Active Directory domain, as documented at 
> *http://tinyurl.com/bx9znca*  This works fine for our Windows clients, 
> but it does cause some headaches for software and some clients that 
> expect to find username/password information in Active Directory.
> Using the MIT KDC as the KDC for the Samba4 ADS controller would be 
> fine, or some mechanism to sync user principal information between the 
> KDCs should do what I'm looking for.  Unfortunately, I'm not certain 
> this functionality is feasible or even possible.

Currently we don't have the import code finished here, but there are
ways to make this work.  Particularly for a case with mapping to an
existing AD DC, it is going to be a bit custom.

If you don't mind restricting yourself to the arcfour-hmac-md5
encryption type, then extracting that key, then importing it into the
unicodePwd attribute (with the right magic controls) won't be too

There is a magic control you can specify to the python ldb bindings to
set a particular password or you can do it via passdb using the python
interface.  See source4/scripting/python/samba/upgrade.py for some
inspiration, particularly the last part where the admin pw is forced. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list