[Samba] Migrating kerberos KDC data into Samba4 internal KDC
abartlet at samba.org
Sat Jan 5 18:59:18 MST 2013
On Fri, 2013-01-04 at 16:50 -0600, John Perkins wrote:
> Is there a mechanism migrate/import user principal information from an
> MIT KDC into a Samba4 internal KDC?
> We currently run our Active Directory users with Account Mappings that
> utilize a cross-realm trust between our MIT KDC (where user principals
> are maintained) and the Active Directory domain, as documented at
> *http://tinyurl.com/bx9znca* This works fine for our Windows clients,
> but it does cause some headaches for software and some clients that
> expect to find username/password information in Active Directory.
> Using the MIT KDC as the KDC for the Samba4 ADS controller would be
> fine, or some mechanism to sync user principal information between the
> KDCs should do what I'm looking for. Unfortunately, I'm not certain
> this functionality is feasible or even possible.
Currently we don't have the import code finished here, but there are
ways to make this work. Particularly for a case with mapping to an
existing AD DC, it is going to be a bit custom.
If you don't mind restricting yourself to the arcfour-hmac-md5
encryption type, then extracting that key, then importing it into the
unicodePwd attribute (with the right magic controls) won't be too
There is a magic control you can specify to the python ldb bindings to
set a particular password or you can do it via passdb using the python
interface. See source4/scripting/python/samba/upgrade.py for some
inspiration, particularly the last part where the admin pw is forced.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba