[Samba] How to manage users with encrypted passwords

Steve Thompson smt at vgersoft.com
Thu Jun 12 07:52:09 MDT 2014

On Thu, 12 Jun 2014, Benjamin Rocton wrote:

> Yes, but I do not have the passwords in clear text in the LDAP. I can only 
> have the encrypted password. And it does not seem that we can use samba-tool 
> with an encrypted password?

If you have the sambaNTPassword value from Samba3's LDAP database, you can 
migrate that to the unicodePW field in Samba4's LDAP database by 
converting it with this short Python script:

 	#!/usr/bin/env python
 	import base64
 	import binascii
 	import sys
 	ldap_samba_nt_password = sys.argv[1]
 	b64_hash = base64.b64encode(binascii.a2b_hex(ldap_samba_nt_password))
 	print b64_hash

which takes sambaNTPassword as an argument and prints unicodePwd on
standard out. Write that to Samba4 with ldbmodify:

 	# ldbmodify -H /whatever/private/sam/ldb --controls=local_oid: << EOF
 	dn: CN=$name,CN=Users,DC=....
 	changetype: modify
 	replace: unicodePwd
 	unicodePwd:: <value from python script>


I used this technique for about 2000 users with no problems.


More information about the samba mailing list