[Samba] How to manage users with encrypted passwords

Andrew Bartlett abartlet at samba.org
Thu Jun 12 19:09:21 MDT 2014

On Thu, 2014-06-12 at 09:52 -0400, Steve Thompson wrote:
> On Thu, 12 Jun 2014, Benjamin Rocton wrote:
> > Yes, but I do not have the passwords in clear text in the LDAP. I can only 
> > have the encrypted password. And it does not seem that we can use samba-tool 
> > with an encrypted password?
> If you have the sambaNTPassword value from Samba3's LDAP database, you can 
> migrate that to the unicodePW field in Samba4's LDAP database by 
> converting it with this short Python script:
>  	#!/usr/bin/env python
>  	import base64
>  	import binascii
>  	import sys
>  	ldap_samba_nt_password = sys.argv[1]
>  	b64_hash = base64.b64encode(binascii.a2b_hex(ldap_samba_nt_password))
>  	print b64_hash
> which takes sambaNTPassword as an argument and prints unicodePwd on
> standard out. Write that to Samba4 with ldbmodify:
>  	# ldbmodify -H /whatever/private/sam/ldb --controls=local_oid: << EOF
>  	dn: CN=$name,CN=Users,DC=....
>  	changetype: modify
>  	replace: unicodePwd
>  	unicodePwd:: <value from python script>
>  	-
>  	EOF
> I used this technique for about 2000 users with no problems.

Indeed, this is essentially the correct approach.  I would love to see
the classicupgrade tool refined to have a --resync mode for this kind of
thing.  We could even check the password last set time to determine
which password is 'correct'.

In the meantime, doing something like this is the right appraoch.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list