[Samba] How to manage users with encrypted passwords
Andrew Bartlett
abartlet at samba.org
Thu Jun 12 19:09:21 MDT 2014
On Thu, 2014-06-12 at 09:52 -0400, Steve Thompson wrote:
> On Thu, 12 Jun 2014, Benjamin Rocton wrote:
>
> > Yes, but I do not have the passwords in clear text in the LDAP. I can only
> > have the encrypted password. And it does not seem that we can use samba-tool
> > with an encrypted password?
>
> If you have the sambaNTPassword value from Samba3's LDAP database, you can
> migrate that to the unicodePW field in Samba4's LDAP database by
> converting it with this short Python script:
>
> #!/usr/bin/env python
> import base64
> import binascii
> import sys
> ldap_samba_nt_password = sys.argv[1]
> b64_hash = base64.b64encode(binascii.a2b_hex(ldap_samba_nt_password))
> print b64_hash
>
> which takes sambaNTPassword as an argument and prints unicodePwd on
> standard out. Write that to Samba4 with ldbmodify:
>
> # ldbmodify -H /whatever/private/sam/ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 << EOF
> dn: CN=$name,CN=Users,DC=....
> changetype: modify
> replace: unicodePwd
> unicodePwd:: <value from python script>
> -
>
> EOF
>
> I used this technique for about 2000 users with no problems.
Indeed, this is essentially the correct approach. I would love to see
the classicupgrade tool refined to have a --resync mode for this kind of
thing. We could even check the password last set time to determine
which password is 'correct'.
In the meantime, doing something like this is the right appraoch.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list