[Samba] Obtaining password hash from kerberos ?

Rowland Penny rowlandpenny241155 at gmail.com
Sat Sep 26 13:09:01 UTC 2015

On 26/09/15 12:01, Guy-Laurent Subri wrote:
> Hi!
>> How is samba set up ?
> Samba was set up automatically. It was already installed on a linux
> distro called Zentyal. It's a Samba 4 AD DC install.
>> What versions of Samba?
> The output of 'samba -V' is : Version 4.1.17-Zentyal.
>> When you say 'LDAP' do you mean 'LDAP' or the 'LDAP' built into a 
>> Samba4 DC?
> I want to merge two built-in LDAP of Samba4 into another LDAP which will
> not be a built-in LDAP, but one I set up on my own.

The LDAP built into an AD DC is not the same as OPENLDAP and as such you 
cannot directly use info from one with the other i.e. whilst either will 
produce an ldif dump, you cannot use that ldif with the other.

>> When you say 'kerberos' do you mean a standalone kerberos or the
>> kerberos built into a Samba4 DC?
> I mean the built-in kerberos

You cannot obtain a clear version of any passwords stored in AD, you can 
only obtain the hashed password and then only on the Samba4 AD DC. You 
also cannot get any passwords from kerberos, it doesn't actually use them!

> I thought that I found a solution: using kdb5-util I could have copied
> the kerberos database and merge it in another, but it is not installed
> and if I try to install it, it will remove parts of Zentyal, which I
> need.

Have a look here: 

This may help you with what you are trying to do


> Thank you for your time,
> P.S. is my problem clear or should I try to explain it in another way ?

P.S. Yes it is clear, it is clear you don't really know what you are 
doing, I would suggest that you do a lot more reading, the Samba wiki is 
a good place to start. :-)

> Guy-Laurent Subri

More information about the samba mailing list