[Samba] Editing user password hashes
Andrew Bartlett
abartlet at samba.org
Mon Aug 21 02:38:52 UTC 2023
On Mon, 2023-08-21 at 10:08 +0800, Reese Wang via samba wrote:
> Hi all. I'm migrating from a small OpenLDAP setup and currently
> haveusers' password hashes in {SSHA} and {CRYPT}$5$.16s format.Can I
> just ldbedit or ldbmodify user's supplementalCredentials fieldsin
> /var/lib/samba/private/sam.ldb.d/DC%3DAD%2CDC%3DEXAMPLE%2CDC%3DCOM.ld
> bto migrate passwords?
> Provided that I could get the data structure right.
> (Documentationsabout supplementalCredentials should be here I think
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/84cefe3e-a688-4232-b997-ac5d9993f5eb)I
> have "ntlm auth = disabled" in smb.conf so I think not having NThash
> is not a problem.
No, currently Samba does not support importing crypt() format password
hashes. We always require either the NT hash or the Kerberos hashes.
It would be a nice feature, to be able to start with that imported
crypt() hash (or indeed the NT hash) and populate the other values on
the first LDAP simple bind, but such imports are rare enough that such
a migration has never been implemented.
(Also, only non-AD clients do LDAP simple binds, real AD clients use
Kerberos which can't work against the crypt() hash).
Sorry!
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
More information about the samba
mailing list