[Samba] Editing user password hashes

Andrew Bartlett abartlet at samba.org
Mon Aug 21 02:38:52 UTC 2023

On Mon, 2023-08-21 at 10:08 +0800, Reese Wang via samba wrote:
> Hi all. I'm migrating from a small OpenLDAP setup and currently
> have users' password hashes in {SSHA} and {CRYPT}$5$.16s format. Can I
> just ldbedit or ldbmodify user's supplementalCredentials fields in
> /var/lib/samba/private/sam.ldb.d/DC%3DAD%2CDC%3DEXAMPLE%2CDC%3DCOM.ldb
> to migrate passwords?
> Provided that I could get the data structure right.
> (Documentation about supplementalCredentials should be here I think
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/84cefe3e-a688-4232-b997-ac5d9993f5eb) I
> have "ntlm auth = disabled" in smb.conf so I think not having NThash
> is not a problem.

No, currently Samba does not support importing crypt() format password
hashes.  We always require either the NT hash or the Kerberos hashes. 
It would be a nice feature, to be able to start with that imported
crypt() hash (or indeed the NT hash) and populate the other values on
the first LDAP simple bind, but such imports are rare enough that such
a migration has never been implemented.
(Also, only non-AD clients do LDAP simple binds; real AD clients use
Kerberos, which can't work against the crypt() hash).

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
