[Samba] a way to migrate password from Samba 4.0 AD DC to new AD DC?

Kees van Vloten keesvanvloten at gmail.com
Wed Aug 14 10:43:57 UTC 2024


On 14-08-2024 12:35, Rowland Penny via samba wrote:
> On Wed, 14 Aug 2024 12:24:12 +0200
> Franta Hanzlik via samba <samba at lists.samba.org> wrote:
>
>> Dne 2024.08.14 10:16, Rowland Penny via samba wrote:
>>> On Wed, 14 Aug 2024 05:56:22 +0200
>>> Franta Hanzlík via samba <samba at lists.samba.org> wrote:
>>>
>>>> Please, is there any way to migrate passwords from old Samba 4.0
>>>> AD DC to new (Samba 4.20) one?
>>> Yes, add another DC, but you will probably have to do it in stages,
>>> Samba 4.0.x went EOL 9 years ago. I think you would have to upgrade
>>> to 4.5.x then 4.20.x
>> The new AD domain name will be different than it is on the old 4.0 DC,
>> so I'd rather start with a clean install.
>> I'm not an AD guru and I'm afraid of problems ;)
> Then I suggest you start totally fresh and add your users & groups from
> a CSV file or similar, give your users a temporary password and make
> them change them at first login. You are going to have to make the
> clients leave the 'old' domain and then join the 'new' domain, whatever
> you do.
>
>>>> In an ldbsearch export from the old AD, the only related item I see
>>>> is the 'unicodePwd' attribute, and it may be possible to write it to
>>>> the new system using ldbmodify
>>>>   - but is it the right and simplest solution?
>>> No it isn't right and it isn't simple. The password you get back if
>>> you ask for the contents of the unicodePwd isn't the password, it
>>> is the 64bit encoding of the password, which doesn't seem to be
>>> reversible. You also cannot just write a password to the unicodePwd
>>> attribute, it has to be encoded in a precise way and written over
>>> SSL.
>> I meant using ldbmodify to write directly the base64 string obtained
>> from the old DC, directly on the AD DC machine. This would work
>> without TLS and even without Samba running, and it should be possible
>> to write just about anything, any value, to the attribute. Or am I
>> mistaken?
> You need to hash the password (which also means you need to know it)
> before writing it to AD, and you need to know exactly how to do this.
>
>>>> And one more question - why don't I get any result from the command
>>>> (on 4.20 AD DC, provisioned with --plaintext-secrets):
>>>>
>>>> # samba-tool user getpassword testusr --attributes=unicodePwd,virtualClearTextUTF16,virtualClearTextUTF8
>>>> dn: CN=testusr,OU=users,DC=ad,DC=my,DC=home
>>>> unicodePwd:: CkODmLSx+ZaJO/qHDQibNw==
>>>> Got password OK
>>>>
>>>> Why are the virtualClearTextUTF16 and virtualClearTextUTF8 values
>>>> missing and how do I make them exist?
>>>> Does using the 'samba-tool user syncpasswords' command have
>>>> anything to do with this?
>>> Have you actually set them ?
>> Do I have to set them myself?
>> By what?
>> There is no option here for Samba to do this itself?
>> Isn't it initiated by the 'samba-tool user syncpasswords' command?
> I have never used that command, but from my understanding, it is used
> to sync AD passwords to an external ldap server e.g. Openldap

Read this: 
https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

It is in French, but Google Translate does a good job of getting it into English.

- Kees.

>
>>> Why do you need plaintext passwords ?
>> Some authentication mechanisms require a cleartext password on the
>> server side.
> What mechanism ?
> Could it use kerberos instead, or authenticate via ldap from AD ?
>
> Rowland
>
