[Samba] Import of exported unicodePwd does not update Kerberos password
Emil.s
emil at sandnabba.se
Mon Dec 2 09:54:38 UTC 2024
Hello,
I'm troubleshooting an old backup script that exports and imports users
from a Samba database using `samba-tool`.
It's implemented so that passwords are exported using "samba-tool user
getpassword {username} --attributes=unicodePwd".
On the import side, an LDIF file is created in the following format:
```
dn: CN={username},OU=Users,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: {unicodePwd_string_here}
```
This file is then applied using `ldbmodify -H
/var/lib/samba/private/sam.ldb
--controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0`.
However, this no longer seems to work, at least not for Kerberos. I've
found and tried the `--pw-nt-hash` option, but it doesn't make a difference.
After applying the password, I can "login" using "smbclient -L //localhost
-U {username}".
But if I try to issue a Kerberos ticket using "kinit {username}" I get a
"kinit: Password incorrect while getting initial credentials" error.
However, if I generate a new password string and apply it without the
`--controls`, or set a password using "samba-tool user setpassword",
everything works as usual.
Has anything changed here during the last few years? And what would be the
correct way to restore a password that was previously exported using
samba-tool?
Or is there any new or preferred method to create a backup of a user
including the password?
Best regards
Emil Sandnabba
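
The LDIF-generation step described in the post, as an added example that is not part of the original message: it parses exported `samba-tool user getpassword` output, checks that the decoded `unicodePwd` has the 16-byte NT hash length, and emits the modify record in the format shown above. The sample export text, its layout, the user `alice` and all function names are assumptions made for illustration; it reproduces the import format only and does not address the Kerberos failure reported in the post.

```python
import base64
import binascii

# Constructed sample of `samba-tool user getpassword alice --attributes=unicodePwd`
# output (assumed LDIF layout; the hash is a made-up 16-byte value).
SAMPLE_EXPORT = """\
dn: CN=alice,OU=Users,DC=example,DC=com
unicodePwd:: ABEiM0RVZneImaq7zN3u/w==

"""

NT_HASH_LEN = 16  # unicodePwd in sam.ldb holds the 16-byte NT hash


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_export(text):
    """Return (dn, nt_hash_bytes) from exported LDIF, validating the hash."""
    dn = b64 = None
    for line in unfold(text):
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("unicodePwd:: "):
            b64 = line[len("unicodePwd:: "):].strip()
    if dn is None or b64 is None:
        raise ValueError("export lacks dn or base64 unicodePwd")
    try:
        nt_hash = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("unicodePwd is not valid base64") from exc
    if len(nt_hash) != NT_HASH_LEN:
        raise ValueError(f"unicodePwd is {len(nt_hash)} bytes, expected {NT_HASH_LEN}")
    return dn, nt_hash


def build_modify_ldif(dn, nt_hash):
    """Emit the modify record in the format shown in the post."""
    b64 = base64.b64encode(nt_hash).decode("ascii")
    return f"dn: {dn}\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: {b64}\n"
```

Rejecting a truncated or mis-encoded value before it reaches `ldbmodify` keeps a damaged backup from silently overwriting a working credential.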