Franta Hanzlík
2024-Aug-14 03:56 UTC
[Samba] a way to migrate pasword from Samba 4.0 AD DC to new AD DC?
Please, is there any way to migrate passwords from old Samba 4.0 Ad DC to new (Samba 4.20) one? On ldbsearch export on old AD only related item I see is 'unicodePwd' attribute, and it is maybe possible write to new system using ldbmodify - but it is right and simplest solution? And one more question - why don't I get any result from the command (on 4.20 AD DC, provisioned with --plaintext-secrets): # samba-tool user getpassword testusr --attributes=unicodePwd,virtualClearTextUTF16,virtualClearTextUTF8 on: CN=testusr,OU=users,DC=ad,DC=my,DC=home unicodePwd:: CkODmLSx+ZaJO/qHDQibNw=Got password OK Why are the virtualClearTextUTF16 and virtualClearTextUTF8 values ?? missing and how do I make them exist? Does using the 'samba-tool user syncpasswords' command have anything to do with this? -- Thanks in advance, Franta Hanzl?k
Rowland Penny
2024-Aug-14 08:16 UTC
[Samba] a way to migrate pasword from Samba 4.0 AD DC to new AD DC?
On Wed, 14 Aug 2024 05:56:22 +0200 Franta Hanzl?k via samba <samba at lists.samba.org> wrote:> Please, is there any way to migrate passwords from old Samba 4.0 Ad DC > to new (Samba 4.20) one?Yes, add another DC, but you will probably have to do it in stages, Samba 4.0.x went EOL 9 years ago. I think you would have to upgrade to 4.5.x then 4.20.x> On ldbsearch export on old AD only related item I see is 'unicodePwd' > attribute, and it is maybe possible write to new system using > ldbmodify > - but it is right and simplest solution?No it isn't right and it isn't simple. The password you get back if you ask for the contents of the unicodePwd isn't the password, it is the 64bit encoding of the password, which doesn't seem to be reversible. You also cannot just write a password to the unicodePwd attribute, it has to be encoded in a precise way and written over SSL.> > And one more question - why don't I get any result from the command > (on 4.20 AD DC, provisioned with --plaintext-secrets): > > # samba-tool user getpassword testusr > --attributes=unicodePwd,virtualClearTextUTF16,virtualClearTextUTF8 > on: CN=testusr,OU=users,DC=ad,DC=my,DC=home unicodePwd:: > CkODmLSx+ZaJO/qHDQibNw== Got password OK > > Why are the virtualClearTextUTF16 and virtualClearTextUTF8 values ?? > missing and how do I make them exist? > Does using the 'samba-tool user syncpasswords' command have anything > to do with this?Have you actually set them ? Why do you need plaintext passwords ? Rowland
Reasonably Related Threads
- a way to migrate pasword from Samba 4.0 AD DC to new AD DC?
- a way to migrate pasword from Samba 4.0 AD DC to new AD DC?
- a way to migrate pasword from Samba 4.0 AD DC to new AD DC?
- samba-tool user getpassword --decrypt-samba-gpg
- Dovecot v1.2rc6 deliver to shared folder fails