Dear all,

is it possible to migrate from an existing MIT kerberos / openldap setup to samba AD? We can re-create the accounts through a script, but it would be nice to be able to keep passwords for users and machine accounts / keytabs which are in our existing KDC.

Thanks for any insights,

Christian
Andrew Bartlett
2018-Aug-31 19:34 UTC
[Samba] migrate from existing MIT kerberos / openldap
On Fri, 2018-08-31 at 15:50 +0200, Christian via samba wrote:
> Dear all,
>
> is it possible to migrate from an existing MIT kerberos / openldap
> setup
> to samba AD? We can re-create the accounts through a script, but it
> would be nice to be able to keep passwords for users and machine
> accounts / keytabs which are in our existing KDC. Thanks for any
> insights,
>
> Christian

I think someone has done it before, for the arcfour-hmac-md5 keys. Those are the easiest to do, because you can extract them and then force them into the unicodePwd attribute.

Have a good study of how the classicupgrade code works and the magic control to allow you to set the backend password attributes directly.

/*
 * this should only be used for importing users from Samba3
 */
#define DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID "1.3.6.1.4.1.7165.4.3.12"

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
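A sketch of the arcfour-hmac-md5 route described in the reply above, added here as an example and not code from the thread or from Samba: it turns already-extracted keys into LDIF modify records for unicodePwd. The input layout, the `CN=Users` DN layout and the name `build_ldif` are assumptions of the example; the records only take effect when submitted with the DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID control quoted in the reply.

```python
import base64

ARCFOUR_HMAC = 23  # Kerberos enctype number of arcfour-hmac-md5 (RFC 4757)

# Constructed sample input, one key per line: "principal enctype hex-key".
# This layout is an assumption of the example, not a real KDC dump format.
SAMPLE_KEYS = """\
alice@EXAMPLE.ORG 23 00112233445566778899aabbccddeeff
alice@EXAMPLE.ORG 18 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
bob@EXAMPLE.ORG 23 deadbeef
host/ws1.example.org@EXAMPLE.ORG 23 ffeeddccbbaa99887766554433221100
"""


def build_ldif(key_lines, base_dn):
    """Return (ldif_text, skipped) for user principals with a usable RC4 key."""
    records, skipped = [], []
    for line in key_lines.strip().splitlines():
        principal, enctype, hexkey = line.split()
        name = principal.split("@", 1)[0]
        # Only the arcfour-hmac-md5 key is handled here; other enctypes
        # (for example AES) are reported instead of being written.
        if int(enctype) != ARCFOUR_HMAC:
            skipped.append((principal, "enctype %s is not arcfour-hmac-md5" % enctype))
            continue
        # Host and service principals need a per-site mapping to machine
        # accounts, which this example leaves out.
        if "/" in name:
            skipped.append((principal, "host/service principal, map by hand"))
            continue
        try:
            key = bytes.fromhex(hexkey)
        except ValueError:
            key = b""
        if len(key) != 16:  # an arcfour-hmac-md5 key is always 16 bytes
            skipped.append((principal, "key is not 16 bytes"))
            continue
        # Assumed DN layout: CN=<user>,CN=Users,<base DN>. Binary values
        # are base64-encoded in LDIF, hence the "::" separator.
        records.append(
            "dn: CN=%s,CN=Users,%s\n"
            "changetype: modify\n"
            "replace: unicodePwd\n"
            "unicodePwd:: %s\n"
            % (name, base_dn, base64.b64encode(key).decode("ascii"))
        )
    return "\n".join(records), skipped
```

Review the skipped list before applying anything: every entry in it is an account whose password would not carry over by this route.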