On Mon, 2023-08-21 at 10:08 +0800, Reese Wang via samba wrote:
> Hi all. I'm migrating from a small OpenLDAP setup and currently
> have users' password hashes in {SSHA} and {CRYPT}$5$.16s format. Can I
> just ldbedit or ldbmodify user's supplementalCredentials fields in
> /var/lib/samba/private/sam.ldb.d/DC%3DAD%2CDC%3DEXAMPLE%2CDC%3DCOM.ldb
> to migrate passwords?
> Provided that I could get the data structure right.
> (Documentation about supplementalCredentials should be here I think
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/84cefe3e-a688-4232-b997-ac5d9993f5eb)
> I have "ntlm auth = disabled" in smb.conf so I think not having NThash
> is not a problem.

No, currently Samba does not support importing crypt() format password
hashes. We always require either the NT hash or the Kerberos hashes.
It would be a nice feature, to be able to start with that imported
crypt() hash (or indeed the NT hash) and populate the other values on
the first LDAP simple bind, but such imports are rare enough that such
a migration has never been implemented.
(Also, only non-AD clients do LDAP simple binds, real AD clients use
Kerberos which can't work against the crypt() hash).
Sorry!
Andrew Bartlett
--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead                 https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions