
Re: using active directory keys
Andrew Bartlett <abartlet@samba.org> writes:

> On Sun, 2005-01-16 at 00:11 +1100, Andrew Bartlett wrote:
>
>> I have code that extracts more than just these keys from AD, but I've
>> not yet fully parsed the structure I'm given.
>
> I did some more work on this, and it's a false alarm for getting
> everything out of AD.  The structure I get contains more than just the
> current passwords yes, but it's the password history, not Kerberos
> keys :-(
>
> Oh well, we are working on full Active Directory replication, so this
> should not be too far off, but not quite for now...

Well, until you get DRSUAPI working, I have the text below from Dave
Love to add to the documentation; I've not had time to go over it yet,
though.

Love

@node Using Windows keys, Useful links when reading about the Windows 2000, Quirks of Windows 2000 KDC, Windows 2000 compatability
@section Using Windows keys

@cindex Windows password hashes
If you have existing Windows accounts, you might want to transfer
their keys to Heimdal for single sign on via Heimdal without having to
reset passwords.  Dumping the Kerberos keys from Active Directory is
apparently only possible with the proprietary replication protocol.
However, if you have it configured for NT-authentication as well as
Kerberos, you can extract and use the NT keys (which are synchronized
with the Kerberos keys), as follows.@footnote{Note that these keys are
weak---they are unsalted---and users should be encouraged to reset
their passwords to replace them with the default key types.}

Use @command{pwdump2} (@pxref{pwdump}) on the Windows controller to
dump the password hashes.  The fourth field in the account records it
outputs is the NT hash.  This is usable in Heimdal as a key of type
@samp{arcfour-hmac-md5}.  The following @command{awk} script will
process the user account records and generate Heimdal dump-format
records which can be imported with @samp{kadmin merge}.  This assumes
that the Heimdal database isn't encrypted with a master key.  Beware:
@emph{importing such records into an encrypted database will corrupt
it}.

@example
BEGIN @{
  realm="EXAMPLE.COM"		# modify this
  # creation stamp YYYYmmddHHMMSS: %H (not %k) keeps the hour zero-padded,
  # since a space inside this field would break the dump format
  # (strftime needs gawk)
  time=strftime ("%Y%m%d%H%M%S"); FS=":" @}
@{ # one dump record per user: principal, kvno 1, unencrypted, enctype 23
  # (arcfour-hmac-md5), key = NT hash (field 4), no salt, creation time,
  # flags 126; note the order $1, realm so the principal is user@@REALM
  if ($1 !~ /\$$/)               # avoid machine accounts
    printf "%s@@%s 1::23:%s:- %s:kadmin/admin@@%s - - - - - - 126 -\n",
      $1, realm, $4, time, realm @}
@end example

If you need to import to an encrypted database, you could do it via a
sacrificial database as follows on a random machine---@strong{not on
your KDC}!  Here @file{m-key} is the master key file from the KDC,
transferred securely to the random machine.
@example
# yes "" | kadmin -l init EXAMPLE.COM
# kadmin -l load dump
# hprop -n -E -m m-key | hpropd -n --print >enc-dump
# kadmin -p ... merge enc-dump
@end example
Note that the first three lines operate on the local database and the
last one contacts the proper KDC.

@node Useful links when reading about the Windows 2000,  , Using Windows keys, Windows 2000 compatability

PGP signature
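Added worked example, not part of Dave Love's text and not Heimdal code: a Python equivalent of the awk converter above, together with the string-to-key that explains why an NT hash can be imported as an enctype 23 (arcfour-hmac-md5) key at all. RFC 4757 defines the RC4-HMAC key as MD4 of the UTF-16LE password, which is exactly the NT hash, with no salt; that is the reason the footnote calls these keys weak, and the `key_matches_password` function shows the consequence (any dumped key can be checked against a guessed password offline, and the same password gives the same key in every realm). The pwdump2 lines are constructed; the hashes of "password" and of the empty string are the well-known values. The converter also refuses two kinds of record the awk script passes through, and these checks are my addition: a fourth field that is not 32 hex digits (as in the `NO PASSWORD***` marker some pwdump variants print), and the empty-password hash, which would give the principal a key anyone can derive.

```python
"""Convert pwdump2 output to Heimdal dump-format records (example code, not
Heimdal's own), and show that the NT hash is the RC4-HMAC (enctype 23) key."""
import re
import struct
from datetime import datetime, timezone


def _md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), implemented here so the example runs where OpenSSL has no md4."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)            # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        # each step: a = (a + f(b,c,d) + X[k] + const) <<< s, then rotate a,b,c,d
        for k, s in zip(range(16), [3, 7, 11, 19] * 4):
            a, b, c, d = d, rotl((a + F(b, c, d) + X[k]) & 0xFFFFFFFF, s), b, c
        for k, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13] * 4):
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, s), b, c
        for k, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15] * 4):
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, s), b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)).  RFC 4757 section 3 defines the
    arcfour-hmac-md5 key the same way, so the hash *is* the Kerberos key.
    There is no salt: the same password yields the same key everywhere."""
    return _md4(password.encode("utf-16-le")).hex()


def key_matches_password(nt_hex: str, password: str) -> bool:
    """Offline check of a dumped enctype 23 key against a guessed password;
    this is what 'unsalted' costs you once the dump leaks."""
    return nt_hash(password) == nt_hex.lower()


EMPTY_NT_HASH = nt_hash("")                 # 31d6cfe0d16ae931b73c59d7e0c089c0
_HEX32 = re.compile(r"^[0-9a-f]{32}$")
HEIMDAL_FLAGS = 126                         # same flags word the awk script writes


def pwdump2_to_heimdal(lines, realm: str, creation: str = ""):
    """pwdump2 records (user:rid:lmhash:nthash:::) -> Heimdal dump-format records,
    same layout as the awk script: principal, kvno 1, unencrypted, enctype 23,
    key, no salt, creation stamp, six unset fields, flags, generation.
    Returns (records, skipped) so the operator can see what was refused."""
    if not creation:                        # UTC stamp; pass one explicitly for reproducible output
        creation = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    records, skipped = [], []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue
        user, nt = fields[0], fields[3].lower()
        if user.endswith("$"):              # machine account, as in the awk script
            skipped.append((user, "machine account")); continue
        if not _HEX32.match(nt):            # added check: e.g. "NO PASSWORD***" markers
            skipped.append((user, "no usable NT hash")); continue
        if nt == EMPTY_NT_HASH:             # added check: key derivable by anyone
            skipped.append((user, "empty password")); continue
        records.append(f"{user}@{realm} 1::23:{nt}:- {creation}:kadmin/admin@{realm}"
                       f" - - - - - - {HEIMDAL_FLAGS} -")
    return records, skipped


# Constructed pwdump2 output: RIDs, names and the non-well-known hashes are made up.
SAMPLE_PWDUMP2 = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "WORKSTATION1$:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "svc_backup:1105:NO PASSWORD*********************:NO PASSWORD*********************:::",
    "alice:1106:aad3b435b51404eeaad3b435b51404ee:A448017AAF21D8525FC10AE87AA6729D:::",
]

if __name__ == "__main__":
    recs, skipped = pwdump2_to_heimdal(SAMPLE_PWDUMP2, "EXAMPLE.COM", "20050116000000")
    print("\n".join(recs))
    for user, why in skipped:
        print(f"# skipped {user}: {why}")
    print("Administrator uses 'password':",
          key_matches_password("8846f7eaee8fb117ad06bdd830b7586c", "password"))
```

Feed it the records `kadmin merge` accepts (writing the output to a file and importing it as the section describes), after confirming the target database is not master-key encrypted, which is the same caveat the section gives for the awk script. The `creation` argument is only there so the output is reproducible; leave it empty in real use.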