
Re: password hash



> I have to replicate passwords from an Active Directory to an OpenLDAP Server
> (Heimdal with OpenLDAP backend). The synchronization program resides on the
> Windows server. It works well for the public information and for the samba
> and unix passwords. Now I have to implement the replication for the Heimdal
> passwords.

As far as I know, Active Directory (without Kerberos) has a very strange 
idea about storing passwords.

1) there's no visible attribute for reading the password (probably there are 
attributes, but they are inaccessible due to ACLs)

2) You can change the password via LDIF import with the "unicodePwd" field. That 
is a "write only" field where you put the clear-text password. Search for that 
word at microsoft.com; there are certain conditions that apply to changing the 
password.

3) the general utility for such operations is "ldifde"; you can play with it.

They definitely use some proprietary stuff to replicate users across AD 
domain controllers. No LDAP replication will help. No idea yet about 
Kerberos + Win32 stuff.

4) you can use pwdump, pwdump2, pwdump3 for reading NT/LM hashes, even in 
the AD case. No idea how to store them back :-(

> How can I compute the Kerberos password hash values (for OpenLDAP) on the
> Windows server?
>
> Thanks
>