
Cannot find kdb5_util executable in Mac OS X 10.11 #4

Open
potatogim opened this issue Dec 17, 2018 · 9 comments

Comments

@potatogim

Hello!

I want to dump Kerberos Database with kdb5_util but I cannot find this executable in my Mac OS X 10.11 Server.

How can I dump my Kerberos database?

@potatogim
Author

potatogim commented Dec 17, 2018

Oh, Mac OS X seems to have replaced Kerberos implementation from MIT to Heimdal. I didn't know that.

Could we support enhanced documents for Heimdal?

@Jeija
Member

Jeija commented Dec 17, 2018

It should not be an issue if your Apple OD uses Heimdal, but for generating the supplementalCredentials attribute of AD you will most likely have to change this section of the hash conversion code: https://github.com/physcip/od2samba4/blob/master/extract_hashes.py#L31
Not sure what the exact commands are, but you just have to tell hprop to import a Heimdal database instead of an MIT dump.

@potatogim
Author

potatogim commented Dec 17, 2018

> It should not be an issue if your Apple OD uses Heimdal, but for generating the supplementalCredentials attribute of AD you will most likely have to change this section of the hash conversion code: https://github.com/physcip/od2samba4/blob/master/extract_hashes.py#L31
> Not sure what the exact commands are, but you just have to tell hprop to import a Heimdal database instead of an MIT dump.

@Jeija: hm.. I could not find hprop... I'll look into this further. Thank you.

@mkuron
Member

mkuron commented Dec 17, 2018

Please do document the process if you figure out how to export the Kerberos database from Heimdal. We have only used MIT Kerberos (Mac OS X 10.6). In #1 someone migrated from OS X 10.9, but didn't transfer the Kerberos passwords.

@mkuron
Member

mkuron commented Dec 17, 2018

Also, hprop runs on your Linux server. In our script it takes an MIT dump, but it can certainly accept a Heimdal dump if you find out how to get one from macOS server.

@potatogim
Author

potatogim commented Dec 18, 2018

@mkuron: Thanks for your help!

As you said, I tried to find hprop to dump the Heimdal database but cannot find it...

Another question: can I migrate NTLM passwords with od2samba4?

AFAIK, the unicodePwd attr has an NTLM hash, and when we extract hashes from the Kerberos database, it seems to be extracted also.

But due to my lack of knowledge, I'm not quite sure about it.

@Jeija
Member

Jeija commented Dec 18, 2018

Yes, od2samba4 will also import NTLM hashes into the unicodePwd attribute, see https://github.com/physcip/od2samba4/blob/master/convert_hashes.py#L89. If you want to import only unicode hashes, you are going to have to change the convert_hashes.py script, remove all other hashes and adapt supportedEncryptionTypes accordingly. To be honest, I'm not really sure what the implications of that would be. Basic authentication will almost certainly work fine if you're just importing NTLM hashes, but maybe some other functionality won't, I haven't checked.

You cannot set the unicodePwd remotely over LDAP, you are going to have to import an LDIF file using ldbmodify infile.ldif -H /var/lib/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 on the Samba server (this directly modifies the database). Make sure to provide --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0, this flag enables modification of the unicodePwd attribute. If you try to set unicodePwd remotely over LDAP, Samba4 is just going to interpret the new value as plaintext password and hash it.

@jpiel

jpiel commented Jan 14, 2020

Did someone find a way to dump the Kerberos database with OSX using Heimdal?
I am trying to do it on a 10.8 Server and I can't find a way to dump the database.

@MatthiasKuehneEllerhold
Contributor

MatthiasKuehneEllerhold commented Jan 26, 2021

We were struggling with this for a while now and we think we found a solution!

On your OD server, go into the Server app. On the left under Advanced -> Open Directory there should be "Server". Below that is a cog icon where you can archive the whole OD server. Click it and give it a strong password.

After the export is done, mount the .sparseimage (use the password you just entered) and look into the "authdata.ldif" file.
These are all your users with their password hashes. Look at the uid and cmusaslsecretSMBNT fields.

Whip up a script that aggregates them into a user-hashes.json like this:

{
  "Value from <uid>": {
    "type23": "Value from <cmusaslsecretSMBNT>",
    "flags": 512
  },
  ... (repeat for each user)
}

Go through this list manually and set the flags to 514 for every deactivated user. We didn't find any attribute that encoded the deactivated status in OD correctly.

Continue the migration with step convert-hashes.py.

This will migrate the NTLM hashes only (!). Test thoroughly whether this is sufficient for you. It was enough for Samba to grant SMB access to Mac clients and enough for Winbind to grant SSH access to Debian domain members.

You could order a "User has to change passwords next time they log in" on every user to make sure that all other hashes are generated.
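A script of the kind the comment above asks for, added here as an example (it is not code from the od2samba4 project or from the commenter): it reads an authdata.ldif export, takes the uid and cmusaslsecretSMBNT values, and builds the user-hashes.json structure with flags 512, or 514 for accounts you pass in as deactivated. The LDIF sample is constructed, and the handling of base64 (`::`) values, where either the hex string or the 16 raw hash bytes may be encoded, is my assumption about the export format.

```python
import base64
import json

# Constructed sample in the shape of the exported authdata.ldif (not real OD data).
# "attr:: value" is base64 and a leading space folds a line onto the previous one.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=com
uid: alice
cmusaslsecretSMBNT: A1B2C3D4E5F60718293A4B5C6D7E8F90

dn: uid=bob,cn=users,dc=example,dc=com
uid: bob
cmusaslsecretSMBNT:: MzJFRDg3QkRCNUZEQzVFOUNCQTg4NTQ3Mzc
 2ODE4RDQ=
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, split entries, decode base64."""
    unfolded = text.replace("\n ", "")          # a leading space folds onto the previous line
    entries = []
    for block in unfolded.split("\n\n"):        # entries are separated by blank lines
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):           # "attr:: <base64>"
                raw = base64.b64decode(value[1:].strip())
                # Assumption: 16 raw bytes are the NT hash itself; anything else is text.
                value = raw.hex() if len(raw) == 16 else raw.decode("utf-8")
            entry.setdefault(attr, []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def build_user_hashes(ldif_text, disabled):
    """uid -> {"type23": NT hash, "flags": 512 (NORMAL_ACCOUNT) or 514 (+ACCOUNTDISABLE)}."""
    users = {}
    for entry in parse_ldif(ldif_text):
        if "uid" not in entry or "cmusaslsecretSMBNT" not in entry:
            continue                            # groups, computers, users without a hash
        uid, nthash = entry["uid"][0], entry["cmusaslsecretSMBNT"][0]
        if len(nthash) != 32 or set(nthash) - set("0123456789abcdefABCDEF"):
            raise ValueError(f"{uid}: cmusaslsecretSMBNT is not a 32-hex-digit NT hash")
        users[uid] = {"type23": nthash.upper(), "flags": 514 if uid in disabled else 512}
    return users

if __name__ == "__main__":
    print(json.dumps(build_user_hashes(SAMPLE_LDIF, {"bob"}), indent=2))
```

A malformed hash value raises instead of being skipped, so a user is never silently dropped from the migration.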
