Importing data?

Jeffrey Hutzelman jhutz at cmu.edu
Thu Jan 12 17:41:25 EST 2006



On Thursday, January 12, 2006 01:42:54 PM +0100 Bjorn Tore Sund 
<bjornts at mi.uib.no> wrote:

> University of Bergen is setting up a unix/linux Kerberos realm to handle
> logons on our unix/linux clients and servers (about 1500).  Our problem
> is that all 30.000 users need principals on the KDC, and we'd rather
> not have to run all of them through having to type their password
> somewhere.
>
> They're all in AD (and in NIS), can anyone advise as to a good path to
> duplicate data over, including passwords?  LDAP export and import and
> then using Heimdal's support for having an LDAP backend is the next
> thing I'll try - any better ideas out there?  Google gives me nothing
> which doesn't involve having to reenter all user passwords, but we
> can't be the first large setup to have this issue?

Well, the problem is that entries in NIS or in UNIX password files don't 
contain the password; they contain a one-way hash of the password.  Without 
some fairly time-expensive cryptographic attacks, you can't recover the 
actual password, which is needed to add keys to the Kerberos database.

When we first started using Kerberos many many years ago, we modified the 
login program so that when a user logged in who had no Kerberos principal, 
he would be automatically registered.  Of course, this also required a 
special registration service and giving login some way to authenticate to 
it.

Since your users are in AD, you may have another option.  The Active 
Directory does know the users' actual passwords (except for any users who 
were imported from an NT4 domain and haven't changed their passwords 
since).  If you can extract the passwords from AD, you can build a tool 
which adds them to the Kerberos database.  However, I seem to recall that 
it is difficult-to-impossible to get AD to export password information. 
Perhaps someone who knows more on that topic will comment...

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
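As an added example, not code from this message, from Heimdal or from MIT Kerberos, here is a small Python model of the two points made above: Kerberos AES keys are derived from the plaintext password plus a per-principal salt (RFC 3962 string-to-key), so a one-way crypt(3) hash taken from NIS or /etc/shadow cannot be converted into one, whereas a modified login program that has just verified the plaintext can register the user on first login. The ToyKDC class, the realm EXAMPLE.ORG and the user names are constructed for the illustration, and the derivation stops at the PBKDF2 "tkey" stage; a real KDC runs that value through one further AES-based step, DK(tkey, "kerberos"), which is left out here.

```python
"""Model of RFC 3962 string-to-key (PBKDF2 stage only) plus a
register-on-first-login hook.  Added example; not code from any KDC
or from the original post.  ToyKDC, the realm EXAMPLE.ORG and the
user names are constructed for illustration."""
import hashlib

DEFAULT_ITERATIONS = 4096  # RFC 3962 default when the KDC sends no s2kparams


def default_salt(realm: str, principal: str) -> bytes:
    """Default Kerberos salt: the realm name followed by every component of
    the principal name, with no separators (RFC 4120 section 4), e.g.
    host/box.example.org in EXAMPLE.ORG -> b"EXAMPLE.ORGhostbox.example.org"."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")


def kerberos_tkey(password: str, realm: str, principal: str,
                  key_bytes: int = 16,
                  iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key.  The input is the
    plaintext password, which is exactly what a passwd/NIS hash does not
    give you.  (A real KDC then feeds this 'tkey' through DK(tkey, "kerberos"),
    an AES-based step omitted in this model.)"""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               default_salt(realm, principal),
                               iterations, key_bytes)


class ToyKDC:
    """In-memory stand-in for a KDC principal database (constructed)."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.keys: dict[str, bytes] = {}

    def has_principal(self, name: str) -> bool:
        return name in self.keys

    def add_principal(self, name: str, password: str) -> None:
        # Only possible with the plaintext password in hand; a crypt(3)
        # hash from passwd or NIS cannot be fed into kerberos_tkey().
        self.keys[name] = kerberos_tkey(password, self.realm, name)


def first_login_hook(kdc: ToyKDC, user: str, password: str) -> bool:
    """What the modified login program would do: after the user's password
    has been verified against the local/NIS hash, login holds the plaintext
    and can create the missing principal.  Returns True when it did."""
    if kdc.has_principal(user):
        return False
    kdc.add_principal(user, password)
    return True


if __name__ == "__main__":
    # RFC 3962 Appendix B, first vector: iteration count 1, pass phrase
    # "password", salt "ATHENA.MIT.EDUraeburn".
    print(kerberos_tkey("password", "ATHENA.MIT.EDU", "raeburn", 16, 1).hex())
    kdc = ToyKDC("EXAMPLE.ORG")
    print(first_login_hook(kdc, "alice", "correct horse"))  # True: created
    print(first_login_hook(kdc, "alice", "correct horse"))  # False: already there
    # Same password, different principals -> different keys, because of the salt.
    print(kerberos_tkey("pw", "EXAMPLE.ORG", "alice")
          != kerberos_tkey("pw", "EXAMPLE.ORG", "bob"))        # True
```

The salt is the reason the same password gives different keys for alice and bob, and for the same user in two realms: any import path that somehow obtained keys rather than passwords would also have to carry the salt each key was made with, which Kerberos databases can store per key.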
