[Samba] Re: Machine accounts by migrating from smbpasswd to ldapsam

Tomas Lohr lohr at moser-glass.com
Mon Nov 8 13:24:10 GMT 2004


Hi,

after a few days I found the solution. The problem was bad SID
numbers.

The machine account in /etc/smbpasswd
 
vs3$:501:F74786067472.....3E527018D189760:382721F51C7C.....C9C1E9A81BB145:[W           ]:LCT-416E659B:

has to be transformed into the LDAP directory with the same number:

sambaSID=S-1-5-21-1065381148-2072401369-4150041673-501
uidNumber=501

Similarly for the SID numbers of user accounts:

rid='2*uidNumber+sambaAlgorithmicRidBase' 

sambaSID and uidNumber must be changed according to this formula.


T. Lohr


On 1 Nov 2004 at 12:15, samba at lists.samba.org wrote:

> Hi all,
> 
> I'm wondering about machine accounts (WinXP) when migrating from
> Samba 2.2.8 with authentication backend /etc/smbpasswd to Samba 3.0.4
> with ldapsam.
> 
> Is it possible just to take the NT hash from smbpasswd and paste it into
> the ldap record as sambaNTPassword?
> 
> I'm not able to login from machine vs3 to new domain. My 
> configuration files and log files follow. The Samba-SID is the same on
> the old server and on the new server.
> 
> How do I transport machine accounts from the old backend to the new
> one without reconnecting machines to the new domain? Do you know where
> the problem is?
> 
> Thanx for your help
> Tomas Lohr
> 
> 
> 
> The record from /etc/smbpasswd looks like:
> 
> vs3$:501:F74786067472.....3E527018D189760:382721F51C7C.....C9C1E9A81B5B145:[W           ]:LCT-416E659B:
> 
> The specific record from ldap looks like:
> 
> hp3:/ # ldapsearch -x -D "cn=Manager,dc=moser-glass,dc=com" -W -b 'dc=moser-glass,dc=com' 'cn=vs3$'
> 
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=moser-glass,dc=com> with scope sub
> # filter: cn=vs3$
> # requesting: ALL
> #
> 
> # VS3$, Computers, moser-glass.com
> dn: uid=VS3$,ou=Computers,dc=moser-glass,dc=com
> gidNumber: 513
> homeDirectory: /dev/null
> loginShell: /bin/false
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: sambaSamAccount
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 0
> sambaSID: S-1-5-21-1065381148-2072401369-4150041673-3180
> sambaPrimaryGroupSID: S-1-5-21-1065381148-2072401369-4150041673-553
> uidNumber: 501
> sambaAcctFlags: [W           ]
> cn: vs3$
> sn: vs3$
> uid: vs3$
> description: Computer VS3
> sambaNTPassword: 382721F51C7C.....C9C1E9A81B5B145
> sambaLMPassword: F74786067472.....3E527018D189760
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> 
> The samba log /var/log/samba/log.vs3 writes:
> 
> [2004/10/29 18:09:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
>   init_sam_from_ldap: Entry found for user: vs3$
> [2004/10/29 18:09:47, 0] rpc_server/srv_netlog_nt.c:get_md4pw(218)
>   get_md4pw: Workstation VS3$: no account in domain
> [2004/10/29 18:09:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
>   init_sam_from_ldap: Entry found for user: vs3$
> [2004/10/29 18:09:47, 0] rpc_server/srv_netlog_nt.c:get_md4pw(218)
>   get_md4pw: Workstation VS3$: no account in domain
> [2004/10/29 18:09:58, 2] smbd/server.c:exit_server(568)
>   Closing connections
> 
> 
> Important part of new /etc/samba/smb.conf:
> 
> [global]
>         server string = hp3
>         netbios name = HP3
>         workgroup = MOSERAS
>         domain master = Yes
>         preferred master = Yes
>         domain logons = Yes
>         dos charset = 852
>         unix charset = ISO-8859-2
>         os level = 99
> 
>         time server = Yes
>         wins support = yes
>         name resolve order = wins lmhosts bcast host
>         max log size = 1000
>         log file = /var/log/samba/log.%m
>         log level = 2
>         syslog = 0
>         lanman auth = Yes
>         map acl inherit = Yes
>         null passwords = No
>         interfaces = eth0
>         encrypt passwords = true
>         winbind use default domain = Yes
>         passdb backend = ldapsam:ldap://localhost
>         min password length = 5
> 
>         ldap admin dn = "cn=Manager,dc=moser-glass,dc=com"
>         ldap delete dn = No
>         ldap suffix = dc=moser-glass,dc=com
>         ldap machine suffix = ou=Computers
>         ldap group suffix = ou=Groups
>         ldap user suffix = ou=People
>         ldap passwd sync = Yes
>         ldap idmap suffix = ou=Idmap
>         pam password change = No
>         idmap gid = 10000-20000
>         idmap uid = 10000-20000
> 
> 
> 
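As an added example (not code from this thread or from the Samba project), the following Python script applies the mapping the reply describes: it parses /etc/smbpasswd records of the form quoted above, derives the RID with rid = 2*uidNumber + sambaAlgorithmicRidBase, and emits a sambaSamAccount LDIF entry whose sambaSID is built from the domain SID printed in the quoted ldapsearch output. The `rid` argument reproduces the reply's machine-account case, where the RID was kept equal to uidNumber 501. The LDAP suffix, the default RID base of 1000, the primary-group RID 513 (the well-known Domain Users RID), the `/home/<name>` home directory for users and the second sample line are assumptions made for this example; the hash values are the truncated placeholders from the post.

```python
"""Convert /etc/smbpasswd records to sambaSamAccount LDIF entries.

Added example for the smbpasswd -> ldapsam migration discussed in the
thread.  It is not the thread's or Samba's own code.
"""
import re

# Domain SID as printed in the quoted ldapsearch output.
DOMAIN_SID = "S-1-5-21-1065381148-2072401369-4150041673"
# Assumptions for this example: the LDAP suffix from the quoted smb.conf and
# Samba's default sambaAlgorithmicRidBase.
LDAP_SUFFIX = "dc=moser-glass,dc=com"
DEFAULT_RID_BASE = 1000

# Constructed sample input: the first line is the machine record from the
# post (hashes truncated as there); the second is an invented user record.
SAMPLE_SMBPASSWD = [
    "vs3$:501:F74786067472.....3E527018D189760:382721F51C7C.....C9C1E9A81B5B145:[W           ]:LCT-416E659B:",
    "tlohr:1005:" + "X" * 32 + ":" + "Y" * 32 + ":[U          ]:LCT-416E659B:",
]


def compute_rid(uid_number, rid_base=DEFAULT_RID_BASE):
    """RID of a user account from the formula given in the reply."""
    return 2 * uid_number + rid_base


def parse_smbpasswd_line(line):
    """Split one smbpasswd record: name:uid:LM hash:NT hash:[flags]:LCT-<hex>:"""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 6:
        raise ValueError("not an smbpasswd record: %r" % line)
    name, uid, lm_hash, nt_hash, flags, lct = fields[:6]
    # Account flags are a fixed-width, space-padded field in square brackets.
    if not re.fullmatch(r"\[[A-Za-z ]*\]", flags):
        raise ValueError("bad account flags field: %r" % flags)
    # LCT-<hex> is the password last-change time in seconds since the epoch.
    pwd_last_set = int(lct[len("LCT-"):], 16) if lct.startswith("LCT-") else 0
    return {"name": name, "uid": int(uid), "lm_hash": lm_hash,
            "nt_hash": nt_hash, "flags": flags, "pwd_last_set": pwd_last_set}


def to_ldif(rec, domain_sid=DOMAIN_SID, suffix=LDAP_SUFFIX, rid=None,
            rid_base=DEFAULT_RID_BASE, gid_number=513, primary_group_rid=513):
    """Render a parsed record as a sambaSamAccount LDIF entry.

    rid=None applies the algorithmic formula; pass rid explicitly to keep a
    given RID (the reply kept RID 501 == uidNumber for the vs3$ account).
    """
    is_machine = "W" in rec["flags"]  # workstation trust account
    if rid is None:
        rid = compute_rid(rec["uid"], rid_base)
    ou = "ou=Computers" if is_machine else "ou=People"
    attrs = [
        ("dn", "uid=%s,%s,%s" % (rec["name"], ou, suffix)),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "sambaSamAccount"),
        ("cn", rec["name"]),
        ("sn", rec["name"]),
        ("uid", rec["name"]),
        ("uidNumber", str(rec["uid"])),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", "/dev/null" if is_machine else "/home/%s" % rec["name"]),
        ("loginShell", "/bin/false"),
        ("sambaSID", "%s-%d" % (domain_sid, rid)),
        ("sambaPrimaryGroupSID", "%s-%d" % (domain_sid, primary_group_rid)),
        ("sambaAcctFlags", rec["flags"]),
        ("sambaLMPassword", rec["lm_hash"]),
        ("sambaNTPassword", rec["nt_hash"]),
        ("sambaPwdLastSet", str(rec["pwd_last_set"])),
    ]
    return "\n".join("%s: %s" % kv for kv in attrs) + "\n"


def sid_rid(sid):
    """Trailing RID of a SID string, for checking an existing LDAP entry."""
    return int(sid.rsplit("-", 1)[1])


if __name__ == "__main__":
    machine = parse_smbpasswd_line(SAMPLE_SMBPASSWD[0])
    print(to_ldif(machine, rid=machine["uid"]))   # keep RID 501, as in the reply
    print(to_ldif(parse_smbpasswd_line(SAMPLE_SMBPASSWD[1])))
```

The quoted LDAP entry carried sambaSID ...-3180 for uidNumber 501; `sid_rid` makes that mismatch visible before the entry is imported, which is the check the original poster was missing.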


