[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery

Nathan Mahu nmahu at cyanide-studio.com
Fri May 6 09:02:39 MDT 2011


Thank you one more time for your help, Louis! But I still fail :-(

### FIRST ANSWER ###

Back to my first mail, the third step (ldif [3]): I was saying "adding 
posixAccount object", but I added the "top" object too. That was the 
idea: comparing a working LDIF with the others and manually tweaking each 
field.

Concerning the "getent passwd", I see every account that has a 
"posixAccount" object filled. It works for both automatic and manual 
addition of the posixAccount part. More precisely, when "posixAccount" is 
missing, the logs tell me about it; when I add it manually (ldif process), 
it finds the Unix account.

About "displayName: THORIN$": it is filled when I manually joined the 
domain to create the working LDIF. I have tried 2 or 3 times to add it, 
but honestly, I think a "displayName" is only superficial stuff... 
Moreover, with a thorin$ account WITHOUT displayName, in the samba logs 
requests to ldap are made with "THORIN$" and acknowledged with "thorin$ 
found". It uses the cn field; I really don't think displayName is important.

"The [2] ldif looks like a user account". I don't get what makes you 
think that. However, user accounts and machine accounts are really close 
in samba. Cn names have a $ for computers, and each time (for [1] to 
[3]), it is dn: 
uid=thorin$,ou=Computers,dc=domain,dc=com, meaning it is in the right 
OU. Accounts added by smbldap-tools go in the right OU according to 
whether it is a machine or user account.

Finally, "smbldap-useradd -wi machine_account$" fails with the 
following log: "WORKSTATION secure channel requested but not a 
workstation trust account" [...] "failed to get machine password for 
account THORIN$ : NT_STATUS_NO_TRUST_SAM_ACCOUNT". Important about this: 
the LDIF presents the flags as [UX] and not the good old machine flag [W]... 
I'm not sure the trust account stuff is for a simple workstation, but honestly, 
I haven't read much about it.


On 06/05/2011 09:28, L.P.H. van Belle wrote:
> Hi,
>
> Compare the working computer LDIF and the not working LDIF.
> The import LDIF is missing
> [2]
>>>>> objectClass: top
> I don't know if it's needed, but you can try it.
>
> If you do getent passwd on the new samba server, does it display your 
> new computer account?
> Also, I see.
> in [1]
> displayName: THORIN$
>>>>> uidNumber: 1004
>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
> and [2]
> displayName: thorin$
>>>>> uidNumber: 1002
>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>>> sambaLogonTime: 0
>>>>> sambaLogoffTime: 2147483647
>>>>> sambaKickoffTime: 2147483647
>>>>> sambaPwdCanChange: 0
>>>>> sambaPwdMustChange: 2147483647
>>>>> sambaPwdLastSet: 1304078541
> Make sure it's how your computer name (displayName) is: caps and no caps.
> I'm trying to narrow down the options here..
> Also the computer [2] looks like a newly created user, not a computer.
>
> Is the new computer in the correct OU?
> smbldap-useradd --help | grep unit
> -o    add the user in the organizational unit (relative to the user 
> suffix. Ex: 'ou=admin,ou=all')
> ( see user as computer )
>
> Also can you try
> smbldap-useradd -wi machine_account$
> and report back the results.
>
>
> Louis
>




On 06/05/2011 09:32, L.P.H. van Belle wrote:
> And I found this.
>
> "When migrating an existing machine account, you also have to invoke
> smbldap-useradd -a computername$ after creating the account in order to
> allow storing of encrypted password into the sambaNTPassword entry."
>
> Louis

### SECOND ANSWER ###

I think it is very like using "smbldap-useradd -W thorin$"... However, I 
have made some tries to create the account in two steps, after importing the 
machine account, or after creating it manually with only -w, etc...

It always fails with the "credential checks" wrong.

Moreover, I found this: 
http://www.mail-archive.com/linux-390@vm.marist.edu/msg30492.html
It seems it is possible to enter the missing fields (sambaNTPassword) with a 
simple LDIF and make it work. I tried 3 or 4 times with different 
approaches (import the machine account, manual create, etc..). SAME ERROR.

I really don't get it. And it really lacks some documentation on low-level 
functionalities to create some little hacks to be able to proceed with 
a seamless migration.

>> -----Original message-----
>> From: Nathan Mahu [mailto:nmahu at cyanide-studio.com]
>> Sent: 2011-05-05 18:22
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Issue providing seamless migration
>> (3.0.24 to 3.5.6) - sambaNTPassword mystery
>>
>> Sum up: still does not work.
>>
>> Thank you for your attention, Louis.
>>
>> "After updating the LDAP schema, do not forget to re-index the LDAP
>> database." - Some Samba guide
>>
>> 1. My schema is up to date since my old PDC wasn't using LDAP (but
>> mysql); the new PDC gave its OpenLDAP a fresh schema (3.5.6).
>>
>> 2. However, I've tried reindexing after changes made through raw LDIF. I
>> think indexes are just made to speed up searches in LDAP, but I am so
>> desperate that I tested.
>> I remade the third procedure described in my original mail: after each
>> modification made through LDIF, I have reindexed everything (slapd stop
>> - slapindex - slapd start). Nothing new: "credential fail".
>> By the way, I have never seen any site saying "after an ldif
>> modification, run slapindex".
>>
>> On 05/05/2011 14:38, L.P.H. van Belle wrote:
>>> Did you update your samba.schema in ldap and did you reindex
>>> your ldap database?
>>> Greetz,
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: nmahu at cyanide-studio.com
>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Nathan Mahu
>>>> Sent: 2011-05-05 14:32
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Issue providing seamless migration
>>>> (3.0.24 to 3.5.6) - sambaNTPassword mystery
>>>>
>>>> Still no idea?
>>>> Anyone knows about sambaNTPassword?
>>>> No one has ever experienced issues doing a seamless migration?
>>>>
>>>>
>>>> On 02/05/2011 11:50, Nathan Mahu wrote:
>>>>> Hello everyone,
>>>>>
>>>>> I am operating a migration of samba from 3.0.24 (mysql passdb backend)
>>>>> to 3.5.6 (openldap passdb), samba working as a domain controller (PDC)
>>>>> and file share. The main challenge is to provide a seamless migration
>>>>> for users.
>>>>> For this new version, I am using smbldap-tools 0.9.6, nss_ldap,
>>>>> openldap 2.4. Everything runs on FreeBSD 8.2.
>>>>>
>>>>> To get used to samba, I have managed to make samba 3.5 work as a new
>>>>> domain, computers joining it, etc... But since I want a seamless
>>>>> migration, I now try to provide enough information to samba 3.5 to
>>>>> auth users like the old version.
>>>>>
>>>>> Currently, I can't manage to have machine accounts which can be on
>>>>> the new domain with the samba root login without joining the domain
>>>>> through the Windows manual procedure.
>>>>> The new domain has the same "netbios name", "workgroup", domain SID,
>>>>> local SID. And now the challenge is to fill accounts (users, but first
>>>>> workstation/machine) in ldap.
>>>>> I have copied and pasted every *.tdb file from the old samba to the new:
>>>>> /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ smbpasswd file).
>>>>> Moreover, to test everything, I have a computer which has an ethernet
>>>>> interface toward the old working samba, and another one toward the new
>>>>> domain. When I try to switch from the old to the new samba, I shut down
>>>>> the right interface, log out and try to log in with the root login of the
>>>>> new samba (I always wait a few minutes in order to have the new PDC
>>>>> "recognized").
>>>>> As I read that someone is able to upgrade his samba seamlessly by
>>>>> shutting down computers & samba (old & new), then starting the new samba,
>>>>> then the computers, I have tried this procedure each time. However, I
>>>>> don't believe it is the problem: logs are the same if I do the
>>>>> "shutdown/start" procedure or the simple "unlog/log" procedure.
>>>>>
>>>>> I put at the end of this mail the ldap entries for each step made. So
>>>>> first is the reference of a working machine account (achieved by
>>>>> joining the "new" domain manually) [1].
>>>>>
>>>>> Here are the steps I have made:
>>>>>
>>>>> 1. I'm adding the machine account using:
>>>>>
>>>>> #smbldap-useradd -W machine_account$
>>>>>
>>>>> Then I provide my machine account the same SID in ldap using:
>>>>>
>>>>> #pdbedit machine_account$ -U
>>>>> S-1-5-21-720590779-4203916555-4014520812-11343
>>>>>
>>>>> The result is [2], and I can't log in with it. Logs tell me something
>>>>> like "Workstation machine_account$ doesn't have a password"... Indeed,
>>>>> no sambaNTPassword here!
>>>>>
>>>>> 2. I want to manually provide sambaNTPassword. Here, no samba command
>>>>> (pdbedit, smbpasswd) provides me a way to do it; the only way I found
>>>>> is to add it directly into LDAP (ldapadd or mod,...) [3].
>>>>>
>>>>> As we could predict, it doesn't work (log as root). Since
>>>>> "sambaNTPassword" comes during the manual join procedure, it must be
>>>>> some kind of exchange between the workstation and the PDC.
>>>>>
>>>>> 3. The second idea is to import the old passdb backend into the new
>>>>> (ldap) using:
>>>>>
>>>>> #pdbedit -e tdbsam:export.tdb
>>>>> on the old PDC, and then on the new PDC:
>>>>>
>>>>> #pdbedit -i tdbsam:export.tdb
>>>>>
>>>>> Everything works fine for import/export, giving me [4]. Trying to log
>>>>> in with this fails: "Failed to find UNIX account for thorin$". If I
>>>>> add manually the fields needed for a UNIX account (objectClass:
>>>>> posixAccount, etc...), it fails on a "credentials check fails" (same
>>>>> as step 1 when sambaNTPassword was missing).
>>>>>
>>>>> CONCLUSION:
>>>>> In my opinion, it appears that sambaNTPassword is needed for
>>>>> workstation authentication and can be provided only by joining the
>>>>> domain manually (Computer -> Manage -> etc...).
>>>>>
>>>>> Ideas are seriously running out. I find very little about
>>>>> sambaNTPassword and particularly about when (during the joining
>>>>> process?), where (is it stored on the workstation? in a samba file?
>>>>> only in the passdb backend?) and why (security reasons I guess,
>>>>> avoiding name spoofing etc...? Not a crucial question).
>>>>> Any help would be welcome!
>>>>>
>>>>> REFERENCES LDAP ENTRIES:
>>>>>
>>>>> [1] Working machine account:
>>>>>
>>>> ---------------------------------------------------------------
>>>> ----------------------------
>>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>>> objectClass: top
>>>>> objectClass: account
>>>>> objectClass: posixAccount
>>>>> objectClass: sambaSamAccount
>>>>> cn: thorin$
>>>>> uid: thorin$
>>>>> uidNumber: 1004
>>>>> gidNumber: 515
>>>>> homeDirectory: /dev/null
>>>>> loginShell: /bin/false
>>>>> description: Computer
>>>>> gecos: Computer
>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
>>>>> displayName: THORIN$
>>>>> sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
>>>>> sambaPwdLastSet: 1304080571
>>>>> sambaAcctFlags: [W          ]
>>>>>
>>>> ---------------------------------------------------------------
>>>> ----------------------------
>>>>> [2] Machine account from command #smbldap-useradd -W, with a corrected
>>>>> SID:
>>>>>
>>>> ---------------------------------------------------------------
>>>> ----------------------------
>>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>>> cn: thorin$
>>>>> uid: thorin$
>>>>> uidNumber: 1002
>>>>> gidNumber: 515
>>>>> homeDirectory: /dev/null
>>>>> loginShell: /bin/false
>>>>> description: Computer
>>>>> gecos: Computer
>>>>> objectClass: posixAccount
>>>>> objectClass: account
>>>>> objectClass: sambaSamAccount
>>>>> sambaLogonTime: 0
>>>>> sambaLogoffTime: 2147483647
>>>>> sambaKickoffTime: 2147483647
>>>>> sambaPwdCanChange: 0
>>>>> sambaPwdMustChange: 2147483647
>>>>> sambaPwdLastSet: 1304078541
>>>>> sambaAcctFlags: [W          ]
>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>>> sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
>>>>> displayName: thorin$
>>>>> sambaDomainName: DOMAIN
>>>>>
>>>> ---------------------------------------------------------------
>>>> ----------------------------
>>>>> [3] Same as above with a sambaNTPassword field entered through LDIF:
>>>> ---------------------------------------------------------------
>>>> ----------------------------
>>>>> // same as above
>>>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>>>>
>>>> ---------------------------------------------------------------
>>>> ----------------------------
>>>>> [4] Entry from import:
>>>>>
>>>> ---------------------------------------------------------------
>>>> ----------------------------
>>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>>> uid: thorin$
>>>>>
>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>>> sambaLogonScript: netlogon.bat
>>>>> sambaLogonTime: 0
>>>>> sambaLogoffTime: 0
>>>>> sambaKickoffTime: 0
>>>>> sambaPwdCanChange: 1303228739
>>>>> sambaPwdMustChange: 2147483647
>>>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>>>> sambaPasswordHistory:
>>>>> 0000000000000000000000000000000000000000000000000000000000000000
>>>>> sambaPwdLastSet: 1303228739
>>>>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>>> sambaAcctFlags: [W          ]
>>>>> sambaBadPasswordCount: 0
>>>>> sambaBadPasswordTime: 0
>>>>>
>>>>> objectClass: sambaSamAccount
>>>>> objectClass: account
>>>>>
>>>> ---------------------------------------------------------------
>>>> ----------------------------
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>
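Added example, not code from this thread or from the Samba project: what the sambaNTPassword attribute the thread keeps circling around actually holds. It is the NT hash of the machine account's password, MD4 over the UTF-16LE encoding of the password, written as 32 upper-case hex digits (the same shape as the values in entries [1] to [4] above), which is why a value typed into an LDIF by hand only authenticates the workstation if it is the hash of the secret the workstation itself holds after the join. The DN, host name and hash in SAMPLE_LDIF are constructed.

```python
import struct

# Constructed sample entry (not from the thread): a hand-written machine account
# whose sambaNTPassword was set to the NT hash of the word "password".
SAMPLE_LDIF = """dn: uid=thorin$,ou=Computers,dc=example,dc=com
sambaAcctFlags: [W          ]
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
"""


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is frequently missing under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # Pad: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian 64-bit int.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, additive constant, shift schedule, message-word order)
        (F, 0x00000000, (3, 7, 11, 19), lambda i: i),
        (G, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i in range(16):
                a = rol((a + fn(b, c, d) + X[order(i)] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: each step updates the next one
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it in sambaNTPassword: MD4 over UTF-16LE, 32 upper-case hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ldif_nt_password_matches(ldif_entry: str, candidate_password: str) -> bool:
    """True if the entry's sambaNTPassword is the NT hash of candidate_password.

    A hand-entered value only works if it equals the hash of the machine password the
    workstation still holds; anything else yields the DC's failed credential check."""
    for line in ldif_entry.splitlines():
        if line.startswith("sambaNTPassword:"):
            return line.split(":", 1)[1].strip().upper() == nt_hash(candidate_password)
    return False  # attribute absent: the DC has no secret to verify the machine against
```

The same check run against the exported entry [4] would tell an admin whether the imported hash still corresponds to the password the workstation last negotiated with the old PDC.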


