[Samba] [PATCH] Re: Changing administrator password after Samba4 classic upgrade

Andrew Bartlett abartlet at samba.org
Fri Dec 21 18:55:10 MST 2012 

On Thu, 2012-12-20 at 22:55 +1300, Mario Codeniera wrote:
> I used to upgrade samba3 to samba4 with almost successful with one problem,
> administrator can't access. As administrator, by default it is the only
> user account that is given full control over the system.
> 
> My query is how to change the administrator password? we have one account
> which can join to the samba 4 AD based on the migrated data but the problem
> can't change the administrator or can't alter the domain.

> After that re-run the classic upgrade, and found out that the administrator
> SID was wrong and modified to xxx-500 where xxx domain SID and modified
> group Administrators because there are other domain SIDs.
> 
> *- (remove the description, displaying only the last part)
> -
> Importing idmap database
> Importing groups
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
> groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
> groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
> groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
> Group already exists sid=S-1-5-32-544, groupname=Administrators
> existing_groupname=Administrators, Ignoring.
> Group already exists sid=S-1-5-32-545, groupname=Users
> existing_groupname=Users, Ignoring.
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513,
> groupname=Domain Users existing_groupname=Domain Users, Ignoring.
> Importing users
> User 'Administrator' in your existing directory has SID
> S-1-5-21-1511653421-423844657-761698953-20001, expected it to be
> S-1-5-21-1511653421-423844657-761698953-500
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: User 'Administrator' in your existing directory does not
> have SID ending in -500
>   File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 1318, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 889, in upgrade_from_samba3
>     raise ProvisioningError("User 'Administrator' in your existing
> directory does not have SID ending in -500")*
> 
> 
> Finally got this with no errors, but again the administrator can't login
> even using the kinit. As mentioned above I used to login other user in
> Windows 7 and run the Windows Remote Administration Tools and able to check
> the data is successfully migrated including administrator (but the problem
> it was changed during upgrading) and I observed in the log see highlighted.
> And every time I run the samba-tool domain classicupgrade, the Admin
> password: (see other highlighted below) have different values (
> >0ngHrG~IIMHZ>DhNIP    YOU<AKoN~+wPZ!Am *  * SXJ96re1=zYO* *respectively).

This is interesting, as at one point we had logic to not show these
unused passwords. 

I've attached a patch that should do this, let me know if it makes the
output (which I agree is very, very verbose) clearer. 

> *
> [root at gaara ambot]# /usr/local/samba/bin/samba-tool domain classicupgrade
> --dbdir=/srv/LiveData/var_lib_samba/samba --use-xattrs=yes
> --dns-backend=SAMBA_INTERNAL --realm=kazekage.sura.sandbox.local
> /srv/smb.conf
> Reading smb.conf

What it should have said was 'using the existing admin password of user
root/administrator'.  So, try the old password, but if neither the old
password nor the generated one works, you can reset it using 'samba-tool
user setpassword administrator'

> Thank you, hope someone can give insights on it.

Thanks for your patience with this.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-samba-tool-classicupgrade-Do-not-print-the-admin-pas.patch
Type: text/x-patch
Size: 1744 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20121222/0957f5ff/attachment.bin>

More information about the samba mailing list