[Samba] Replacement pdc samba3 to samba4 nt classic
Gavrilov Aleksey
gavrilov at info74.ru
Wed Oct 12 04:58:14 UTC 2016
On 11.10.2016 17:22, Harry Jede via samba wrote:
> Am Dienstag, 11. Oktober 2016 schrieben Sie:
>> On 11.10.2016 13:52, Harry Jede via samba wrote:
>>> On 10:43:49 wrote Gavrilov Aleksey via samba:
>>> So far, you have destroyed your domain.
>>> Is the ldap directory on localhost in production or is this pc in a
>>> test lab?
>> It is a copy of the old server's LDAP directory.
>>
>>>> How do I introduce a new PDC in a domain?
>>> Only *one* PDC per domain is allowed! But one may have dozens of
>>> BDCs and member servers. So, do you have a working PDC?
>> I do not have a working PDC now.
>>
>>> Or should the new machine replace an old PDC?
>> Yes, it's a replacement.
>>
>>> Which LDAP server is in use? Which version?
>> slapd/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
>>
>>
>> The file system on the old server is damaged.
>> I was able to restore some files,
>> and I have backups of the old server.
>>
>> I'm trying to replace the PDC.
> OK, let us try to restore.
>
> You may post the following in a private mail.
> Post the output of these commands to give us some information:
>
> # the structure of your DIT
> # ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru hasSubordinates=TRUE dn
root at pdc:~# ldapsearch -xLLL -H ldapi:/// -b ou=arkhangelsk,dc=rugion,dc=ru hasSubordinates=TRUE dn
dn: ou=arkhangelsk,dc=rugion,dc=ru
dn: ou=users,ou=arkhangelsk,dc=rugion,dc=ru
dn: ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
dn: ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
dn: ou=users.deleted,ou=arkhangelsk,dc=rugion,dc=ru
> # the registered domains
> # ldapsearch -xLLL -H ldapi:/// '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName sambaSID
root at pdc:~# ldapsearch -xLLL -H ldapi:/// '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName sambaSID
No such object (32)
root at pdc:~# ldapsearch -xLLL -H ldapi:/// '(objectclass=sambasamaccount)' -b ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID
dn: uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-500
dn: uid=admin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1001
sambaAcctFlags: [U ]
dn: uid=udina,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1110
sambaAcctFlags: [U ]
dn: uid=bakova,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1007
sambaAcctFlags: [U ]
dn: uid=nobody,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaAcctFlags: [NUD ]
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-501
dn: uid=semakov,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1020
sambaAcctFlags: [U ]
dn: uid=voronin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1129
sambaAcctFlags: [U ]
dn: uid=chirkova,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1062
sambaAcctFlags: [U ]
...
>
> # the machines and or trust accounts
> # ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID
root at pdc:~# ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID
No such object (32)
root at pdc:~# ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' -b ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID
dn: uid=pdc$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1015
sambaAcctFlags: [S ]
dn: uid=wolf$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1025
sambaAcctFlags: [W ]
dn: uid=29get$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1086
sambaAcctFlags: [W ]
...
> # ls -l /var/lib/samba/
root at pdc:~# ls -l /var/lib/samba/
total 1832
-rw------- 1 root root 421888 Oct 7 16:02 account_policy.tdb
-rw------- 1 root root 696 Oct 6 11:24 group_mapping.tdb
drwxr-xr-x 10 root root 4096 Oct 6 11:24 printers
drwxr-xr-x 3 root root 4096 Oct 7 11:10 private
-rw------- 1 root root 528384 Oct 6 11:24 registry.tdb
-rw------- 1 root root 421888 Oct 6 11:24 share_info.tdb
drwxrwx--T 2 root sambashare 4096 Oct 6 11:24 usershares
-rw------- 1 root root 32768 Oct 11 11:19 winbindd_cache.tdb
-rw-r--r-- 1 root root 421888 Oct 10 11:48 winbindd_idmap.tdb
drwxr-x--- 2 root root 4096 Oct 11 11:19 winbindd_privileged
-rw-r--r-- 1 root root 2496 Oct 12 07:45 wins.dat
-rw------- 1 root root 24576 Oct 12 07:39 wins.tdb
>
> # cat /etc/nsswitch.conf
root at pdc:~# cat /etc/nsswitch.conf
ethers: db files
group: compat ldap winbind
hosts: files dns
netgroup: nis
networks: files
passwd: compat ldap winbind
protocols: db files
rpc: db files
services: db files
shadow: compat
> # cat /etc/pam_ldap.conf |egrep -v '^#|^$'
root at pdc:~# cat /etc/pam_ldap.conf |egrep -v '^#|^$'
cat: /etc/pam_ldap.conf: No such file or directory
root at pdc:~# cat /etc/ldap.conf |egrep -v '^#|^$'
host 127.0.0.1
base ou=arkhangelsk,dc=rugion,dc=ru
ldap_version 3
port 389
scope one
timelimit 30
bind_policy soft
idle_timelimit 3600
pam_password md5
nss_base_passwd ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_base_group ou=groups,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_base_passwd ou=computers,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_base_shadow ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_connect_policy persist
nss_paged_results yes
pagesize 1000
>
> # ls -l /etc/pam_ldap.secret
root at pdc:~# ls -l /etc/pam_ldap.secret
ls: cannot access '/etc/pam_ldap.secret': No such file or directory
> # cat /etc/pam.d/common-account|egrep -v '^#|^$'
root at pdc:~# cat /etc/pam.d/common-account|egrep -v '^#|^$'
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
> # cat /etc/pam.d/common-auth|egrep -v '^#|^$'
root at pdc:~# cat /etc/pam.d/common-auth|egrep -v '^#|^$'
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
> # cat /etc/pam.d/common-password|egrep -v '^#|^$'
root at pdc:~# cat /etc/pam.d/common-password|egrep -v '^#|^$'
password requisite pam_cracklib.so reject_username retry=3 minlen=18 difok=3 maxrepeat=2 minclass=4 lcredit=0 ucredit=2 dcredit=1 ocredit=1
password required pam_pwhistory.so use_authtok enforce_for_root remember=5
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
>
> # cat /etc/pam.d/common-session|egrep -v '^#|^$'
root at pdc:~# cat /etc/pam.d/common-session|egrep -v '^#|^$'
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
--
Sincerely, Gavrilov Aleksey
System Administrator
Ltd. "Hearst Shkulev Digital Rugion"
tel .: 8 (351) 729-94-90, ext. 345
mob. +7 999 581 7934
gavrilov at info74.ru
Chelyabinsk, st. Lesoparkovaya , 6, office 308