LDAP-SAM and Samba 2.2

Erik Persson erik at roxen.com
Mon Dec 3 10:05:15 GMT 2001


On Sat, 1 Dec 2001, Erik Persson wrote:

> On Fri, 30 Nov 2001, David Highley wrote:
>
> > "Erik Persson wrote:"
> > >
> > > Hi!
> > >
> > > I am experimenting with the PDC features of Samba 2.2 with the LDAP SAM
> > > backend. This is going fairly well, except any attempt to join the domain
> > > fails due to some confusion within smbd concerning what the RID for the
> > > workstation account should be.
> >
> > There was a posting in the last couple of days that indicated that
> > cvs patches were needed to get Samba 2.2.2 to operate with LDAP.

Now I'm starting to get desperate. If there is anybody out there who has
any clue on what might be wrong, please let me know.

So now I have fetched the SAMBA_2_2 branch from cvs (the LDAP parts in 3.0
won't compile) and have still no luck getting a client to join the domain.

As far as I can see, this happens:

* Client requests to join domain and supplies root login and password

* Samba creates initial machine account data with my script. The script
  creates an account with basic sambaAccount, posixAccount and
  shadowAccount properties so that the user is also instantly created in the
  Unix context.

* Samba adds lmPassword, ntPassword, rid, primaryGroupID and more in LDAP.
  rid and primaryGroupID values seem to be correctly calculated
  (15000/15001 for a uidNumber/gidNumber of 7000/7000).

* By now, I cannot make out anything definitive from the log (debuglevel
  3), but the client thinks at last that it has joined the domain.

Observations:

* The lmPassword and ntPassword LDAP attributes contain suspicious data
  after the join operation. If the initial passwords for "roadrunner$" was
  DC12FFA682C3844D2E87078C29EC8618:63911FAC3D75FECB66C48A17A30C5F9D, samba
  changes them to
  0029170800000000002E1E388B7B9D9B:0000000100000002002DF49000000000 during
  the join operation. What's with all the zeroes?

* If I don't set acctFlags within the "add user script" script to
  [W          ], samba will set acctFlags to [DW         ]. Is this a good
  thing or a bad thing?

* I use PADL nss_ldap and pam_ldap to import LDAP users and groups to the
  operating system. The operating system in question is Solaris 8.

Questions:

* How is the password generated that is used to generate the final lm/nt
  hashes for the machine account? Where in the Samba code does this
  happen?

* What value for "debug level" should I use to get information that might
  lead me to a solution?

Any thoughts will be greatly appreciated,
/Erik

-- 
Erik Persson, System Manager            <erik at roxen.com>
Roxen Internet Software                 Voice:  +46 13 376817
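The sequence described in the post (the "add user script" creating the basic account, then Samba filling in rid, primaryGroupID and acctFlags) can be checked offline. The following is an added example and not code from the post or from Samba itself. It assumes the algorithmic RID mapping that Samba 2.2 uses for LDAP SAM accounts without an explicit RID: user RID = uidNumber * 2 + 1000 and group RID = gidNumber * 2 + 1001, which reproduces the 15000/15001 pair reported for uidNumber/gidNumber 7000/7000. The base DN, home directory and login shell are placeholders, and the sambaAccount attribute names are those of the Samba 2.2 LDAP schema.

```python
"""Helpers for a Samba 2.2 LDAP SAM machine-account "add user script".

Added example (not from the original post or from Samba). It emits the
LDIF an add-user script could feed to ldapadd, computes the RID values
Samba 2.2 is expected to write afterwards, and validates the fixed-width
acctFlags field so a stored value can be compared with what was intended.
"""

# Assumption: Samba 2.2's algorithmic RID mapping (base 1000).
ALGORITHMIC_RID_BASE = 1000
# The acctFlags field is 11 characters between the square brackets,
# e.g. "[W          ]" for a workstation trust account.
ACCT_FLAGS_WIDTH = 11
# Placeholders: adjust to the directory in use.
BASE_DN = "dc=example,dc=com"
USERS_OU = "ou=People," + BASE_DN


def uid_to_user_rid(uid_number: int) -> int:
    """User RID for a uidNumber under the assumed algorithmic mapping."""
    return uid_number * 2 + ALGORITHMIC_RID_BASE


def gid_to_group_rid(gid_number: int) -> int:
    """Group RID (primaryGroupID) for a gidNumber under the same mapping."""
    return gid_number * 2 + ALGORITHMIC_RID_BASE + 1


def format_acct_flags(flags: str) -> str:
    """Build a correctly padded acctFlags value such as '[W          ]'."""
    if len(flags) > ACCT_FLAGS_WIDTH:
        raise ValueError("too many account flags: %r" % flags)
    return "[" + flags.ljust(ACCT_FLAGS_WIDTH) + "]"


def parse_acct_flags(field: str) -> set:
    """Return the set of flag letters in a stored acctFlags value.

    Rejects values whose width is wrong, which is the usual cause of
    Samba ignoring a hand-written acctFlags attribute.
    """
    if len(field) != ACCT_FLAGS_WIDTH + 2 or field[0] != "[" or field[-1] != "]":
        raise ValueError("malformed acctFlags field: %r" % field)
    return set(field[1:-1].replace(" ", ""))


def machine_account_ldif(machine_name: str, uid_number: int, gid_number: int) -> str:
    """LDIF for the initial workstation trust account created by the script.

    Only the posixAccount/shadowAccount/sambaAccount basics and acctFlags
    are written here; rid, primaryGroupID and the password hashes are
    what Samba adds on its own during the join.
    """
    sam_name = machine_name.lower() + "$"
    lines = [
        "dn: uid=%s,%s" % (sam_name, USERS_OU),
        "objectClass: top",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "objectClass: sambaAccount",
        "uid: " + sam_name,
        "cn: " + sam_name,
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: /dev/null",   # placeholder: trust accounts need no home
        "loginShell: /bin/false",     # placeholder: no interactive login
        "acctFlags: " + format_acct_flags("W"),
    ]
    return "\n".join(lines) + "\n"


def expected_samba_values(uid_number: int, gid_number: int) -> dict:
    """The rid/primaryGroupID values Samba 2.2 should write for this account."""
    return {
        "rid": uid_to_user_rid(uid_number),
        "primaryGroupID": gid_to_group_rid(gid_number),
    }


if __name__ == "__main__":
    print(machine_account_ldif("roadrunner", 7000, 7000))
    print(expected_samba_values(7000, 7000))
```

Running the script prints the LDIF for a `roadrunner$` trust account and the rid/primaryGroupID pair (15000/15001) to compare against what smbd wrote into the directory; `parse_acct_flags` can be applied to the stored attribute to confirm the field has the exact width Samba expects.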