Samba4 objectSid, and Samba 3 migration.

William E Jojo w.jojo at hvcc.edu
Fri Jun 3 12:00:13 MDT 2011



Hello all, 

I'm preparing several patches for myldap-pub.py.

In particular, I'm working on the sambaSID_to_objectSid function which doesn't seem to encode the SID properly - it remains a string, but the provisioned administrator user is definitely base64 encoded binary.

I looked at the http://freeipa.org/page/Samba_4_SID_Allocation_using_DNA_Plugin
stuff, but the identifier authority is greater than 6 bytes and the subauthorities look greater than 4 since the binary SID value is 48 bytes, if I did my base64 decoding properly.

My questions are:

1) What is the identifier authority size?
2) What is the subauthority size?
3) Is this stored in little endian?
4) Is there C/Python code that could lead me in the right direction?


Finally, if the objectSid is encoded properly and the unicodePwd is stored as the base64 NT hash, there only seems to be an issue with the Kerberos pre-init when using users from Samba3 imported into Samba4 using something like:

ldbadd -H ldap://localhost -x --nosync --verbose --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 ~/test.ldif

Or should the above be modified?

It seems to me that there may be an issue on adding users (as above) with ldbadd (because I could NOT login to Windows 7) since the following are missing:

nTSecurityDescriptor
supplementalCredentials
replPropertyMetaData


However, when I tried creating a user from Windows 7, joined to Samba4 using the Active Directory Users and Computers, I then did an ldbmodify with the unicodePwd from myldap-pub.py and IT WORKED! I could login to Windows 7! But my RID was not the one from Samba3. Our domain SID was perfect from the provision script.

I feel I am very close to being able to create the users in Samba4 that I have in Samba3 either by importing the LDIF from myldap-pub.py with some modifications or, at the very least, create the users in Samba 4 and then run ldbmodifies to change the base64 encoded password and SID.

Then I would have my user SAM migrated enough to survive not having to change permissions and ownership on MILLIONS of files spread across several NetApp devices and a Samba3 server.


What do you think? What pieces am I missing or not understanding?


Cheers,
Bill
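The four questions above about the binary objectSid format have fixed answers in the Windows SID wire layout (MS-DTYP): revision byte, sub-authority count byte, a 6-byte identifier authority stored big-endian, then each sub-authority as a 4-byte little-endian integer, so a SID with n sub-authorities is exactly 8 + 4*n bytes (28 bytes for S-1-5-21-x-y-z-rid). The code below is an added example written for this page; it is not from myldap-pub.py, from Samba, or from the FreeIPA page linked above. It encodes a Samba 3 sambaSID string into that binary form, renders it as the base64 "objectSid::" LDIF line that ldbadd expects, and decodes it back, with a length check so a blob of the wrong size (such as the 48-byte value mentioned above) is rejected rather than silently misread. The sample SID used in the main block is constructed for illustration.

```python
import base64
import struct

# Binary ("packed") Windows SID layout, which is what Samba 4 stores in objectSid:
#   byte 0      revision (always 1 today)
#   byte 1      number of sub-authorities (0..15)
#   bytes 2-7   identifier authority, 48-bit, BIG-endian
#   bytes 8..   sub-authorities, 32-bit each, LITTLE-endian
# A SID with n sub-authorities is therefore exactly 8 + 4*n bytes long.

MAX_SUB_AUTHORITIES = 15


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID such as S-1-5-21-a-b-c-rid into its binary form."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    try:
        revision = int(parts[1])
        ident_auth = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError("non-numeric component in SID: %r" % sid)
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if not 0 <= ident_auth < (1 << 48):
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities (%d)" % len(subs))
    if any(not 0 <= s < (1 << 32) for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits")
    header = struct.pack("<BB", revision, len(subs))      # revision, count
    authority = ident_auth.to_bytes(6, "big")             # 6 bytes, big-endian
    body = struct.pack("<%dI" % len(subs), *subs)         # 4 bytes each, little-endian
    return header + authority + body


def bytes_to_sid(blob: bytes) -> str:
    """Decode a binary SID back to S-R-I-S... form, checking the declared length."""
    if len(blob) < 8:
        raise ValueError("SID blob too short (%d bytes)" % len(blob))
    revision, count = blob[0], blob[1]
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError("sub-authority count %d out of range" % count)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob is %d bytes, expected %d for %d sub-authorities"
                         % (len(blob), 8 + 4 * count, count))
    ident_auth = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d%s" % (revision, ident_auth, "".join("-%d" % s for s in subs))


def objectsid_ldif_line(sid: str) -> str:
    """Render objectSid as an LDIF line; the double colon marks a base64 value."""
    return "objectSid:: " + base64.b64encode(sid_to_bytes(sid)).decode("ascii")


def objectsid_from_ldif_value(b64: str) -> str:
    """Inverse: turn the base64 value that ldbsearch prints back into a SID string."""
    return bytes_to_sid(base64.b64decode(b64))


if __name__ == "__main__":
    # Constructed sample: a Samba 3 style user SID (domain S-1-5-21-x-y-z, RID 1104).
    sample = "S-1-5-21-2127521184-1604012920-1887927527-1104"
    blob = sid_to_bytes(sample)
    print(len(blob), "bytes:", blob.hex())
    print(objectsid_ldif_line(sample))
    assert bytes_to_sid(blob) == sample
```

A quick sanity check is the well-known BUILTIN\Administrators SID S-1-5-32-544, which encodes to the 16-byte value 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 (base64 AQIAAAAAAAUgAAAAIAIAAA==); if a decoded objectSid is not 8 + 4*count bytes long, the base64 handling is the first thing to suspect. Samba's own Python bindings produce the same bytes via samba.ndr.ndr_pack(samba.dcerpc.security.dom_sid(sid_string)), which is a convenient cross-check when a Samba 4 install is at hand.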


More information about the samba-technical mailing list