Samba4 objectSid, and Samba 3 migration.

Stefan (metze) Metzmacher metze at samba.org
Sat Jun 4 03:57:30 MDT 2011


Hi Bill,

> I'm preparing several patches for myldap-pub.py.
> 
> In particular, I'm working on the sambaSID_to_objectSid function, which doesn't seem to encode the SID properly - it remains a string, but the provisioned administrator user's value is definitely base64-encoded binary.
> 
> I looked at the http://freeipa.org/page/Samba_4_SID_Allocation_using_DNA_Plugin
> stuff, but the identifier authority is greater than 6 bytes and the subauthorities look greater than 4 since the binary SID value is 48 bytes, if I did my base64 decoding properly.
> 
> My questions are:
> 
> 1) What is the identifier authority size?
> 2) What is the subauthority size?
> 3) Is this stored in little endian?
> 4) Is there C/Python code that could lead me in the right direction?
> 

The ldbadd does this for you.

> Finally, if the objectSid is encoded properly and the unicodePwd is stored as the base64 NT hash, there only seems to be an issue with the Kerberos pre-init when using users from Samba3 imported into Samba4 using something like:
> 
> ldbadd -H ldap://localhost -x --nosync --verbose --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 ~/test.ldif
> 
> Or should the above be modified?
> 
> It seems to me that there may be an issue on adding users (as above) with ldbadd (because I could NOT login to Windows 7) since the following are missing:
> 
> nTSecurityDescriptor

Are you really sure this is missing in the resulting db?

> supplementalCredentials

That's not created as we don't have the plaintext password to
generate the kerberos and digest hashes.

> replPropertyMetaData

Are you really sure this is missing in the resulting db?

> However, when I tried creating a user from Windows 7, joined to Samba4 using the Active Directory Users and Computers, I then did a ldbmodify with the unicodePwd from myldap-pub.py and IT WORKED! I could login to Windows 7! But my RID was not the one from Samba3. Our domain SID was perfect from the provision script.

Could it be that the password is just expired in the ldif you're using?

It should work without such hacks.

metze
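The questions above about the identifier authority, sub-authority size and byte order concern the binary SID layout that ldb writes into objectSid. As an added illustration (not code from this thread or from Samba), the following Python packs a textual SID into that layout and back: one revision byte, one sub-authority count byte, a 6-byte big-endian identifier authority, then each sub-authority as a 32-bit little-endian unsigned integer. The sample SID is constructed for the example; the length check in the decoder catches blobs that are not 8 + 4*count bytes, which is the first thing to verify when a hand-built value does not match what the provision script produced.

```python
import base64
import struct

# Constructed sample values for this example (not a real domain).
SAMPLE_DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"
SAMPLE_ADMIN_SID = SAMPLE_DOMAIN_SID + "-500"


def sid_to_bytes(sid: str) -> bytes:
    """Pack "S-<rev>-<authority>-<sub>-..." into the binary objectSid layout.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority
    as an unsigned 32-bit little-endian integer.
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    auth_text = parts[2]
    # Windows renders authorities >= 2**32 in hex ("0x..."); accept both forms.
    authority = int(auth_text, 16) if auth_text.lower().startswith("0x") else int(auth_text)
    subs = [int(p) for p in parts[3:]]

    if not 0 <= revision <= 0xFF:
        raise ValueError("revision must fit in one byte")
    if not 0 <= authority < (1 << 48):
        raise ValueError("identifier authority must fit in 48 bits")
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")

    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for sub in subs:
        if not 0 <= sub <= 0xFFFFFFFF:
            raise ValueError(f"sub-authority {sub} does not fit in 32 bits")
        out += struct.pack("<I", sub)
    return out


def bytes_to_sid(blob: bytes) -> str:
    """Decode a binary objectSid, rejecting blobs whose length does not match the count byte."""
    if len(blob) < 8:
        raise ValueError("SID blob shorter than the 8-byte header")
    revision, count = blob[0], blob[1]
    expected = 8 + 4 * count
    if len(blob) != expected:
        raise ValueError(
            f"expected {expected} bytes for {count} sub-authorities, got {len(blob)}"
        )
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def ldif_object_sid(sid: str) -> str:
    """Render the attribute the way LDIF carries binary values: base64 after a double colon."""
    return "objectSid:: " + base64.b64encode(sid_to_bytes(sid)).decode("ascii")


if __name__ == "__main__":
    blob = sid_to_bytes(SAMPLE_ADMIN_SID)
    print(len(blob), blob.hex())
    print(ldif_object_sid(SAMPLE_ADMIN_SID))
    print(bytes_to_sid(blob))
```

For a domain SID with the usual 21-x-y-z layout plus a RID, the packed value is 28 bytes; a decoded value of any other length means the encoder, not the base64 step, is the problem.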
