Samba4 objectSid, and Samba 3 migration.
William E Jojo
w.jojo at hvcc.edu
Sat Jun 4 05:48:27 MDT 2011
Sent from my iPad
On Jun 4, 2011, at 5:59, "Stefan (metze) Metzmacher" <metze at samba.org> wrote:
> Hi Bill,
>
>> I'm preparing several patches for myldap-pub.py.
>>
>> In particular, I'm working on the sambaSID_to_objectSid function which doesn't seem to encode the SID properly - it remains a string, but the provisioned administrator user is definitely base64 encoded binary.
>>
>> I looked at the http://freeipa.org/page/Samba_4_SID_Allocation_using_DNA_Plugin
>> stuff, but the identifier authority is greater than 6 bytes and the subauthorities look greater than 4 since the binary SID value is 48 bytes, if I did my base64 decoding properly.
>>
>> My questions are:
>>
>> 1) What is the identifier authority size?
>> 2) What is the subauthority size?
>> 3) Is this stored in little endian?
>> 4) Is there C/Python code that could lead me in the right direction?
>>
>
> The ldbadd does this for you.
>
>> Finally, if the objectSid is encoded properly and the unicodePwd is stored as the base64 NT hash, there only seems to be an issue with the Kerberos pre-init when using users from Samba3 imported into Samba4 using something like:
>>
>> ldbadd -H ldap://localhost -x --nosync --verbose --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 ~/test.ldif
>>
>> Or should the above be modified?
>>
>> It seems to me that there may be an issue on adding users (as above) with ldbadd (because I could NOT login to Windows 7) since the following are missing:
>>
>> nTSecurityDescriptor
>
> are you really sure this is missing in the resulting db?
Is the ldbadd above correct?
>
>> supplementalCredentials
>
> That's not created as we don't have the plaintext password to
> generate the kerberos and digest hashes.
>
>> replPropertyMetaData
>
> are you really sure this is missing in the resulting db?
>
>> However, when I tried creating a user from Windows 7, joined to Samba4 using the Active Directory Users and Computers, I then did a ldbmodify with the unicodePwd from myldap-pub.py and IT WORKED! I could login to Windows 7! But my RID was not the one from Samba3. Our domain SID was perfect from the provision script.
>
> Could it be that the password is just expired in the ldif you're using?
Shouldn't be since it's from my live site.
>
> It should work without such hacks.
I will go back and try again and report back my success/failure.
>
> metze
>
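As an added example (not code from this thread or from myldap-pub.py), the binary objectSid layout behind questions 1 to 3 above: one byte of revision, one byte of sub-authority count, a 6-byte big-endian identifier authority, then 4-byte little-endian sub-authorities, so a five-sub-authority user SID packs to 28 bytes and appears in LDIF as 40 base64 characters. The SID string used at the bottom is constructed and the function names are my own; ldbadd does this packing for you, as noted above, but seeing it spelled out makes a mis-encoded value easy to spot.

```python
import base64
import struct

# Binary SID layout (MS-DTYP 2.4.2.2), the form AD stores in objectSid:
#   byte 0      revision (always 1)
#   byte 1      number of sub-authorities (at most 15)
#   bytes 2-7   identifier authority, 48-bit big-endian
#   bytes 8-..  sub-authorities, each 32-bit little-endian
SID_HEADER = struct.Struct(">BB6s")


def sid_string_to_bytes(sid):
    """Pack a textual SID such as "S-1-5-21-..." into its binary form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("SID out of range: %r" % sid)
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    header = SID_HEADER.pack(revision, len(subs), authority.to_bytes(6, "big"))
    return header + struct.pack("<%dI" % len(subs), *subs)


def sid_bytes_to_string(blob):
    """Inverse of sid_string_to_bytes; rejects blobs whose length disagrees with the count."""
    if len(blob) < SID_HEADER.size:
        raise ValueError("SID blob too short")
    revision, count, auth = SID_HEADER.unpack_from(blob)
    if len(blob) != SID_HEADER.size + 4 * count:
        raise ValueError("sub-authority count %d does not match %d-byte blob" % (count, len(blob)))
    subs = struct.unpack("<%dI" % count, blob[SID_HEADER.size:])
    return "S-%d-%d%s" % (revision, int.from_bytes(auth, "big"),
                          "".join("-%d" % s for s in subs))


def objectsid_ldif_line(sid):
    """Base64 the packed SID the way a binary attribute appears in LDIF ("objectSid:: ...")."""
    return "objectSid:: " + base64.b64encode(sid_string_to_bytes(sid)).decode("ascii")


if __name__ == "__main__":
    example = "S-1-5-21-1234567890-987654321-1122334455-1105"  # constructed, not a real domain SID
    packed = sid_string_to_bytes(example)
    print(len(packed), packed.hex())          # 28 bytes for a five-sub-authority SID
    print(objectsid_ldif_line(example))
    assert sid_bytes_to_string(packed) == example
```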