Samba4 objectSid, and Samba 3 migration.

William E Jojo w.jojo at hvcc.edu
Sat Jun 4 05:48:27 MDT 2011



Sent from my iPad

On Jun 4, 2011, at 5:59, "Stefan (metze) Metzmacher" <metze at samba.org> wrote:

> Hi Bill,
> 
>> I'm preparing several patches for myldap-pub.py.
>> 
>> In particular, I'm working on the sambaSID_to_objectSid function which doesn't seem to encode the SID properly - it remains a string, but the provisioned administrator user is definitely base64 encoded binary.
>> 
>> I looked at the http://freeipa.org/page/Samba_4_SID_Allocation_using_DNA_Plugin
>> stuff, but the identifier authority is greater than 6 bytes and the subauthorities look greater than 4 since the binary SID value is 48 bytes, if I did my base64 decoding properly.
>> 
>> My questions are:
>> 
>> 1) What is the identifier authority size?
>> 2) What is the subauthority size?
>> 3) Is this stored in little endian?
>> 4) Is there C/Python code that could lead me in the right direction?
>> 
> 
> The ldbadd does this for you.
> 
>> Finally, if the objectSid is encoded properly and the unicodePwd is stored as the base64 NT hash, there only seems to be an issue with the Kerberos pre-init when using users from Samba3 imported into Samba4 using something like:
>> 
>> ldbadd -H ldap://localhost -x --nosync --verbose --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 ~/test.ldif
>> 
>> Or should the above be modified?
>> 
>> It seems to me that there may be an issue on adding users (as above) with ldbadd (because I could NOT login to Windows 7) since the following are missing:
>> 
>> nTSecurityDescriptor
> 
> Are you really sure this is missing in the resulting db?

Is the ldbadd above correct?

> 
>> supplementalCredentials
> 
> That's not created as we don't have the plaintext password to
> generate the kerberos and digest hashes.
> 
>> replPropertyMetaData
> 
> Are you really sure this is missing in the resulting db?
> 
>> However, when I tried creating a user from Windows 7, joined to Samba4 using the Active Directory Users and Computers, I then did a ldbmodify with the unicodePwd from myldap-pub.py and IT WORKED! I could login to Windows 7! But my RID was not the one from Samba3. Our domain SID was perfect from the provision script.
> 
> Could it be that the password is just expired in the ldif you're using?

Shouldn't be since it's from my live site.


> 
> It should work without such hacks.

I will go back and try again and report back my success/failure.

> 
> metze
> 

