New user passwords?

Charles Tryon charles.tryon at gmail.com
Tue Oct 18 12:40:13 MDT 2011


On Sun, Oct 16, 2011 at 9:25 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Sun, 2011-10-16 at 20:03 -0400, Charles Tryon wrote:
> > On Fri, Oct 14, 2011 at 5:41 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > > On Fri, 2011-10-14 at 17:35 -0400, Charles Tryon wrote:
> > > > On Fri, Oct 14, 2011 at 5:27 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> > > >
> > > > > On Fri, 2011-10-14 at 17:18 -0400, Charles Tryon wrote:
> > > > > > When using samba-tool to create new Samba4 users from the command line, is
> > > > > > there any way to:
> > > > > >
> > > > > >     (1) specify the Unix userid (xidNumber) on the command line
> > > > > >
> > > > > >     (2) specify the password using an existing password hash, for example,
> > > > > > from the output of "pdbedit -L -w" on an existing Samba3 box?
> > > > >
> > > > > If you wish to upgrade users from Samba3, see the 'samba-tool domain
> > > > > samba3upgrade' command.
> > > > >
> > > > > This python script also gives a good example about how you might perform
> > > > > other manual imports of users.
> > > > >
> > > > > Andrew Bartlett
> > > > >
> > > >
> > > >
> > > > Unfortunately, my old domain is based on a pretty old version of Samba
> > > > (3.0.9-2) and basically barfs the samba3upgrade script.
> > >
> > > What fails?  I'm happy to make reasonable modifications to the script to
> > > have it import older databases.  It runs (mostly) the same backend code
> > > that an upgrade to Samba 3.6 would trigger, so it should be pretty
> > > reasonable to fix these issues.
> > >
> >
> > I'll see if I can replicate the error and give you some more specifics.
> > This was a pretty old database, running on a very tweaked out Linux
> > install, which has already gone through a couple of migrations, and there
> > are likely Bad Things in it to cause the error, so it's altogether possible
> > that it's not the fault of the script.
> >
> > The Samba4 project has a very good HOWTO, which though there are sometimes
> > problems, I've noticed that people are working to keep it up to date, and
> > it's been HUGELY helpful getting Samba4 running.  I'm wondering if there is
> > any sort of guide to the conversion process.  There is some help in the
> > script itself, and sometimes you get an error message, but for someone who
> > hasn't been immersed in its function, I feel pretty clueless.  Any kind of
> > pointers would be helpful...
> >
> > What I have done is copy over the old /etc/samba (with the contained tdb
> > user databases) and /usr/lib/samba to the new Samba4 system.  I've then run
> > the tool:
> >
> > <samba4:ctryon>? sudo /usr/local/samba/sbin/samba-tool domain samba3upgrade --libdir /usr/lib/samba3 -d 256 /etc/samba3/smb.conf
>
> The tool runs best on the system with the old binaries also on it, as
> you can then run it like:
> sudo /usr/local/samba/sbin/samba-tool domain samba3upgrade -d 256 /etc/samba/smb.conf --testparm=/usr/bin/testparm
>
> That way, we get to know the compiled-in default paths that are not in
> your smb.conf.  The --libdir option you used is also quite valid, and in
> that case all the tdb files must be in the pointed-at directory.  In
> your specific case you were missing secrets.tdb.
>
> Attached is a proposed fix which will make this clearer, if you could
> test it both with and without the secrets.tdb file.  If successful I can
> put it into the tree to help the next person.
>
> A wiki page with an upgrade HOWTO is a very good idea, and I would
> welcome anyone who wishes to start on one, otherwise I'll try to get to
> it soon.


(Boy, it's been a few years since I've been able to do development work, so
I'm really blowing off some cobwebs here!!)

I was able to apply the patch, re-run the make and install scripts.

The old system has so many low level mods and cross-dependencies that I
don't think there is any way to even attempt to build the Samba4 on the old
box.  That's one reason I'm trying to get OFF of that platform!

QUESTION:  I was assuming that the --libdir was pointing to the "lib"
directory, which in my case would be /usr/lib/samba3.  However, the help
text seems to indicate that the "libdir" is where the database is located!
(i.e., /etc/samba3)


As I said before, I copied from the old system to the new system:
    /etc/samba -> /etc/samba3
    /usr/lib/samba -> /usr/lib/samba3

<samba4:samba3>? ls -al
total 308
drwxr-xr-x    2 root root   4096 Oct 18 13:38 ./
drwxr-xr-x. 112 root root  12288 Oct 16 19:56 ../
-rw-r--r--    1 root root     20 Nov 23  2004 lmhosts
-rw-------    1 root root 245760 Oct  6 17:32 passdb.tdb
-rw-------    1 root root   8192 Sep 27  2004 secrets.tdb
-rw-r--r--    1 root root   8108 Sep 23 13:08 smb.conf
-rw-------    1 root root  18241 Nov 22  2006 smbpasswd
-rw-r--r--    1 root root   5816 Jun 24 16:46 smbusermap
-rw-r--r--    1 root root     97 Nov 23  2004 smbusers

---------------------- On the OLD system:

<adam:etc>? sudo testparm
Password:
Load smb config files from /etc/samba/smb.conf
Processing section "[app]"
Processing section "[arc]"
Processing section "[dat]"
Processing section "[cdrom]"
Processing section "[crmin-media]"
Processing section "[dept-crmin]"
Processing section "[dept-dev]"
Processing section "[dept-exec]"
Processing section "[dept-fin]"
Processing section "[dept-hsi]"
Processing section "[dept-india]"
Processing section "[dept-it]"
Processing section "[dept-membr]"
Processing section "[dept-ops]"
Processing section "[dept-pers]"
Processing section "[dept-recr]"
Processing section "[doc]"
Processing section "[omssdat]"
Processing section "[txt]"
Processing section "[homes]"
Processing section "[linux]"
Processing section "[netlogon]"
Processing section "[pdf]"
Processing section "[printers]"
Processing section "[profiles]"
Processing section "[publish]"
Processing section "[team]"
Processing section "[tmp]"
Processing section "[www]"
Processing section "[pcbackup]"
Processing section "[install]"
Processing section "[pc-info]"
Processing section "[sftp]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = OMUSA
netbios aliases = NTINSTALL
server string = ""
interfaces = 10.4.1.1/23
passdb backend = tdbsam
passwd program = /usr/local/sbin/sysadm-samba.pl --changepw=%u
passwd chat = *new*password* %n\n *changed*
username map = /etc/samba/smbusermap
password level = 1
unix password sync = Yes
log level = 1
smb ports = 139 445
read raw = No
name resolve order = wins bcast
time server = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192
SO_SNDBUF=8192
name cache timeout = 60
printcap name = /etc/printcap
add machine script = /usr/sbin/adduser -n -g machines -c Machine -d
/dev/null -s /bin/false %u
logon script = OMLOGON.CMD
logon path =
logon drive = N:
logon home = \\%L\%U
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
wins support = Yes
message command = bash -c 'cat %s | logger -t %f' &
printer admin = @dom_admin
read only = No
force create mode = 0660
directory mask = 02770
force directory mode = 02000
map acl inherit = Yes
min print space = 2048
printing = lprng
cups options = "raw"
print command = /usr/bin/lpr -P%p -Ccut.no_ff %s; rm %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
lppause command = lpc hold '%p' %j
lpresume command = lpc release '%p' %j
queuepause command = lpc stop '%p'
queueresume command = lpc start '%p'
veto files = lost+found/proc/dev
veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF
dos filetimes = Yes
dos filetime resolution = Yes

...
[homes]
comment = Your home directory
force create mode = 00

...
[netlogon]
comment = Domain logon service
path = /usr/local/samba/netlogon
write list = root, @dom_admin
read only = Yes
browseable = No
root preexec = sh -c 'date >> /usr/local/samba/netlogon/loglog//%u.log'
...
(Lots of individual shares snipped...)



<samba4:dev>? sudo /usr/local/samba/sbin/samba-tool domain samba3upgrade
 --libdir /usr/lib/samba3 -d 256 /etc/samba3/smb.conf
[sudo] password for ctryon:
INFO: Current debug levels:
  all: 256
  tdb: 256
  printdrivers: 256
  lanman: 256
  smb: 256
  rpc_parse: 256
  rpc_srv: 256
  rpc_cli: 256
  passdb: 256
  sam: 256
  auth: 256
  winbind: 256
  vfs: 256
  idmap: 256
  quota: 256
  acls: 256
  locking: 256
  msdfs: 256
  dmapi: 256
  registry: 256
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Reading smb.conf
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba3/smb.conf"
Processing section "[global]"
doing parameter wins support = yes
doing parameter dns proxy = yes
doing parameter message command = bash -c 'cat %s | logger -t %f' &
doing parameter name resolve order = wins bcast
doing parameter security = user
doing parameter time server = yes
doing parameter server string = ""
doing parameter interfaces = 10.4.1.1/23
doing parameter username map = /etc/samba/smbusermap
doing parameter printing = lprng
doing parameter load printers = yes
doing parameter printcap = /etc/printcap
doing parameter cups options = "raw"
doing parameter printer admin = @dom_admin
WARNING: The "printer admin" option is deprecated
doing parameter print command = /usr/bin/lpr -P%p -Ccut.no_ff %s; rm %s
doing parameter socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter read raw = no
doing parameter large readwrite = yes
doing parameter kernel oplocks = yes
doing parameter veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF
doing parameter smb ports = 139 445
doing parameter force create mode = 660
doing parameter directory mask = 2770
doing parameter force directory mode = 2000
doing parameter dos filetimes = yes
doing parameter min print space = 2048
doing parameter veto files = lost+found/proc/dev
doing parameter read only = no
doing parameter dos filetime resolution = yes
doing parameter passdb backend = tdbsam guest
doing parameter encrypt passwords = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/local/sbin/sysadm-samba.pl--changepw=%u
doing parameter passwd chat = *new*password* %n\n *changed*
doing parameter passdb backend = tdbsam
doing parameter add machine script = /usr/sbin/adduser -n -g machines -c
Machine -d /dev/null -s /bin/false %u
doing parameter logon drive = N:
doing parameter logon home = \\%L\%U
doing parameter logon path =
doing parameter netbios name = ADAM
doing parameter netbios aliases = NTINSTALL
doing parameter name cache timeout = 60
doing parameter workgroup = OMUSA
doing parameter dos charset = CP850
doing parameter debug level = 1
WARNING: The "null passwords" option is deprecated
WARNING: The "password level" option is deprecated
WARNING: The "share modes" option is deprecated
WARNING: The "share modes" option is deprecated
Provisioning
ERROR(<type 'exceptions.TypeError'>): uncaught exception - not enough
arguments for format string
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
line 135, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
629, in run
    useeadb=eadb)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line
475, in upgrade_from_samba3
    raise ProvisioningError("Could not open '%s', the Samba3 secrets
database: %s.  Perhaps you specified the incorrect smb.conf, --testparm or
--libdir option?" % samba3.privatedir_path("secrets.tdb"), str(e))


-------------------SECOND VARIATION (where "--libdir" points to the
/etc/samba3 database directory):

<samba4:dev>? sudo /usr/local/samba/sbin/samba-tool domain samba3upgrade
 --libdir /etc/samba3 -d 256 /etc/samba3/smb.conf
INFO: Current debug levels:
  all: 256
  tdb: 256
  printdrivers: 256
  lanman: 256
  smb: 256
  rpc_parse: 256
  rpc_srv: 256
  rpc_cli: 256
  passdb: 256
  sam: 256
  auth: 256
  winbind: 256
  vfs: 256
  idmap: 256
  quota: 256
  acls: 256
  locking: 256
  msdfs: 256
  dmapi: 256
  registry: 256
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Reading smb.conf
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba3/smb.conf"
Processing section "[global]"
doing parameter wins support = yes
doing parameter dns proxy = yes
doing parameter message command = bash -c 'cat %s | logger -t %f' &
doing parameter name resolve order = wins bcast
doing parameter security = user
doing parameter time server = yes
doing parameter server string = ""
doing parameter interfaces = 10.4.1.1/23
doing parameter username map = /etc/samba/smbusermap
doing parameter printing = lprng
doing parameter load printers = yes
doing parameter printcap = /etc/printcap
doing parameter cups options = "raw"
doing parameter printer admin = @dom_admin
WARNING: The "printer admin" option is deprecated
doing parameter print command = /usr/bin/lpr -P%p -Ccut.no_ff %s; rm %s
doing parameter socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter read raw = no
doing parameter large readwrite = yes
doing parameter kernel oplocks = yes
doing parameter veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF
doing parameter smb ports = 139 445
doing parameter force create mode = 660
doing parameter directory mask = 2770
doing parameter force directory mode = 2000
doing parameter dos filetimes = yes
doing parameter min print space = 2048
doing parameter veto files = lost+found/proc/dev
doing parameter read only = no
doing parameter dos filetime resolution = yes
doing parameter passdb backend = tdbsam guest
doing parameter encrypt passwords = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/local/sbin/sysadm-samba.pl--changepw=%u
doing parameter passwd chat = *new*password* %n\n *changed*
doing parameter passdb backend = tdbsam
doing parameter add machine script = /usr/sbin/adduser -n -g machines -c
Machine -d /dev/null -s /bin/false %u
doing parameter logon drive = N:
doing parameter logon home = \\%L\%U
doing parameter logon path =
doing parameter netbios name = ADAM
doing parameter netbios aliases = NTINSTALL
doing parameter name cache timeout = 60
doing parameter workgroup = OMUSA
doing parameter dos charset = CP850
doing parameter debug level = 1
WARNING: The "null passwords" option is deprecated
WARNING: The "password level" option is deprecated
WARNING: The "share modes" option is deprecated
WARNING: The "share modes" option is deprecated
Provisioning
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: No realm specified in smb.conf file and being a DC. That
upgrade path doesn't work! Please add a 'realm' directive to your old
smb.conf to let us know which one you want to use (it is the DNS name of the
AD domain you wish to create.
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
line 135, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
629, in run
    useeadb=eadb)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line
484, in upgrade_from_samba3
    raise ProvisioningError("No realm specified in smb.conf file and being a
DC. That upgrade path doesn't work! Please add a 'realm' directive to your
old smb.conf to let us know which one you want to use (it is the DNS name of
the AD domain you wish to create.")

---------------------------------
This looks like an error in how my old domain was set up in the original
system ("No realm specified in smb.conf"), which wouldn't surprise me in the
least!  This seems strange though, since according to the notes in the
smb.conf file, the "realm" parameter is only supposed to be used when you
are using "security=ads".




-- 
    Charles Tryon
_________________________________________________________________________
      "It's the job that's never started that takes longest to finish."
                                 -- Samwise Gamgee
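
The first traceback above ends in a TypeError ("not enough arguments for format string") instead of the intended ProvisioningError, because the raise line applies `%` to one value and passes `str(e)` as a separate argument, so the real reason secrets.tdb could not be opened is never reported. The following is an added example, not part of the original message and not Samba's code: `ProvisioningError` is a stand-in class, and `open_secrets`, `upgrade_buggy`, `upgrade_fixed` and `outcome` are hypothetical names; only the message text is taken from the traceback.

```python
import os
import tempfile


class ProvisioningError(Exception):
    """Stand-in for samba.provision.ProvisioningError (assumed plain Exception)."""


MSG = ("Could not open '%s', the Samba3 secrets database: %s.  Perhaps you "
       "specified the incorrect smb.conf, --testparm or --libdir option?")


def open_secrets(private_dir):
    """Hypothetical helper: read the first bytes of secrets.tdb, IOError if absent."""
    with open(os.path.join(private_dir, "secrets.tdb"), "rb") as fh:
        return fh.read(4)


def upgrade_buggy(private_dir):
    path = os.path.join(private_dir, "secrets.tdb")
    try:
        return open_secrets(private_dir)
    except IOError as e:
        # '%' binds tighter than ',', so this is ProvisioningError((MSG % path), str(e)).
        # MSG has two %s but receives one value: formatting raises TypeError
        # before ProvisioningError is ever constructed, hiding the I/O error.
        raise ProvisioningError(MSG % path, str(e))


def upgrade_fixed(private_dir):
    path = os.path.join(private_dir, "secrets.tdb")
    try:
        return open_secrets(private_dir)
    except IOError as e:
        # A parenthesised tuple fills both placeholders.
        raise ProvisioningError(MSG % (path, str(e)))


def outcome(func, private_dir):
    """Return (exception class name, message) raised by func, or (None, None)."""
    try:
        func(private_dir)
    except Exception as e:
        return type(e).__name__, str(e)
    return None, None


if __name__ == "__main__":
    empty_dir = tempfile.mkdtemp()  # constructed input: directory without secrets.tdb
    print(outcome(upgrade_buggy, empty_dir))
    print(outcome(upgrade_fixed, empty_dir))
```

The buggy form only misbehaves on the error path, which is why it surfaces when secrets.tdb is missing and not during a successful run.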

