Upgrade leaves an inoperate Administrator account [Was: Upgrade from S3 to a Samba4 DC]

Andrew Bartlett abartlet at samba.org
Tue Sep 20 09:16:04 MDT 2011 

On Mon, 2011-09-19 at 22:20 +0200, Pavel Herrmann wrote:
> On Monday 19 of September 2011 16:03:20 Adam Tauno Williams wrote:
> > Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> > > Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> > >> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> > >>> Quoting Adam Tauno Williams <awilliam at whitemice.org>
> > >>> 
> > >>>> Quoting Andrew Bartlett <abartlet at samba.org>:
> > >>>>> The command has also been renamed in preparation for the Samba
> > >>>>> 4.0 alpha 17 release, it is now 'samba domain samba3upgrade'.
> > >>>> 
> > >>>> I'm puzzled by how to read that.  Does that mean I use the
> > >>>> "samba" program to invoke the upgrade?  After a git pull the
> > >>>> previous upgrade script is gone;  but the syntax to get the same
> > >>>> functionality doesn't seem obvious.
> > >>>> /opt/s4/sbin/samba domain samba3upgrade --help
> > >>>> doesn't provide any insight.
> > >>> 
> > >>> Ah ha!  You meant "samba-tool domain samba3upgrade"
> > >> 
> > >> smbclient --version
> > >> Version 4.0.0alpha18-GIT-fa5475e
> > >> This works, with one bug.  It doesn't generate an Administrator
> > >> password (which the previous script would auto-generate one).
> > >> $ export PATH=$PATH:/opt/s4/bin:/opt/s4/sbin
> > >> $ samba-tool domain samba3upgrade --libdir=/tmp/x /tmp/x/smb.conf
> > >> ....
> > >> Server Role:           domain controller
> > >> Hostname:              BARBEL
> > >> NetBIOS Domain:        BACKBONE
> > >> DNS Domain:            micore.us
> > >> DOMAIN SID:            S-1-5-21-2037442776-**************
> > >> Admin password:        None  <<<< ????
> > >> Importing WINS database
> > >> Importing Account policy
> > >> ....
> > >> Which then leaves me puzzled how to set an administrator password.
> > >> "samba-tool domain samba3upgrade --help" doesn't mention a
> > >> parameter to predetermine one.
> > >> "samba-tool user password --username=administrator" prompts for a
> > >> password.  Entering a blank password doesn't seem to explicitly
> > >> fail but the operation fails with -
> > >> ERROR: Failed to change password : Connection to SAMR pipe of PDC
> > >> of domain 'BACKBONE' failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > > 
> > > linux-hvej:~ # samba-tool domain samba3upgrade --libdir=/tmp/x
> > > --adminpass=somepassword /tmp/x/smb.conf
> > > Usage: samba-tool domain samba3upgrade [options] <samba3_smb_conf>
> > > 
> > > samba-tool: error: no such option: --adminpass
> > 
> > I can't get to a working Administrator account.
> > 
> >   --- set the administrator password with "setpassword"
> > 
> > linux-hvej:~ # /opt/s4/sbin/samba-tool user setpassword administrator
> > New Password:
> > Changed password OK
> > 
> >   --- kinit says my password expired, and can't change it (???)
> > 
> > linux-hvej:~ # kinit administrator at MICORE.US
> > Password for administrator at MICORE.US:
> > Password expired.  You must change it now.
> > Enter new password:
> > Enter it again:
> > kinit: Password has expired while getting initial credentials4
> 
> you can try setting passwords to never expire
> 
> samba-tool pwsettings set --max-pwd-age=0

If this is required, it means that the password polices were not
upgraded correctly.  This was a bug in earlier versions of this tool,
but I thought it had been fixed. 

Adam,

If this is still happening with current GIT, can you get me the ldif of
your domain object?  I want to check that the maxPwdAge is is negative
nanoseconds, not positive seconds.  (NTTIME vs unix time).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list