samba3upgrade migration results, issues, questions

Sergey Urushkin urushkin at telros.ru
Thu May 3 07:26:56 MDT 2012



Andrew Bartlett wrote on 03.05.2012 16:32:
> On Thu, 2012-05-03 at 15:15 +0400, Sergey Urushkin wrote:
>>
>> Andrew Bartlett wrote on 02.05.2012 07:30:
>> > On Tue, 2012-04-24 at 16:22 +0400, Sergey Urushkin wrote:
>> >>
>> >> On 24.04.2012 12:09, Andrew Bartlett wrote:
>> >> > On Mon, 2012-04-23 at 16:42 +0400, Sergey Urushkin wrote:
>> >> >> Hi.
>> >> >>
>> >> >>>> 2. All user accounts migrated with their saved passwords, but after
>> >> >>>> migration many (possibly all) users were not able to log in. Windows
>> >> >>>> showed a message about "not enough resources", and kinit didn't work
>> >> >>>> either, with this message:
>> >> >>>>  kinit: krb5_get_init_creds: No ENC-TS found
>> >> >>>> Changing the password didn't help; the only thing that helped was:
>> >> >>>>  samba-tool user setexpiry user (with any flag - --days, --noexpiry)
>> >> >>>> But that's not a serious issue because it can be solved by a short
>> >> >>>> shell script. In the test migration of the big domain this issue
>> >> >>>> also exists with a few random users and could be solved the same way.
>> >> >>> I think this may simply be an issue with the upgrade of the maxPwdAge
>> >> >>> policy from S3.  Can you try the attached patch?
>> >> >> Tried it (I see it's already in master). With the small domain tdbs
>> >> >> nothing changed. With the big domain at least one account is ok now,
>> >> >> but administrator is still affected.
>> >> >>
>> >> >> Here is administrator's openldap data before migration:
>> >> >>
>> >> >> dn: uid=Administrator,....
>> >> >> objectClass: top
>> >> >> objectClass: inetOrgPerson
>> >> >> objectClass: posixAccount
>> >> >> objectClass: shadowAccount
>> >> >> objectClass: sambaSamAccount
>> >> >> objectClass: krb5Principal
>> >> >> objectClass: krb5KDCEntry
>> >> >> cn: Administrator
>> >> >> sn: Administrator
>> >> >> uid: Administrator
>> >> >> gidNumber: 512
>> >> >> homeDirectory: /home/Administrator
>> >> >> loginShell: /bin/bash
>> >> >> description: Built-in account for administering the computer/domain
>> >> >> sambaSID: S-1-5-21-1234567890-1234567890-1234567890-500
>> >> >> sambaPrimaryGroupSID: S-1-5-21-1234567890-1234567890-1234567890-512
>> >> >> displayName:: 0JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YAg0YHQtdGC0Lg=
>> >> >> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
>> >> >> krb5PrincipalName: Administrator@TELROS.RU
>> >> >> krb5KDCFlags: 126
>> >> >> gecos: Administrator
>> >> >> sambaKickoffTime: 1999999999
>> >> >> sambaHomePath: \\fsrv\home
>> >> >> sambaPwdMustChange: 1325408428
>> >> >> sambaPwdLastSet: 1322816429
>> >> >> sambaLMPassword: xxxxxxx
>> >> >> sambaNTPassword: xxxxxxx
>> >> >> krb5KeyVersionNumber: 15
>> >> >> krb5Key:: xxx
>> >> >> krb5Key:: xxx
>> >> >> uidNumber: 500
>> >> >> sambaAcctFlags: [UX         ]
>> >> >> sambaBadPasswordCount: 0
>> >> >> sambaBadPasswordTime: 0
>> >> > For the administrator, because it is a default AD account, we do not
>> >> > import it, but instead we simply bring across the password (only). That
>> >> > means we will not bring across the 'password does not expire' flag, but
>> >> > the password should be valid for as long as the expiry.
>> >> Alright, but many users in the migrated small domain are not 'well
>> >> known' and do have this problem.
>> >> I can send you the small domain tdbs if it would help.
>> >> About the big domain. I used this script to check how many accounts
>> >> beginning with 'a' are bad in the just-migrated domain.
>> >>
>> >> # reset each account's password to a known value, then try to get a
>> >> # TGT with it; print the names of the accounts for which kinit fails
>> >> # (--password-file=STDIN is the Heimdal kinit syntax bundled with Samba 4)
>> >> for i in $(samba-tool user list | grep '^a'); do
>> >>     samba-tool user setpassword --newpassword=111111 "$i" > /dev/null
>> >>     echo 111111 | kinit --password-file=STDIN "$i" || echo "$i"
>> >> done
>> >>
>> >> According to it about half of them are affected. Here is the
>> >> openldap-samba data for one of them:
>> >> sambaLogonScript: netlogon.bat
>> >> sambaSID: S-1-5-21-530720856-2058831417-1202159320-1968
>> >> sambaPrimaryGroupSID: S-1-5-21-530720856-2058831417-1202159320-513
>> >> sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
>> >> sambaAcctFlags: [U          ]
>> >> sambaBadPasswordCount: 0
>> >> sambaBadPasswordTime: 0
>> >> sambaKickoffTime: 1999999999
>> >> sambaHomePath: \\fsrv\home
>> >> sambaPwdMustChange: 1335676980
>> >> sambaPwdLastSet: 1333084981
>> >> sambaLMPassword: ea70ccc05b2b2d890000000000000000
>> >> sambaNTPassword: d460c18f7a68e2b049468d1aea8e70e5
>> >
>> > What does a working account look like?
>> >
>> > I don't see anything particularly wrong offhand, but I'll keep
>> > looking
>> > into it.
>>
>> After looking more deeply I discovered that the only difference between
>> bad and good accounts is the noexpiry 'X' sambaAcctFlag.
>> All accounts that have this flag are good, the others are bad. That's why
>> administrator is bad (if it does expire by default after migration).
>> Also, to rule out the assumption that all bad accounts are really expired,
>> here is one's password age data:
>> sambaKickoffTime: 1999999999
>> sambaPwdLastSet: 1335526764
>> sambaPwdMustChange: 1338118763
>>
>> With the maximum password lifetime equal to a month (as it is) it should
>> not expire before May 27. The server's time is also right.
>> All this forced me to try:
>> # samba-tool user add testuser 111111    # or: net rpc user add testuser 111111
>> User 'testuser' created successfully
>> # echo 111111 | kinit --password-file=STDIN testuser
>> kinit: krb5_get_init_creds: No ENC-TS found
>>
>> So, it seems that's not a migration issue...
>> Also, I can see that 'net rpc ... -U administrator' does work while
>> administrator is a bad account (shares, kinit, logon don't work).
>
> What was the original account policy?
sambaLockoutDuration: 59
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 5
sambaMinPwdLength: 6
sambaPwdHistoryLength: 1
sambaLogonToChgPwd: 1
sambaMaxPwdAge: 2592000
sambaMinPwdAge: 0
sambaForceLogoff: 0

>
> Are you saying that it works for NTLM, but fails for kerberos?  If so,
> that would be very worthwhile to investigate.
I think not, because:
# smbclient -U administrator //s4dc/sysvol
Password for [DOMAIN\administrator]:
Connection to \\s4dc\sysvol failed - NT_STATUS_UNSUCCESSFUL

But 'net rpc add/del user username pass -U administrator' works fine.
As far as I know, both utilities use NTLM.

I've just tried to provision a new clean domain on the same server and
got no problems with kinit for new/well-known users. So, it is still a
samba3upgrade issue.
https://bugzilla.samba.org/show_bug.cgi?id=8891 may also be a symptom.

-- 
Best regards,
Sergey Urushkin
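The diagnosis in the thread is that the accounts failing kinit after samba3upgrade are exactly those without the 'X' (password does not expire) letter in sambaAcctFlags, while sambaPwdLastSet plus the posted 30-day sambaMaxPwdAge shows their passwords are not actually expired. The script below is an added example, not code from the thread or from the Samba project: it reads a Samba 3 ldapsam LDIF dump, decodes the flag letters, computes each password's expiry from that policy, cross-checks it against the stored sambaPwdMustChange, and lists the accounts expected to show the symptom together with the `samba-tool user setexpiry` workaround the thread reports. The embedded LDIF is constructed from the fragments posted above with hashes dropped and made-up uids and DNs for the non-admin entries (auser1, auser2, disabledsvc); the flag table and the UF_DONT_EXPIRE_PASSWD value are Samba/AD constants, and the 1-second tolerance reflects the rounding visible in the posted sambaPwdMustChange values.

```python
"""Classify Samba 3 ldapsam accounts by sambaAcctFlags and password age.
Added example for this thread, not Samba project code; the LDIF is built
from the fragments posted above (hashes dropped, non-admin uids made up)."""
import base64
import re
import time

SAMPLE_LDIF = """\
dn: uid=Administrator,ou=Users,dc=example,dc=com
uid: Administrator
displayName:: 0JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YAg0YHQtdGC0Lg=
sambaPwdLastSet: 1322816429
sambaAcctFlags: [UX         ]

dn: uid=auser1,ou=Users,dc=example,dc=com
uid: auser1
sambaPwdLastSet: 1333084981
sambaPwdMustChange: 1335676980
sambaAcctFlags: [U          ]

dn: uid=auser2,ou=Users,dc=example,dc=com
uid: auser2
sambaPwdLastSet: 1335526764
sambaPwdMustChange: 1338118763
sambaAcctFlags: [U          ]

dn: uid=disabledsvc,ou=Users,dc=example,dc=com
uid: disabledsvc
sambaPwdLastSet: 1300000000
sambaAcctFlags: [DU         ]
"""

# Flag letters of sambaAcctFlags as decoded by Samba's pdb_decode_acct_ctrl().
ACCT_FLAGS = {"N": "no password", "D": "disabled", "H": "homedir required",
              "T": "temp duplicate", "U": "normal user", "M": "MNS logon",
              "W": "workstation trust", "S": "server trust", "L": "locked out",
              "X": "password does not expire", "I": "interdomain trust"}
UF_DONT_EXPIRE_PASSWD = 0x10000  # AD userAccountControl bit that 'X' maps to
SAMBA_MAX_PWD_AGE = 2592000      # sambaMaxPwdAge from the thread: 30 days

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, leading-space
    continuation lines folded, 'attr:: value' decoded from base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:          # sentinel flushes the final entry
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
            continue
        m = re.match(r"([A-Za-z][\w-]*)(::?) ?(.*)", line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        cur.setdefault(attr, []).append(value)
    return entries

def classify(entry, now, max_pwd_age=SAMBA_MAX_PWD_AGE):
    """Decode the flags, compute password expiry from the Samba 3 policy and
    say whether the account matches the thread's failing pattern (no 'X')."""
    flags = set(entry["sambaAcctFlags"][0].strip().strip("[]").replace(" ", ""))
    no_expiry = "X" in flags
    expires_at = None if no_expiry else int(entry["sambaPwdLastSet"][0]) + max_pwd_age
    report = {"uid": entry["uid"][0],
              "flags": sorted(ACCT_FLAGS.get(f, "unknown %r" % f) for f in flags),
              "disabled": "D" in flags, "no_expiry": no_expiry,
              "uac_bits": UF_DONT_EXPIRE_PASSWD if no_expiry else 0,
              "expires_at": expires_at,
              "password_expired": expires_at is not None and now >= expires_at,
              # in the thread the kinit failure tracked the missing 'X', not real expiry
              "expect_no_enc_ts": not no_expiry}
    must = entry.get("sambaPwdMustChange")
    if must and expires_at is not None:  # ldapsam stores the same deadline (1 s rounding seen)
        report["must_change_consistent"] = abs(int(must[0]) - expires_at) <= 1
    return report

def affected_accounts(ldif_text, now, max_pwd_age=SAMBA_MAX_PWD_AGE):
    """uids expected to get 'No ENC-TS found' after samba3upgrade; disabled ones skipped."""
    reports = (classify(e, now, max_pwd_age) for e in parse_ldif(ldif_text)
               if "sambaAcctFlags" in e)
    return [r["uid"] for r in reports if r["expect_no_enc_ts"] and not r["disabled"]]

def workaround_commands(uids):
    """The thread's workaround. --noexpiry also makes the password non-expiring,
    a policy change relative to the Samba 3 data; weigh that before running it."""
    return ["samba-tool user setexpiry %s --noexpiry" % uid for uid in uids]

if __name__ == "__main__":
    now = int(time.time())
    for r in (classify(e, now) for e in parse_ldif(SAMPLE_LDIF)):
        print("%-12s symptom=%-5s %s" % (r["uid"], r["expect_no_enc_ts"], r["flags"]))
    print("\n".join(workaround_commands(affected_accounts(SAMPLE_LDIF, now))))
```

Against a real ldapsam directory, feed it the output of `ldapsearch -LLL` with an `(objectClass=sambaSamAccount)` filter; ldapsearch wraps long values onto leading-space continuation lines, which is why the parser folds them before splitting attributes. Run it before the migration to know which accounts to recheck with kinit afterwards, and compare the list with what `samba-tool user list` plus the thread's kinit loop reports.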

