samba3upgrade migration results, issues, questions

Andrew Bartlett abartlet at samba.org
Mon May 7 03:23:26 MDT 2012 

On Mon, 2012-05-07 at 13:12 +0400, Sergey Urushkin wrote:
> 
> Andrew Bartlett писал 07.05.2012 02:30:
> > On Fri, 2012-05-04 at 15:46 +0400, Sergey Urushkin wrote:
> >
> >>
> >> Backing to the small domain... seems it's not the same bug.
> >> There I have max-pwd-age=0, but the problem still exists. Using
> >> ldbsearch I found that all accounts "accountExpires" attribute is 
> >> set to
> >> "116444735990000000" (23:59:59 - 01.01.1970).
> >> Setting it to a lager value e.g. "136444735990000000" (2033y) fixes
> >> account. So, I tried to view s3.0 tdb account via s3.6 pdbedit tool:
> >>
> >> Unix username:        pc106
> >> NT username:
> >> Account Flags:        [U          ]
> >> User SID:             S-1-5-21-2558268738-2209604249-3907695097-3026
> >> Primary Group SID:    (NULL SID)
> >> Full Name:            Samba_User &
> >> Home Directory:       \\fw\pc106
> >> HomeDir Drive:
> >> Logon Script:
> >> Profile Path:
> >> Domain:               DOMAIN
> >> Account desc:
> >> Workstations:
> >> Munged dial:
> >> Logon time:           0
> >> Logoff time:          9223372036854775807 seconds since the Epoch
> >> Kickoff time:         9223372036854775807 seconds since the Epoch
> >> Password last set:    Fri, 15 Apr 2011 10:17:59 MSK
> >> Password can change:  Fri, 15 Apr 2011 10:17:59 MSK
> >> Password must change: never
> >> Last bad password   : 0
> >> Bad password count  : 0
> >> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> >>
> >> As you can see Logoff/Kickoff values are very strange and 'primary 
> >> group
> >> sid' is null. That's about all users.
> >> It is an old-old "magic" samba 3.0.x db provisioned by another 
> >> person a
> >> long time ago on FreeBSD 4.4 :)
> >
> > Please let me know if this fixes it.
> >
> The problem still exists.
> 
> s4's pdbedit gives me another data, but it seems to use s4 db not s3, 
> so it wouldn't help. May be some another data may help here?
> 
> Also, I have to say that I gave you a wrong suggestion in my previous 
> message that this is the same bug.
> The small domain problem is that all accounts are imported expired 
> (accountexpires attr) and the fact they are not asked to change their 
> passwords is normal, because accounts has already expired.

So, what I need to work out is what the value (at a time_t, integer
value since 1970) this is triggering with, so I can fix it.  

Thinking about this again, I think this patch is what is required.
Please let me know.

> The big domain problem I've mentioned in my previous message is that if 
> account's password expires (pwdlastset attr), it is not asked to change 
> account's password via kinit and this is _not_ normal, because password 
> has expired only, not account.

I still need to investigate this.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-lib-util-Map-0x7fffffffffffffffLL-as-0x7ffffffffffff.patch
Type: text/x-patch
Size: 797 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120507/b32e87a7/attachment.bin>

More information about the samba-technical mailing list