samba3upgrade migration results, issues, questions

Andrew Bartlett abartlet at samba.org
Mon May 7 04:48:50 MDT 2012


On Mon, 2012-05-07 at 19:23 +1000, Andrew Bartlett wrote:
> On Mon, 2012-05-07 at 13:12 +0400, Sergey Urushkin wrote:
> > 
> > Andrew Bartlett писал 07.05.2012 02:30:
> > > On Fri, 2012-05-04 at 15:46 +0400, Sergey Urushkin wrote:
> > >
> > >>
> > >> Backing to the small domain... seems it's not the same bug.
> > >> There I have max-pwd-age=0, but the problem still exists. Using
> > >> ldbsearch I found that all accounts "accountExpires" attribute is 
> > >> set to
> > >> "116444735990000000" (23:59:59 - 01.01.1970).
> > >> Setting it to a lager value e.g. "136444735990000000" (2033y) fixes
> > >> account. So, I tried to view s3.0 tdb account via s3.6 pdbedit tool:
> > >>
> > >> Unix username:        pc106
> > >> NT username:
> > >> Account Flags:        [U          ]
> > >> User SID:             S-1-5-21-2558268738-2209604249-3907695097-3026
> > >> Primary Group SID:    (NULL SID)
> > >> Full Name:            Samba_User &
> > >> Home Directory:       \\fw\pc106
> > >> HomeDir Drive:
> > >> Logon Script:
> > >> Profile Path:
> > >> Domain:               DOMAIN
> > >> Account desc:
> > >> Workstations:
> > >> Munged dial:
> > >> Logon time:           0
> > >> Logoff time:          9223372036854775807 seconds since the Epoch
> > >> Kickoff time:         9223372036854775807 seconds since the Epoch
> > >> Password last set:    Fri, 15 Apr 2011 10:17:59 MSK
> > >> Password can change:  Fri, 15 Apr 2011 10:17:59 MSK
> > >> Password must change: never
> > >> Last bad password   : 0
> > >> Bad password count  : 0
> > >> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > >>
> > >> As you can see Logoff/Kickoff values are very strange and 'primary 
> > >> group
> > >> sid' is null. That's about all users.
> > >> It is an old-old "magic" samba 3.0.x db provisioned by another 
> > >> person a
> > >> long time ago on FreeBSD 4.4 :)
> > >
> > > Please let me know if this fixes it.
> > >
> > The problem still exists.
> > 
> > s4's pdbedit gives me another data, but it seems to use s4 db not s3, 
> > so it wouldn't help. May be some another data may help here?
> > 
> > Also, I have to say that I gave you a wrong suggestion in my previous 
> > message that this is the same bug.
> > The small domain problem is that all accounts are imported expired 
> > (accountexpires attr) and the fact they are not asked to change their 
> > passwords is normal, because accounts has already expired.
> 
> So, what I need to work out is what the value (at a time_t, integer
> value since 1970) this is triggering with, so I can fix it.  
> 
> Thinking about this again, I think this patch is what is required.
> Please let me know.

(corrected patch attached)

> > The big domain problem I've mentioned in my previous message is that if 
> > account's password expires (pwdlastset attr), it is not asked to change 
> > account's password via kinit and this is _not_ normal, because password 
> > has expired only, not account.
> 
> I still need to investigate this.
> 
> Andrew Bartlett
> 

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-lib-util-Map-0x7fffffffffffffffLL-as-0x7ffffffffffff.patch
Type: text/x-patch
Size: 801 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120507/6556f452/attachment.bin>


More information about the samba-technical mailing list