samba3upgrade migration results, issues, questions
Andrew Bartlett
abartlet at samba.org
Mon May 7 04:48:50 MDT 2012
On Mon, 2012-05-07 at 19:23 +1000, Andrew Bartlett wrote:
> On Mon, 2012-05-07 at 13:12 +0400, Sergey Urushkin wrote:
> >
> > Andrew Bartlett wrote on 07.05.2012 02:30:
> > > On Fri, 2012-05-04 at 15:46 +0400, Sergey Urushkin wrote:
> > >
> > >>
> > >> Back to the small domain... seems it's not the same bug.
> > >> There I have max-pwd-age=0, but the problem still exists. Using
> > >> ldbsearch I found that all accounts' "accountExpires" attribute is
> > >> set to
> > >> "116444735990000000" (23:59:59 - 01.01.1970).
> > >> Setting it to a larger value e.g. "136444735990000000" (2033y) fixes
> > >> account. So, I tried to view s3.0 tdb account via s3.6 pdbedit tool:
> > >>
> > >> Unix username: pc106
> > >> NT username:
> > >> Account Flags: [U ]
> > >> User SID: S-1-5-21-2558268738-2209604249-3907695097-3026
> > >> Primary Group SID: (NULL SID)
> > >> Full Name: Samba_User &
> > >> Home Directory: \\fw\pc106
> > >> HomeDir Drive:
> > >> Logon Script:
> > >> Profile Path:
> > >> Domain: DOMAIN
> > >> Account desc:
> > >> Workstations:
> > >> Munged dial:
> > >> Logon time: 0
> > >> Logoff time: 9223372036854775807 seconds since the Epoch
> > >> Kickoff time: 9223372036854775807 seconds since the Epoch
> > >> Password last set: Fri, 15 Apr 2011 10:17:59 MSK
> > >> Password can change: Fri, 15 Apr 2011 10:17:59 MSK
> > >> Password must change: never
> > >> Last bad password : 0
> > >> Bad password count : 0
> > >> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > >>
> > >> As you can see Logoff/Kickoff values are very strange and 'primary
> > >> group
> > >> sid' is null. That's about all users.
> > >> It is an old-old "magic" samba 3.0.x db provisioned by another
> > >> person a
> > >> long time ago on FreeBSD 4.4 :)
> > >
> > > Please let me know if this fixes it.
> > >
> > The problem still exists.
> >
> > s4's pdbedit gives me another data, but it seems to use s4 db not s3,
> > so it wouldn't help. Maybe some other data may help here?
> >
> > Also, I have to say that I gave you a wrong suggestion in my previous
> > message that this is the same bug.
> > The small domain problem is that all accounts are imported expired
> > (accountexpires attr) and the fact they are not asked to change their
> > passwords is normal, because accounts have already expired.
>
> So, what I need to work out is what the value (as a time_t, integer
> value since 1970) this is triggering with, so I can fix it.
>
> Thinking about this again, I think this patch is what is required.
> Please let me know.
(corrected patch attached)
> > The big domain problem I've mentioned in my previous message is that if
> > account's password expires (pwdlastset attr), it is not asked to change
> > account's password via kinit and this is _not_ normal, because password
> > has expired only, not account.
>
> I still need to investigate this.
>
> Andrew Bartlett
>
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-lib-util-Map-0x7fffffffffffffffLL-as-0x7ffffffffffff.patch
Type: text/x-patch
Size: 801 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120507/6556f452/attachment.bin>
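The arithmetic behind the value reported in the thread, as an added example in C (not code from this thread, the attached patch, or Samba): plain 64-bit wraparound turns the pdbedit "Kickoff time" sentinel 9223372036854775807 into the accountExpires value 116444735990000000. The function names, the treatment of -1 as "never", and the audit heuristic are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define NT_EPOCH_OFFSET 11644473600LL  /* seconds from 1601-01-01 to 1970-01-01 */
#define NT_TICKS        10000000LL     /* NT time counts 100 ns intervals */
#define NT_NEVER        INT64_MAX      /* accountExpires value meaning "never" */
#define NT_UNIX_EPOCH   (NT_EPOCH_OFFSET * NT_TICKS)

/* Naive conversion: 64-bit wraparound, no handling of "never" sentinels. */
int64_t naive_unix_to_nt(int64_t t)
{
    return (int64_t)(((uint64_t)t + (uint64_t)NT_EPOCH_OFFSET) * (uint64_t)NT_TICKS);
}

/* Conversion that maps sentinels and out-of-range inputs explicitly. */
int64_t checked_unix_to_nt(int64_t t)
{
    if (t == INT64_MAX || t == -1)
        return NT_NEVER;               /* assumption: both mean "never" */
    if (t > INT64_MAX / NT_TICKS - NT_EPOCH_OFFSET)
        return NT_NEVER;               /* would overflow the NT range */
    if (t < -NT_EPOCH_OFFSET)
        return 0;                      /* before 1601; 0 also means "never" */
    return (t + NT_EPOCH_OFFSET) * NT_TICKS;
}

/* Audit heuristic for migrated accounts: a set expiry at or before
 * 1970-01-01 is almost certainly a mangled sentinel, not a real date. */
int expiry_looks_mangled(int64_t nt)
{
    return nt != 0 && nt != NT_NEVER && nt <= NT_UNIX_EPOCH;
}

int main(void)
{
    int64_t kickoff = INT64_MAX;       /* "Kickoff time" from the pdbedit output */
    int64_t bad = naive_unix_to_nt(kickoff);
    int64_t good = checked_unix_to_nt(kickoff);

    printf("naive:   %lld mangled=%d\n", (long long)bad, expiry_looks_mangled(bad));
    printf("checked: %lld mangled=%d\n", (long long)good, expiry_looks_mangled(good));
    return 0;
}
```

The same heuristic can be applied to accountExpires values pulled with ldbsearch after a migration to list accounts that were imported as already expired.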