samba3upgrade migration results, issues, questions
Sergey Urushkin
urushkin at telros.ru
Mon May 7 06:17:55 MDT 2012
Andrew Bartlett wrote on 07.05.2012 14:48:
> On Mon, 2012-05-07 at 19:23 +1000, Andrew Bartlett wrote:
>> On Mon, 2012-05-07 at 13:12 +0400, Sergey Urushkin wrote:
>> >
>> > Andrew Bartlett wrote on 07.05.2012 02:30:
>> > > On Fri, 2012-05-04 at 15:46 +0400, Sergey Urushkin wrote:
>> > >
>> > >>
>> > >> Backing to the small domain... seems it's not the same bug.
>> > >> There I have max-pwd-age=0, but the problem still exists. Using
>> > >> ldbsearch I found that all accounts "accountExpires" attribute is
>> > >> set to "116444735990000000" (23:59:59 - 01.01.1970).
>> > >> Setting it to a larger value e.g. "136444735990000000" (2033y) fixes
>> > >> account. So, I tried to view s3.0 tdb account via s3.6 pdbedit tool:
>> > >>
>> > >> Unix username: pc106
>> > >> NT username:
>> > >> Account Flags: [U ]
>> > >> User SID: S-1-5-21-2558268738-2209604249-3907695097-3026
>> > >> Primary Group SID: (NULL SID)
>> > >> Full Name: Samba_User &
>> > >> Home Directory: \\fw\pc106
>> > >> HomeDir Drive:
>> > >> Logon Script:
>> > >> Profile Path:
>> > >> Domain: DOMAIN
>> > >> Account desc:
>> > >> Workstations:
>> > >> Munged dial:
>> > >> Logon time: 0
>> > >> Logoff time: 9223372036854775807 seconds since the Epoch
>> > >> Kickoff time: 9223372036854775807 seconds since the Epoch
>> > >> Password last set: Fri, 15 Apr 2011 10:17:59 MSK
>> > >> Password can change: Fri, 15 Apr 2011 10:17:59 MSK
>> > >> Password must change: never
>> > >> Last bad password : 0
>> > >> Bad password count : 0
>> > >> Logon hours :
>> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>> > >>
>> > >> As you can see Logoff/Kickoff values are very strange and 'primary
>> > >> group sid' is null. That's about all users.
>> > >> It is an old-old "magic" samba 3.0.x db provisioned by another
>> > >> person a long time ago on FreeBSD 4.4 :)
>> > >
>> > > Please let me know if this fixes it.
>> > >
>> > The problem still exists.
>> >
>> > s4's pdbedit gives me other data, but it seems to use s4 db not s3,
>> > so it wouldn't help. Maybe some other data may help here?
>> >
>> > Also, I have to say that I gave you a wrong suggestion in my previous
>> > message that this is the same bug.
>> > The small domain problem is that all accounts are imported expired
>> > (accountexpires attr) and the fact they are not asked to change their
>> > passwords is normal, because accounts have already expired.
>>
>> So, what I need to work out is what the value (as a time_t, integer
>> value since 1970) this is triggering with, so I can fix it.
>>
>> Thinking about this again, I think this patch is what is required.
>> Please let me know.
>
> (corrected patch attached)
Well, seems this issue is also fixed - kinit works fine after patching
and I can see that astronomic meaningless values in the accountexpires
attribute. Thank you.
>
>> > The big domain problem I've mentioned in my previous message is that if
>> > account's password expires (pwdlastset attr), it is not asked to change
>> > account's password via kinit and this is _not_ normal, because password
>> > has expired only, not account.
>>
>> I still need to investigate this.
Will hopefully wait for results, please let me know about it.
--
Best regards,
Sergey Urushkin
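
An added example, not part of the original message or of Samba's code: a post-migration check that decodes the accountExpires values discussed in this thread and flags accounts that were imported as already expired. The DNs and the ldbsearch-style sample are constructed; the first two numeric values come from the thread, and 0 and 9223372036854775807 are treated as "never expires", as Active Directory defines them.

```python
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_DELTA_TICKS = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01
NEVER = {0, 0x7FFFFFFFFFFFFFFF}        # both mean "never expires" in AD

def nt_to_time_t(nt):
    """NT time (100 ns ticks since 1601) -> seconds since the Unix epoch."""
    return (nt - UNIX_DELTA_TICKS) // 10_000_000

def classify(nt, now):
    """Return 'never', 'expired' or 'active' for one accountExpires value."""
    if nt in NEVER:
        return "never"
    try:
        when = NT_EPOCH + timedelta(microseconds=nt // 10)
    except OverflowError:
        return "active"  # beyond year 9999: effectively no expiry
    return "expired" if when <= now else "active"

def audit(ldif, now):
    """Map each dn in ldbsearch-style LDIF output to its expiry status."""
    results, dn = {}, None
    for line in ldif.splitlines():
        key, _, value = line.partition(": ")
        if key == "dn":
            dn = value
        elif key == "accountExpires" and dn is not None:
            results[dn] = classify(int(value), now)
    return results

# Constructed sample: DNs are invented; the first two values are from the thread.
SAMPLE = """\
dn: CN=pc106,CN=Users,DC=domain,DC=example
accountExpires: 116444735990000000

dn: CN=pc107,CN=Users,DC=domain,DC=example
accountExpires: 136444735990000000

dn: CN=pc108,CN=Users,DC=domain,DC=example
accountExpires: 9223372036854775807

dn: CN=pc109,CN=Users,DC=domain,DC=example
accountExpires: 9223372036854775806
"""

if __name__ == "__main__":
    now = datetime(2012, 5, 7, tzinfo=timezone.utc)
    for dn, status in audit(SAMPLE, now).items():
        print(f"{status:8} {dn}")
```

Under this conversion the value 116444735990000000 corresponds to a time_t of -1, one second before the Unix epoch.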