[Samba] vampire an NT4 PDC
Guillaume LACHENAL
glachenal at on-x.com
Thu Apr 10 09:14:43 GMT 2003
Hi!
We're trying to migrate our NT4 PDC to a Samba one.
Our environment:
NT4_PDC is in subnet A and also provides the WINS service
SAMBA_SRV is in subnet B and is running :
* samba-3.0alpha23
* openldap-2.1.16
* smbldap-tools-0.7 from IDEALX
samba is compiled with --with-ldap --with-ldapsam --with-syslog
openldap is first populated with:
# ldapadd -x -h localhost -D "ROOTDN" -W -f base.ldif
(following the SAMBA-LDAP-PDC Howto from IDEALX; in short, OU=Users,
OU=Groups, OU=Computers, and the default groups of an NT4 PDC)
smbldap-tools are working, except for creating a Workstation account, which
exits with:
> ldapadd: update failed: uid=TESTCOMPUTER1$,ou=Computers,dc=O
> ldap_add: Object class violation (65)
> additional info: no structural object class provided
> /usr/local/sbin/smbldap-useradd.pl: error while adding posix account
to machine TESTCOMPUTER1$
Here is the process we follow:
1. samba is first set up as a BDC for our domain
(security = user, domain logons = yes, domain master = no)
2. SAMBA_SRV joins OURDOMAIN
# net rpc join -U DOMAINADMIN -w OURDOMAIN
3. We test the vampire possibility with:
# net rpc samdump -U DOMAINADMIN
4. As our backend is LDAP, we have to store the LDAP admin password in
secrets.tdb
# smbpasswd -w SECRET
Note: as an improvement, I think it would be better to supply the
password after a prompt instead of as a command parameter. That would keep
it from being saved in syslog when issued via sudo.
5. and finally, the long-awaited:
# net rpc vampire
We observed that Users|Computers|Groups objects are not stored under the
Users|Computers|Groups OUs but directly under O, even with the "add user
script" correctly set up to the smbldap-tools one. And as
smbldap-adduser.pl -w failed, I don't think net rpc vampire uses the "add
user script".
As a first test, we moved a domain member workstation from subnet A to
subnet B and tried to log in with a domain user account.
It failed with (translated from French):
"The system can't open a session on this domain because the computer's
system account in its principal domain is missing or the password is
incorrect"
Inspecting the LDAP attributes of this computer object, we see
something strange: all computer accounts (seem to) have "ntPassword"
set, but not all have "lmPassword" (the one we used does not).
Any help/idea welcome!
Thanks in advance.
Regards,
-Guillaume-
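The post describes three things to look for in the vampired directory: a machine entry with no structural object class (the "Object class violation (65)" that smbldap-useradd.pl -w hit), entries landing directly under the base DN instead of under ou=Computers, and trust accounts that carry ntPassword but no lmPassword. The script below is an added example, not part of the original post and not code from Samba or smbldap-tools: it parses an LDIF export (folded lines and base64 values included) and audits every uid ending in "$" for those three problems. Assumptions: the attribute names the post mentions (lmPassword, ntPassword), the IDEALX layout with ou=Computers under the base DN, a base DN of dc=example,dc=com, the object class name sambaAccount, and a list of STRUCTURAL classes taken from OpenLDAP's core/cosine/nis schemas; the sample export is constructed.

```python
"""Audit machine (trust) accounts in an LDIF export for three problems:
no structural object class, entry not under ou=Computers, and a missing
lmPassword/ntPassword.

Added example, not from the original post or from Samba/smbldap-tools.
Assumptions: attribute names lmPassword/ntPassword, ou=Computers under
dc=example,dc=com, and the STRUCTURAL list below.
"""
import base64
import re

# Structural classes from OpenLDAP's core/cosine/nis schemas (assumed
# loaded). posixAccount and sambaAccount are AUXILIARY and 'top' is
# ABSTRACT, so an entry built only from those is rejected by ldap_add with
# "Object class violation (65): no structural object class provided".
STRUCTURAL = {"account", "person", "organizationalperson", "inetorgperson",
              "device", "organizationalunit", "organization", "posixgroup"}

# Hash attributes a trust account needs, named as in the post.
HASH_ATTRS = ("lmPassword", "ntPassword")


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] parsed from LDIF text.
    Folded lines (leading space) are joined, 'attr:: b64' values decoded,
    comment and 'version:' lines skipped."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#") or line.startswith("version:"):
                continue
            m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
            if not m:
                raise ValueError("malformed LDIF line: %r" % line)
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def audit_machine(dn, attrs, machine_ou):
    """Return the list of problems found on one machine-account entry."""
    problems = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if not classes & STRUCTURAL:
        problems.append("no structural object class (ldap_add fails with 65)")
    if not dn.lower().endswith("," + machine_ou.lower()):
        problems.append("not under " + machine_ou)
    for attr in HASH_ATTRS:
        if not attrs.get(attr.lower()):
            problems.append("missing " + attr)
    return problems


def audit_ldif(text, machine_ou="ou=Computers,dc=example,dc=com"):
    """Map each machine-account DN (uid ending in '$') to its problems."""
    report = {}
    for dn, attrs in parse_ldif(text):
        uid = attrs.get("uid", [""])[0]
        if uid.endswith("$"):  # NT trust accounts end in '$'
            report[dn] = audit_machine(dn, attrs, machine_ou)
    return report


# Constructed sample export (not real data); the hashes are the well-known
# empty-password LM/NT values, not secrets.
SAMPLE_LDIF = """\
# constructed sample
version: 1

dn: uid=TESTCOMPUTER1$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaAccount
uid: TESTCOMPUTER1$
ntPassword: 31D6CFE0D16AE931B73C59D7E0C089C0
lmPassword: AAD3B435B51404EEAAD3B435B51404EE

dn: uid=WS2$,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaAccount
uid: WS2$
ntPassword: 31D6CFE0D16AE931B73C59D7E0C089C0

dn: uid=WS3$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaAccount
uid: WS3$
description:: V29ya3N0YXRpb24gMyAoYmFzZTY0IHZhbHVlKQ==
ntPassword: 31D6CFE0D16AE931B73C59D7E0C089C0
lmPassword: AAD3B435B51404EEAAD3B435B51404EE

dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: alice
"""

if __name__ == "__main__":
    for dn, problems in audit_ldif(SAMPLE_LDIF).items():
        print(dn, "->", problems or ["ok"])
```

Run it against a real export (for example the output of ldapsearch -x -LLL on the base DN saved to a file) by calling audit_ldif on the file contents; only entries whose uid ends in "$" are reported, so user accounts such as alice are ignored.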