[Samba] Samba/LDAP/PDC Questions

Paul Gienger pgienger at ae-solutions.com
Mon Jul 26 14:23:16 GMT 2004


I'm not at all experienced with the vampire command, but I believe it is 
supposed to bring passwords over.  Perhaps someone can interject here 
who does know what they're talking about???

(note: bringing back on list from an accidental, I suspect, pm)

Kang Sun wrote:

>
> Hello Paul,
>
>         I have questions on migration. Some other people like Eric 
> Bennett and Mike Brodbelt posted similar questions. But I cannot 
> find a definite answer to this question: would vampiring using 
> samba/ldap/smbldap-tools actually migrate passwords at all?
>
>         If the "add user/machine script" from smb.conf is the only 
> tool the vampiring process is calling, it certainly won't create passwords. 
> Below is the conversation between me and Mike. I hope you can help us.
>
> -- Kang
>
> Kang Sun wrote:
> > Hello Mike,
> >
> > I did similar things and have similar problems.
> > I looked at the ldap database, the migration did nothing but get all the
> > names of users and machines.
> > If the smbldap-* scripts are the only things the vampire process is calling, I
> > don't see how it would get anything else.
>
> Agreed, although when migrating with a tdbsam backend, the vampire
> process will populate the tdbsam with NT passwords and suchlike, but
> also runs the useradd scripts to add the posix users, so I thought that
> there may be some other data that Samba puts into LDAP directly, not via
> invoking the scripts.
>
> The documentation from John Terpstra's book (available online at
> http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
> suggests that the process should work with an LDAP backend, but I'm
> currently at a loss to see how, and I'm unable to replicate this, even
> on a test network, with various versions of the Idealx smbldap-tools. It
> doesn't appear to work as advertised at the moment.
>
> > After vampiring,
> >
> > 1. All the computer accounts and user accounts (posixAccount as well) are
> > created just like being created by smbldap-useradd, with the default
> > parameters as defined in the smbldap.conf or smbldap_config.pm, eg,
> > profiles, logon scripts, etc, user name, etc.
>
> Yes, this seems to work when run from the command line. Vampiring seems
> to throw up some errors that I've not tracked down yet though.
>
> > 2. Users lost their domain membership. All user accounts now belong
> > to the "Domain Users" group. No one is in the "Domain Admins" group except
> > Administrator.
> >
> > The migration process must have done more than just calling these
> > smbldap-tools scripts, but I just don't see the effect.
> >
> > What do you see if you do
> > smbldap-usershow <userid> or <machinename>$  ?
>
> # smbldap-usershow detritus
> dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
> objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
> cn: rwind
> sn: rwind
> uid: rwind
> uidNumber: 1006
> gidNumber: 513
> homeDirectory: /home/rwind
> loginShell: /bin/bash
> gecos: System User
> description: System User
> userPassword: {crypt}x
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> displayName: System User
> sambaAcctFlags: [UX]
> sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
> sambaLMPassword: XXX
> sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
> sambaProfilePath: \\TALITHA\profiles\rwind
> sambaHomePath: \\TALITHA\home\rwind
> sambaHomeDrive: M:
> sambaNTPassword: XXX
>
> # smbldap-usershow "quirm$"
> dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
> objectClass: top,inetOrgPerson,posixAccount
> cn: quirm$
> sn: quirm$
> uid: quirm$
> uidNumber: 1013
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
>
> > or smbldap-groupshow <groupid>  ?
>
> # smbldap-groupshow "Domain Admins"
> dn: cn=Domain Admins,ou=Groups,dc=acu,dc=ac,dc=uk
> objectClass: posixGroup,sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: Administrator
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-2704678572-2069052080-1039482078-512
> sambaGroupType: 2
> displayName: Domain Admins
>
>
> So all that seems to have worked. It's just that some of the information
> hasn't migrated across, and in the context of a transparent migration
> off the NT4 server, the information that hasn't propagated is a
> showstopper. Despite reading all the docs I can lay hands on, I still
> can't see why, and the vampire process is not transparent to me - the
> docs just assume it'll work completely or not at all - there's nothing
> to tell one how to try and troubleshoot it if it half works, which is
> what's happening for me.
>
> Mike.
>
> "Eric J Bennett" <eric.bennett at itouch.com.au> wrote in message 
> news:<40FB1140.6020103 at itouch.com.au>...
> > Hi all,
> >
> > I'm really lost here, I do net rpc vampire and it works perfectly for
> > user accounts (sets NTLM pass etc) and creates machine accounts, but
> > fails to allocate their password hashes, I think it's calling the
> > smbldap-useradd utility to add accounts for machines, but I don't see
> > why this would make the hashes transfer for users but not machines?
> >
> > Any help much appreciated.
> >
> > Regards
> > Eric Bennett
> >


-- 
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: pgienger at ae-solutions.com
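
Added example, not part of the original thread or of Samba/smbldap-tools: a small Python audit of `smbldap-usershow` output in the format quoted above, flagging entries that came across as POSIX-only (like the `quirm$` machine entry) or that carry no usable NT hash. The sample DNs and the hash value are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the usershow format quoted in this thread (hash is made up).
SAMPLE = """\
dn: uid=rwind,ou=People,dc=example,dc=org
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
uid: rwind
sambaPwdLastSet: 0
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=quirm$,ou=Computers,dc=example,dc=org
objectClass: top,inetOrgPerson,posixAccount
uid: quirm$
"""

# An NT hash is stored as 32 hexadecimal digits.
NT_HASH = re.compile(r"^[0-9A-Fa-f]{32}$")

def parse_entries(text):
    """Split usershow output into dicts; each 'dn:' line starts a new entry."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks and the '# smbldap-usershow ...' prompt lines
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            cur = {}
            entries.append(cur)
        if cur is not None:
            cur[key] = value
    return entries

def audit(entry):
    """Return findings for one entry; an empty list means nothing was flagged."""
    classes = {c.strip().lower() for c in entry.get("objectclass", "").split(",")}
    if "sambasamaccount" not in classes:
        return ["no sambaSamAccount objectClass (POSIX attributes only)"]
    findings = []
    if not NT_HASH.match(entry.get("sambantpassword", "")):
        findings.append("sambaNTPassword missing or not a 32-hex-digit hash")
    if entry.get("sambapwdlastset", "0") == "0":
        findings.append("sambaPwdLastSet is 0 (no recorded password set)")
    return findings

def audit_all(text):
    return {e.get("uid", e["dn"]): audit(e) for e in parse_entries(text)}
```

Feed it the concatenated output of `smbldap-usershow` for each migrated account and call `audit_all()`; accounts mapped to an empty list passed all three checks.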
