[Samba] Samba/LDAP/PDC Questions

Eric J Bennett eric.bennett at itouch.com.au
Tue Jul 27 00:41:37 GMT 2004



Attempting vampire here when everything else works results in user
accounts being created in the LDAP directory (and, with a slightly ugly
hackish modification to the idealx smbldap-useradd script, posix
accounts being created), NTLM password hashes being set in the LDAP
tree, and computer accounts being created, *but* here is the catch: the
NTLM password hashes for computer accounts are not created.

So if we think of it as a four-step process:

1. Create user accounts *OK*
2. Set user account password hashes *OK*
3. Create Machine accounts *OK*
4. Set Machine account password hashes *FAIL*

Of course I'm not bothering to mention the other stuff that it does
because it's all a bit of black magic to me, but you get the general idea:
it creates user groups as well, associates the appropriate accounts
with the appropriate groups, and handles the Unix UID / GID mapping to
the NT equivalent security information.

I'm trying to get more information on the entire process to provide
debug logs to the Samba team et al., but I've just been flat out on other
stuff in the meantime which unfortunately has a higher priority than
this at the moment. I'll endeavour to get the diagnostic info ASAP;
if someone else wanted to do it before me though, I assume the
interesting stuff would be:

smbd -d 10 -i > smbd.log 2>&1

tcpdump packet capture of traffic between NT PDC and Linux vampire process

strace -f net rpc vampire -S pdc -U administrator%password > vampire.log 2>&1

And try to make sure you're not broadcasting your password hashes in
potentially public bug logs. ^^

What I can tell you from looking at the process so far is that the NT
PDC is *definitely* providing machine account password hashes; it just
appears that whatever Samba should be doing with them, it is not.

Best of luck

Regards

Eric J Bennett



Paul Gienger wrote:
| I'm not at all experienced with the vampire command, but I believe it is
| supposed to bring passwords over.  Perhaps someone can interject here
| who does know what they're talking about???
|
| (note: bringing back on list from an accidental, i suspect, pm)
|
| Kang Sun wrote:
|
|>
|> Hello Paul,
|>
|>         I have questions on migration. Some other people like Eric
|> Bennett and Mike Brodbelt posted similar questions. But I cannot
|> find a definite answer to this question: would vampiring using
|> samba/ldap/smbldap-tools actually migrate passwords at all?
|>
|>         If the "add user/machine script" from smb.conf is the only
|> tool the vampiring process is calling, it certainly won't create passwords.
|> Below is the conversation between me and Mike. I hope you can help us.
|>
|> -- Kang
|>
|> Kang Sun wrote:
|> > Hello Mike,
|> >
|> > I did similar things and have similar problems.
|> > I looked at the ldap database, the migration did nothing but get all
|> > the names of users and machines.
|> > If the smbldap-* scripts are the only things the vampire process is
|> > calling, I don't see how it would get anything else.
|>
|> Agreed, although when migrating with a tdbsam backend, the vampire
|> process will populate the tdbsam with NT passwords and suchlike, but
|> also runs the useradd scripts to add the posix users, so I thought that
|> there may be some other data that Samba puts into LDAP directly, not via
|> invoking the scripts.
|>
|> The documentation from John Terpstra's book (available online at
|> http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
|> suggests that the process should work with an LDAP backend, but I'm
|> currently at a loss to see how, and I'm unable to replicate this, even
|> on a test network, with various versions of the Idealx smbldap-tools. It
|> doesn't appear to work as advertised at the moment.
|>
|> > After vampiring,
|> >
|> > 1. All the computer accounts and user accounts (posixAccount as
|> > well) are created just like being created by smbldap-useradd, with
|> > the default parameters as defined in smbldap.conf or
|> > smbldap_config.pm, eg, profiles, logon scripts, etc, user name, etc.
|>
|> Yes, this seems to work when run from the command line. Vampiring seems
|> to throw up some errors that I've not tracked down yet though.
|>
|> > 2. Users lost their domain membership. Every user account now
|> > belongs to the "Domain Users" group. No one is in the "Domain Admins"
|> > group except Administrator.
|> >
|> > The migration process must have done more than just calling these
|> > smbldap-tools scripts, but I just don't see the effect.
|> >
|> > What do you see if you do
|> > smbldap-usershow <userid> or <machinename>$  ?
|>
|> # smbldap-usershow detritus
|> dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
|> objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
|> cn: rwind
|> sn: rwind
|> uid: rwind
|> uidNumber: 1006
|> gidNumber: 513
|> homeDirectory: /home/rwind
|> loginShell: /bin/bash
|> gecos: System User
|> description: System User
|> userPassword: {crypt}x
|> sambaPwdLastSet: 0
|> sambaLogonTime: 0
|> sambaLogoffTime: 2147483647
|> sambaKickoffTime: 2147483647
|> sambaPwdCanChange: 0
|> sambaPwdMustChange: 2147483647
|> displayName: System User
|> sambaAcctFlags: [UX]
|> sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
|> sambaLMPassword: XXX
|> sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
|> sambaProfilePath: \\TALITHA\profiles\rwind
|> sambaHomePath: \\TALITHA\home\rwind
|> sambaHomeDrive: M:
|> sambaNTPassword: XXX
|>
|> # smbldap-usershow "quirm$"
|> dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
|> objectClass: top,inetOrgPerson,posixAccount
|> cn: quirm$
|> sn: quirm$
|> uid: quirm$
|> uidNumber: 1013
|> gidNumber: 515
|> homeDirectory: /dev/null
|> loginShell: /bin/false
|> description: Computer
|>
|> > or smbldap-groupshow <groupid>  ?
|>
|> # smbldap-groupshow "Domain Admins"
|> dn: cn=Domain Admins,ou=Groups,dc=acu,dc=ac,dc=uk
|> objectClass: posixGroup,sambaGroupMapping
|> gidNumber: 512
|> cn: Domain Admins
|> memberUid: Administrator
|> description: Netbios Domain Administrators
|> sambaSID: S-1-5-21-2704678572-2069052080-1039482078-512
|> sambaGroupType: 2
|> displayName: Domain Admins
|>
|>
|> So all that seems to have worked. It's just that some of the information
|> hasn't migrated across, and in the context of a transparent migration
|> off the NT4 server, the information that hasn't propagated is a
|> showstopper. Despite reading all the docs I can lay hands on, I still
|> can't see why, and the vampire process is not transparent to me - the
|> docs just assume it'll work completely or not at all - there's nothing
|> to tell one how to try and troubleshoot it if it half works, which is
|> what's happening for me.
|>
|> Mike.
|>
|> "Eric J Bennett" <eric.bennett at itouch.com.au> wrote in message
|> news:<40FB1140.6020103 at itouch.com.au>...
|> > Hi all,
|> >
|> > I'm really lost here, I do net rpc vampire and it works perfectly for
|> > user accounts (sets NTLM pass etc) and creates machine accounts, but
|> > fails to allocate their password hashes, I think it's calling the
|> > smbldap-useradd utility to add accounts for machines, but I don't see
|> > why this would make the hashes transfer for users but not machines?
|> >
|> > Any help much appreciated.
|> >
|> > Regards
|> > Eric Bennett
|> >
|> >

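Two practical checks follow from this thread: finding which vampired entries ended up without the sambaSAMAccount objectClass or a sambaNTPassword (the "step 4 fails" symptom for machine accounts), and scrubbing password hashes and the `-U user%password` argument out of LDIF and strace output before it goes into a public bug report. The script below is an added example and is not code from the thread, Samba or the smbldap-tools; it reads LDIF in the shape smbldap-usershow prints, the sample entries and hash values are constructed for this example, and the treatment of a trailing `$` in the uid as "machine account" is an assumption based on the entries shown above.

```python
"""Added example (not from the thread): audit vampired LDIF entries for
missing Samba password data and redact secrets before sharing logs."""

import re

# Constructed sample mirroring the shapes shown in the thread: a user entry
# with hashes set and a machine entry created without sambaSAMAccount.
# The hash values are made-up placeholders, not real hashes.
SAMPLE_LDIF = """\
dn: uid=rwind,ou=People,dc=example,dc=org
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
uid: rwind
sambaSID: S-1-5-21-1111-2222-3333-1006
sambaLMPassword: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sambaNTPassword: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

dn: uid=quirm$,ou=Computers,dc=example,dc=org
objectClass: top,inetOrgPerson,posixAccount
uid: quirm$
"""

# Attributes whose values must never appear in a bug report.
HASH_ATTRS = ("sambaLMPassword", "sambaNTPassword", "userPassword")


def parse_ldif(text):
    """Return one {attr: [values]} dict per blank-line-separated entry.
    Handles RFC 2849 continuation lines (leading space); base64 (::)
    values are left as-is, which is enough for a presence check."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # folded continuation
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def object_classes(entry):
    # smbldap-usershow prints objectClass as one comma-joined line, while
    # real LDIF uses one line per class; accept both forms.
    classes = set()
    for value in entry.get("objectClass", []):
        classes.update(c.strip() for c in value.split(","))
    return classes


def is_machine_account(entry):
    # Assumption: NT machine accounts carry a trailing '$' in the uid.
    return any(u.endswith("$") for u in entry.get("uid", []))


def find_incomplete_accounts(entries):
    """Return (uid, reason) for entries smbd cannot authenticate: no
    sambaSAMAccount objectClass, or that class but no sambaNTPassword."""
    problems = []
    for entry in entries:
        uid = entry.get("uid", ["?"])[0]
        kind = "machine" if is_machine_account(entry) else "user"
        if "sambaSAMAccount" not in object_classes(entry):
            problems.append((uid, f"{kind} account lacks sambaSAMAccount objectClass"))
        elif not entry.get("sambaNTPassword"):
            problems.append((uid, f"{kind} account has no sambaNTPassword"))
    return problems


def redact_secrets(text):
    """Mask hash/password attribute values in LDIF and the password part
    of any '-U user%password' argument captured in strace/shell logs."""
    out = text
    for attr in HASH_ATTRS:
        out = re.sub(rf"^({attr}:[ \t]*)\S.*$", r"\1XXX", out, flags=re.M | re.I)
    out = re.sub(r"(-U\s+\S+?)%\S+", r"\1%XXX", out)
    return out


if __name__ == "__main__":
    for uid, reason in find_incomplete_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{uid}: {reason}")
    print(redact_secrets(SAMPLE_LDIF))
```

Run it against the real output of `smbldap-usershow` for each uid (or an `ldapsearch` LDIF dump of ou=People and ou=Computers) to get a list of every account the migration left half-done, and pipe any LDIF or strace log through `redact_secrets` before attaching it to a report.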
