[Samba] Migration, which password?

Kang Sun ksun at abinitio.com
Tue Jul 27 17:22:08 GMT 2004


Greetings!

    It was premature for me to send out a "success procedure for migration"
yesterday. I overlooked things and I apologize to this group.

    Anyway, after migration, computers, users, groups are all created and
filled up with the correct membership. However, I still have the same
problem with machine password and user password. Looking further into the
detail, it looks like samba/ldap does not use the LM/NT password for
authentication but expects userPassword, which I assume is the posix account
password and did not exist on the original NT4 server.

   Here is my account entry after the migration:
======================================================
dn: uid=ksun,ou=Users,dc=ab,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: ksun
sn: ksun
uid: ksun
uidNumber: 1870
gidNumber: 513
homeDirectory: /u/ksun
loginShell: /bin/tcsh
gecos: System User
description: System User
userPassword: {crypt}x
sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
sambaLogonTime: 1090859130
sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
sambaPwdLastSet: 1069686468
sambaAcctFlags: [NU         ]
=======================================================

   It looks like the migration does create the LM password and NT password.
However, I cannot log in to my account unless I change my password.
This is what my account looks like after "smbldap-passwd ksun" to the
original password:

---------------------------------------------------------------------------------
dn: uid=ksun,ou=Users,dc=ab,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: ksun
sn: ksun
uid: ksun
uidNumber: 1870
gidNumber: 513
homeDirectory: /u/ksun
loginShell: /bin/tcsh
gecos: System User
description: System User
sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
sambaLogonTime: 1090859130
sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
sambaAcctFlags: [U]
sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
sambaPwdLastSet: 1090946249
sambaPwdMustChange: 1094834249
userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q==
---------------------------------------------------------------------------------
    Look at the difference of these two outputs:

+++++++++++++++++++++++++++++++++++++++++++++++
12d11
< userPassword: {crypt}x
16a16
> sambaAcctFlags: [U]
18,19c18,20
< sambaPwdLastSet: 1069686468
< sambaAcctFlags: [NU         ]
---
> sambaPwdLastSet: 1090946249
> sambaPwdMustChange: 1094834249
> userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q==
+++++++++++++++++++++++++++++++++++++++++++++++
   Surprisingly, neither the NT nor the LM password changed. The difference is
the "userPassword", which I assume is the Posix account password, which does
not exist in the old NT PDC at all! Of course the migration won't have the
right password.

    I do have "ldap passwd sync = Yes" in my smb.conf file. My questions are:
    1. Why does samba/ldap authenticate using the posix password instead of
the LM/NT passwords?
    2. Does it synchronize the userPassword password to the NT/LM password or
the other way around?
    3. When does the synchronization happen or get triggered?
    4. Is there a way to manually "copy" the LM/NT password to the userPassword
field?

    The other difference is the change of the sambaAcctFlag: [U    ] instead
of [NU  ]. I wonder if that changes anything.

    Thanks!

-- Kang
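
Added example (not part of the original post, and not Samba or smbldap-tools code): an attribute-level comparison of the two entries above that ignores attribute order, decodes sambaAcctFlags and classifies the userPassword scheme. The LDIF is trimmed to the relevant attributes from the post; the function names are hypothetical and the flag table is a subset.

```python
import base64

# Subset of the account-control letters Samba stores in sambaAcctFlags.
ACCT_FLAGS = {"N": "password not required", "D": "disabled", "U": "normal user",
              "W": "workstation trust", "X": "password never expires"}
# Trimmed copies of the two entries in the post (before / after smbldap-passwd).
BEFORE = """\
userPassword: {crypt}x
sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
sambaPwdLastSet: 1069686468
sambaAcctFlags: [NU         ]
"""
AFTER = """\
sambaAcctFlags: [U]
sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
sambaPwdLastSet: 1090946249
sambaPwdMustChange: 1094834249
userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q==
"""

def parse_entry(ldif):
    """Parse one simple LDIF entry (no line folding, no base64 '::' values)."""
    attrs = {}
    for line in ldif.strip().splitlines():
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def decode_flags(value):
    """Turn '[NU         ]' into a list of flag descriptions."""
    return [ACCT_FLAGS.get(c, "unknown flag " + c) for c in value.strip("[] ")]

def describe_password(value):
    """Classify a userPassword value by its {SCHEME} prefix."""
    scheme, _, rest = value.partition("}")
    scheme = scheme.lstrip("{").upper()
    if scheme == "CRYPT" and len(rest) < 13:  # shorter than any crypt(3) hash
        return "CRYPT placeholder, not a usable hash"
    if scheme == "MD5":  # base64 of a raw, unsalted MD5 digest
        return "unsalted MD5 digest " + base64.b64decode(rest).hex()
    return scheme + " hash"

def changed_attributes(before, after):
    """Order-insensitive comparison: {attr: (old_values, new_values)}."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}

if __name__ == "__main__":
    for attr, (old, new) in changed_attributes(parse_entry(BEFORE), parse_entry(AFTER)).items():
        print(attr, old, "->", new)
```

Unlike the line-based diff in the post, this reports sambaAcctFlags once, as a value change rather than a moved line.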







