[Samba] Migration, which password?

Umberto Zanatta uzanatta at provincia.treviso.it
Tue Jul 27 17:43:31 GMT 2004


On Tue, 2004-07-27 at 19:22, Kang Sun wrote:

> Greetings!
> 
>     It was premature for me to send out a "success procedure for migration"
> yesterday. I overlooked things and I apologize to this group.
> 
>     Anyway, after migration, computers, users, groups are all created and
> filled up with the correct membership. However, I still have the same
> problem with machine password and user password. Further looking into the
> detail, it looks like samba/ldap does not use LM/NT password for
> authentication but expects userPassword, which I assume is the posix account
> password and did not exist on the original NT4 server.


No, it doesn't.

Your account was disabled by [NU]; when you modified it with smbldap,
your account flags changed to [U].

The LDAP backend doesn't require a unix account, but smbldap-tools does samba
and posix accounts together.

The NT password is managed in a different way; you can't do unixpass->ntpass
and vice versa.

You should do:

# smbpasswd -e userid

and userid will be enabled.

# smbpasswd -d userid

and userid will be disabled.

regards.


> 
>    Here is my account entry after the migration:
> ======================================================
> dn: uid=ksun,ou=Users,dc=ab,dc=com
> objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
> cn: ksun
> sn: ksun
> uid: ksun
> uidNumber: 1870
> gidNumber: 513
> homeDirectory: /u/ksun
> loginShell: /bin/tcsh
> gecos: System User
> description: System User
> userPassword: {crypt}x
> sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
> sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
> sambaLogonTime: 1090859130
> sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
> sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
> sambaPwdLastSet: 1069686468
> sambaAcctFlags: [NU         ]
> =======================================================
> 
>    It looks like the migration does create LM password and NT password.
> However, I cannot log in to my account unless I change my password.
> This is how my account looks after "smbldap-passwd ksun" to the
> original password:
> 
> ---------------------------------------------------------------------------------
> dn: uid=ksun,ou=Users,dc=ab,dc=com
> objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
> cn: ksun
> sn: ksun
> uid: ksun
> uidNumber: 1870
> gidNumber: 513
> homeDirectory: /u/ksun
> loginShell: /bin/tcsh
> gecos: System User
> description: System User
> sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
> sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
> sambaLogonTime: 1090859130
> sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
> sambaAcctFlags: [U]
> sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
> sambaPwdLastSet: 1090946249
> sambaPwdMustChange: 1094834249
> userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q==
> ----------------------------------------------------------------------------------
>     Look at the difference of these two outputs:
> 
> +++++++++++++++++++++++++++++++++++++++++++++++
> 12d11
> < userPassword: {crypt}x
> 16a16
> > sambaAcctFlags: [U]
> 18,19c18,20
> < sambaPwdLastSet: 1069686468
> < sambaAcctFlags: [NU         ]
> ---
> > sambaPwdLastSet: 1090946249
> > sambaPwdMustChange: 1094834249
> > userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q==
> +++++++++++++++++++++++++++++++++++++++++++++++
>    Surprisingly, neither the NT nor the LM passwords changed. The difference is
> the "userPassword", which I assume is the Posix account password, which does
> not exist in the old NT PDC at all! Of course the migration won't have the
> right password.
> 
>     I do have "ldap passwd sync = Yes" in my smb.conf file, questions are:
>     1. Why does samba/ldap authenticate using the posix password instead of LM/NT
> passwords?
>     2. Does it synchronize the userPassword password to the NT/LM password or
> the other way around?
>     3. When does the synchronization happen or get triggered?
>     4. Is there a way of manually "copying" the LM/NT password to the userPassword
> field?
> 
>     The other difference is the change of the sambaAcctFlag: [U    ] instead
> of [NU  ]. I wonder if that changes anything.
> 
>     Thanks!
> 
> -- Kang
> 
> 
> 

_______________________
Umberto Zanatta
linuxDidattica

tel: +39 (335) 54 71 385
email: umberto.z at tin.it
web: http://linuxdidattica.org
_______________________
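
For checking entries like the two quoted above after a migration, here is an added example (not part of either poster's message) that decodes `sambaAcctFlags`, flags placeholder `userPassword` values, and lists which attributes differ between two entries. The flag meanings follow Samba's pdbedit documentation; the function names, the sample entries and the `{MD5}` placeholder value are constructed for this example.

```python
# Added example; flag letters follow Samba's pdbedit documentation.
FLAG_MEANINGS = {
    "N": "no password required", "D": "account disabled",
    "H": "home directory required", "T": "temporary duplicate account",
    "U": "regular user account", "M": "MNS logon account",
    "W": "workstation trust account", "S": "server trust account",
    "L": "automatically locked", "X": "password does not expire",
    "I": "domain trust account",
}

def parse_entry(ldif):
    """Parse one 'attr: value' entry into a dict (plain single-valued attributes only)."""
    entry = {}
    for line in ldif.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            entry[name.strip()] = value.strip()
    return entry

def decode_flags(raw):
    """Turn '[NU         ]' into ['N', 'U'], rejecting unknown letters."""
    letters = raw.strip().strip("[]").replace(" ", "")
    unknown = [c for c in letters if c not in FLAG_MEANINGS]
    if unknown:
        raise ValueError(f"unknown account flag(s): {unknown}")
    return list(letters)

def audit(entry):
    """Return findings worth a second look after a migration."""
    findings = []
    for flag in decode_flags(entry.get("sambaAcctFlags", "[]")):
        if flag in "ND":
            findings.append(f"{flag} flag set: {FLAG_MEANINGS[flag]}")
    # Assumption: a {crypt} value of x, * or ! is a placeholder, not a hash.
    pw = entry.get("userPassword", "")
    if pw.lower().startswith("{crypt}") and pw[7:] in ("x", "*", "!"):
        findings.append("userPassword is a placeholder, not a usable hash")
    return findings

def changed(before, after):
    """Attributes added, removed or modified between two entries."""
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))

# Constructed sample entries using the attribute names from the thread; no real hashes.
BEFORE = parse_entry("uid: ksun\nuserPassword: {crypt}x\n"
                     "sambaPwdLastSet: 1069686468\nsambaAcctFlags: [NU         ]")
AFTER = parse_entry("uid: ksun\nuserPassword: {MD5}PLACEHOLDER\n"
                    "sambaPwdLastSet: 1090946249\nsambaPwdMustChange: 1094834249\n"
                    "sambaAcctFlags: [U]")
print(audit(BEFORE), audit(AFTER), changed(BEFORE, AFTER))
```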

