[Samba] Re: Migration, which password?

Kang Sun ksun at abinitio.com
Tue Jul 27 20:28:54 GMT 2004


Whoa! I actually did the migration correctly, it is just a matter of enabling
login ON!!!

I enabled the Administrator login and my login, and I can actually log in
to the domain! Thank you very much!!! But I wonder why it is not turned on
during and/or after the vampiring process by default.

Furthermore, I manually copied the shadow password field and inserted it into
the userPassword field prefixed with {Crypt}, and I can also log in to the
Unix account!!!

The only obstacle left is that the vampiring process did not seem to set
Machine account password hashes correctly. It is a known problem but no
solution yet according to Eric Bennett. I wonder if there is a way to get
the Machine account password hashes directly from the NT PDC and just stick them into
the sambaNTpassword field, like what I did with the userPassword field.

-- Kang Sun

"Umberto Zanatta" <uzanatta at provincia.treviso.it> wrote in message
news:1090950211.4369.67.camel at debianppc...
> On Tue, 2004-07-27 at 19:22, Kang Sun wrote:
>
> > Greetings!
> >
> >     It was premature for me to send out a "success procedure for migration"
> > yesterday. I overlooked things and I apologize to this group.
> >
> >     Anyway, after migration, computers, users, groups are all created and
> > filled up with the correct membership. However, I still have the same
> > problem with machine password and user password. Looking further into the
> > detail, it looks like samba/ldap does not use LM/NT password for
> > authentication but expects userPassword, which I assume is posix account
> > password and did not exist on the original NT4 server.
>
>
> No, it doesn't.
>
> Your account was disabled by [NU]; when you modified it with smbldap,
> your account flags changed to [U].
>
> LDAP backend doesn't require unix account, but smbldap-tools does samba
> and posix account together.
>
> NT Password is managed in a different way; you can't do unixpass->ntpass
> and vice versa.
>
> You should do:
>
> # smbpasswd -e userid
>
> and userid will be enabled.
>
> # smbpasswd -d userid
>
> and userid will be disabled.
>
> regards.
>
>
> >
> >    Here is my account entry after the migration:
> > ======================================================
> > dn: uid=ksun,ou=Users,dc=ab,dc=com
> > objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
> > cn: ksun
> > sn: ksun
> > uid: ksun
> > uidNumber: 1870
> > gidNumber: 513
> > homeDirectory: /u/ksun
> > loginShell: /bin/tcsh
> > gecos: System User
> > description: System User
> > userPassword: {crypt}x
> > sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
> > sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
> > sambaLogonTime: 1090859130
> > sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
> > sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
> > sambaPwdLastSet: 1069686468
> > sambaAcctFlags: [NU         ]
> > =======================================================
> >
> >    It looks like the migration does create LM password and NT password.
> > However, I cannot log in to my account unless I change my password.
> > This is how my account looks after "smbldap-passwd ksun" to the
> > original password:
> >
> > -------------------------------------------------------------------------------
> > dn: uid=ksun,ou=Users,dc=ab,dc=com
> > objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
> > cn: ksun
> > sn: ksun
> > uid: ksun
> > uidNumber: 1870
> > gidNumber: 513
> > homeDirectory: /u/ksun
> > loginShell: /bin/tcsh
> > gecos: System User
> > description: System User
> > sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
> > sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
> > sambaLogonTime: 1090859130
> > sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
> > sambaAcctFlags: [U]
> > sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
> > sambaPwdLastSet: 1090946249
> > sambaPwdMustChange: 1094834249
> > userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q==
> > -------------------------------------------------------------------------------
> >     Look at the difference of these two outputs:
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++
> > 12d11
> > < userPassword: {crypt}x
> > 16a16
> > > sambaAcctFlags: [U]
> > 18,19c18,20
> > < sambaPwdLastSet: 1069686468
> > < sambaAcctFlags: [NU         ]
> > ---
> > > sambaPwdLastSet: 1090946249
> > > sambaPwdMustChange: 1094834249
> > > userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q==
> > +++++++++++++++++++++++++++++++++++++++++++++++
> >    Surprisingly, neither the NT nor the LM password changed. The difference is
> > the "userPassword", which I assume is the Posix account password, which does
> > not exist in the old NT PDC at all! Of course the migration won't have the
> > right password.
> >
> >     I do have "ldap passwd sync = Yes" in my smb.conf file. Questions are:
> >     1. Why does samba/ldap authenticate using posix password instead of LM/NT
> > passwords?
> >     2. Does it synchronize the userPassword password to the NT/LM password or
> > the other way around?
> >     3. When does the synchronization happen or get triggered?
> >     4. Is there a way of manually "copying" the LM/NT password to the userPassword
> > field?
> >
> >     The other difference is the change of the sambaAcctFlag: [U    ] instead
> > of [NU  ]. I wonder if that changes anything.
> >
> >     Thanks!
> >
> > -- Kang
> >
> >
> >
>
> _______________________
> Umberto Zanatta
> linuxDidattica
>
> tel: +39 (335) 54 71 385
> email: umberto.z at tin.it
> web: http://linuxdidattica.org
> _______________________
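
The account state compared in this thread (sambaAcctFlags, the `{crypt}x` placeholder in userPassword, and whether sambaNTPassword is populated, including on machine accounts) can be checked across a whole LDIF export after a migration. This is an added example, not code from the thread or from the Samba project; the sample entries, the example.com DNs and the function names are constructed for illustration, and the flag letters are read as Samba defines them (N = password not required, D = disabled).

```python
import base64
import re

# Constructed sample shaped like the entries in the thread; all hashes are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
userPassword: {crypt}x
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaAcctFlags: [NU         ]

dn: uid=bob,ou=Users,dc=example,dc=com
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaAcctFlags: [U]

dn: uid=ws01$,ou=Computers,dc=example,dc=com
sambaAcctFlags: [W          ]
"""

FLAG_NOTES = {"N": "password-not-required flag set", "D": "account disabled"}

def parse_ldif(text):
    """Split LDIF text into entries mapping lower-cased attribute names to values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.replace("\n ", "").splitlines():  # unfold continuation lines
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = (part.strip() for part in line.partition(":"))
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[name.lower()] = value
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Return {dn: [findings]} for entries that need attention after a migration."""
    report = {}
    for e in entries:
        flags = e.get("sambaacctflags", "").strip("[] ")
        findings = [note for letter, note in FLAG_NOTES.items() if letter in flags]
        pw = e.get("userpassword", "")
        if pw.lower().startswith("{crypt}") and pw[7:] in ("x", "*", "!", ""):
            findings.append("userPassword is a placeholder, not a usable Unix hash")
        if not re.fullmatch(r"[0-9A-Fa-f]{32}", e.get("sambantpassword", "")):
            findings.append("sambaNTPassword missing or not 32 hex digits")
        if findings:
            report[e["dn"]] = findings
    return report
```

Run `audit(parse_ldif(...))` over a full export of the Users and Computers subtrees; entries that come back clean do not appear in the report.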




