[Samba] Samba/LDAP/PDC Questions

Kang Sun ksun at ABINITIO.COM
Tue Jul 27 21:01:15 GMT 2004


Hello Eric,
    I just want to make sure we are on the same page.
    After vampiring, I got all the user accounts, computer accounts,
groups, and membership created correctly.
    For some reason, the login is disabled. Once I do "smbpasswd -e
<userid>", I am able to log in to that account with the right password. So
the NT password migrated OK.
    The smbPassword field only contains '{Crypt}x', but once I copied the
hashed password from the NIS map to that field prefixed with {Crypt}, I
can also log in to the Unix account.
   All together it means that I have ways to make sure the user
authentication will work fine with Windows and Unix login. But at what
point and in what way does the password synchronization work, and in what
direction?
   The only remaining obstacle is that the computer authentication fails.
The computer cannot log into the domain unless I rejoin it to the domain. I
think this is where you failed also.
  I wonder if there is any way to get all the computer account hashes in text
format from the original NT PDC and just write a script to stick the hash into
the corresponding smbNTPassword field, just like what I did with the
userPassword field. Any suggestions?
  Finally, I did get some kind of smbNTPassword during vampiring; does it
at least look right? Is there any way I can compare it to the original on
the NT Server? Here is what my machine account looks like:

  Thanks!

--- Kang Sun

dn: uid=KSUN$,ou=People,dc=ab,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: KSUN$
sn: KSUN$
uid: KSUN$
uidNumber: 1801
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
sambaSID: S-1-5-21-72881033-379349262-1855928443-4737
displayName: KSUN$
sambaLogonTime: 1090863161
sambaNTPassword: BCE2D22F8B6638F72008CA16CDEA1F4D
sambaPwdLastSet: 1089841247
sambaAcctFlags: [W          ]
gidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-515
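Kang asks for a way to pull the machine-account hashes off the NT PDC in text form and script them into sambaNTPassword, and for a way to tell whether the hash vampire did store "looks right". The script below is an added example for this thread, not code from Samba, smbldap-tools or any of the posters. It assumes two inputs, both constructed inline: a pwdump-style text dump of the PDC's SAM (one `account:rid:lmhash:nthash:::` line per account; producing that dump on the NT box is outside the script) and an LDIF export of the sambaSamAccount entries laid out like Kang's KSUN$ entry above (the base DN ou=People,dc=ab,dc=com is taken from it). It compares the two per machine account, checks that the RID in the dump matches the tail of sambaSID before trusting a name match, flags a hash that is absent, malformed or the hash of the empty password, and emits LDIF `modify` records only for accounts whose hash is safe to overwrite.

```python
"""Compare vampired machine-account hashes with a SAM dump of the NT PDC and
emit LDIF fixes for entries whose hash is missing or wrong.  Added example for
this thread, not code from Samba, smbldap-tools or any poster.  Inputs, both
constructed below: a pwdump-style dump ("account:rid:lmhash:nthash:::") and an
LDIF export of the sambaSamAccount entries laid out like the one Kang posted."""
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of the empty password
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"  # LM hash of the empty password

def parse_pwdump(text):
    """{account: {"rid", "lm", "nt"}} for every well-formed dump line."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0] or parts[0].startswith("#"):
            continue
        out[parts[0]] = {"rid": parts[1], "lm": parts[2].upper(), "nt": parts[3].upper()}
    return out

def parse_ldif(text):
    """{uid: {"sid", "nt"}} per LDIF entry (one attribute per line, no folding)."""
    entries, cur = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():                      # a blank line ends an entry
            if "uid" in cur:
                entries[cur["uid"]] = cur
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    return {u: {"sid": e.get("sambaSID", ""), "nt": e.get("sambaNTPassword", "").upper()}
            for u, e in entries.items()}

def check_nt_hash(value):
    """None if the hash is plausible, otherwise the reason it is not."""
    if not HEX32.match(value or ""):
        return "missing or not 32 hex digits"
    if value.upper() == EMPTY_NT:
        return "hash of the empty password"
    return None

def compare(dump, ldap):
    """For each machine account in the dump: 'ok', or why the LDAP copy is unusable."""
    result = {}
    for acct, d in dump.items():
        if not acct.endswith("$"):                # machine accounts only
            continue
        if acct not in ldap:
            result[acct] = "no LDAP entry"
            continue
        e = ldap[acct]
        if e["sid"].rsplit("-", 1)[-1] != d["rid"]:   # same name, different principal
            result[acct] = f"RID mismatch: dump {d['rid']} vs sambaSID {e['sid']}"
        elif e["nt"] != d["nt"]:
            result[acct] = check_nt_hash(e["nt"]) or "NT hash differs from PDC"
        else:
            result[acct] = "ok"
    return result

def fix_ldif(dump, ldap, pwd_last_set, base="ou=People,dc=ab,dc=com"):
    """LDIF modify records copying the PDC hash over a bad or missing one.
    Accounts with no LDAP entry or a RID mismatch are skipped: they need a human."""
    records = []
    for acct, status in compare(dump, ldap).items():
        if status in ("ok", "no LDAP entry") or status.startswith("RID"):
            continue
        d = dump[acct]
        rec = [f"dn: uid={acct},{base}", "changetype: modify",
               "replace: sambaNTPassword", f"sambaNTPassword: {d['nt']}", "-"]
        if d["lm"] != EMPTY_LM:                   # NT machine accounts normally carry no LM hash
            rec += ["replace: sambaLMPassword", f"sambaLMPassword: {d['lm']}", "-"]
        rec += ["replace: sambaPwdLastSet", f"sambaPwdLastSet: {pwd_last_set}", "-"]
        records.append("\n".join(rec))
    return "\n\n".join(records) + ("\n" if records else "")

# Constructed sample data: KSUN$ mirrors the entry Kang posted; LAB2$ is Eric's
# case, the PDC has a hash but vampire stored none (its hash here is made up).
SAMPLE_DUMP = """\
KSUN$:4737:AAD3B435B51404EEAAD3B435B51404EE:BCE2D22F8B6638F72008CA16CDEA1F4D:::
LAB2$:4738:AAD3B435B51404EEAAD3B435B51404EE:5E6C0A5C9C5B3B6BA1DFD1EFD94D33D6:::
"""
SAMPLE_LDIF = """\
dn: uid=KSUN$,ou=People,dc=ab,dc=com
uid: KSUN$
sambaSID: S-1-5-21-72881033-379349262-1855928443-4737
sambaNTPassword: BCE2D22F8B6638F72008CA16CDEA1F4D
sambaAcctFlags: [W          ]

dn: uid=LAB2$,ou=People,dc=ab,dc=com
uid: LAB2$
sambaSID: S-1-5-21-72881033-379349262-1855928443-4738
sambaAcctFlags: [W          ]
"""
if __name__ == "__main__":
    dump, ldap = parse_pwdump(SAMPLE_DUMP), parse_ldif(SAMPLE_LDIF)
    for acct, status in compare(dump, ldap).items():
        print(f"{acct:8} {status}")
    print(fix_ldif(dump, ldap, pwd_last_set=1090863161), end="")
```

The output LDIF is meant to be fed to ldapmodify with the directory's admin bind (for instance `ldapmodify -x -D "cn=Manager,dc=ab,dc=com" -W -f fix.ldif`; the bind DN is an assumption). Two caveats: an entry like Mike's quirm$ below, which was created without the sambaSamAccount objectClass, will reject sambaNTPassword until that objectClass is added first; and the SAM dump is exactly as sensitive as the PDC's SAM, so it belongs on the migration host only and gets shredded when the machine accounts are confirmed working.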


  
 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Attempting vampire here when everything else works results in user
accounts being created in the LDAP directory (and with a slight ugly
hackish modification to the idealx smbldap-useradd script, posix
accounts being created) and NTLM password hashes being set in the LDAP
tree, and computer accounts being created *but* here is the catch, the
NTLM password hashes for computer accounts are not created.

So if we think of it as a four step process;

1. Create user accounts *OK*
2. Set user account password hashes *OK*
3. Create Machine accounts *OK*
4. Set Machine account password hashes *FAIL*

Of course I'm not bothering to mention the other stuff that it does
cause it's all a bit of black magic to me, but you get the general idea,
it creates user groups as well and associates the appropriate accounts
with the appropriate groups and handles the Unix UID / GID mapping to
the NT equivalent security information.

I'm trying to get more information on the entire process to provide
debug logs to the samba team et al, but I've just been flat out on other
stuff in the meantime which unfortunately has a higher priority than
this at the moment, but I'll endeavour to get the diagnostic info asap,
if someone else wanted to do it before me though, I assume the
interesting stuff would be;

smbd -d 10 -i > smbd.log 2>&1

tcpdump packet capture of traffic between NT PDC and Linux vampire process

strace -f net rpc vampire -S pdc -U administrator%password > vampire.log 2>&1

And try to make sure you're not broadcasting your password hashes in
potentially public bug logs. ^^

What I can tell you from looking at the process so far, is that the NT
PDC is *definitely* providing machine account password hashes, it just
appears that whatever samba should be doing with them, it is not.

Best of luck

Regards

Eric J Bennett
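Eric lists three captures worth taking around a vampire run (the smbd debug log, a packet capture, an strace of `net rpc vampire`) and warns against pasting password hashes into public bug logs. The script below is an added example for this thread, not Samba project code, that wraps those captures and scrubs the resulting text before it leaves the box. Assumptions: Samba 3 era command names as used in the thread, `sed -E`, `tcpdump` and `strace` on the path; "pdc" and "eth0" are placeholders. It also drops the `%password` half of the `-U` argument so the password is not visible in the process list; `net` then prompts for it.

```sh
#!/bin/sh
# Gather the diagnostics Eric lists (strace of the vampire run, packet capture,
# smbd debug log) and scrub secrets before anything goes into a bug report.
# Added example for this thread, not Samba project code.  Assumptions: Samba 3
# command names (net rpc vampire, smbd -d 10 -i as Eric runs it), sed -E,
# tcpdump and strace; "pdc" and "eth0" are placeholders.

# Mask anything that looks like an NT/LM hash (32 hex digits) and the password
# half of a user%password credential, both bare (-U user%pw) and in the quoted
# argv form strace prints ("-U", "user%pw").  Heuristic: any other 32-hex token
# is masked too, which is the safe direction for a public log.
redact_secrets() {
    sed -E \
        -e 's/[0-9A-Fa-f]{32}/<REDACTED-HASH>/g' \
        -e 's/(-U ?[^ "%]+)%[^ "]*/\1%<REDACTED>/g' \
        -e 's/("-U", "[^"%]+)%[^"]*/\1%<REDACTED>/g'
}

# Capture around one vampire run.  Only executed when invoked as
# "sh thisscript.sh collect PDC [iface]".
collect_diagnostics() {
    pdc=${1:?usage: collect_diagnostics PDC [iface]}
    iface=${2:-eth0}
    tcpdump -i "$iface" -s 0 -w vampire.pcap host "$pdc" &
    tcpdump_pid=$!
    # No password after '%': net prompts instead of exposing it in ps(1).
    # The typed password still ends up in strace's read() records, and the
    # pcap holds the whole replication exchange, so neither raw file should
    # leave the machine; only the redacted text files do.
    strace -f -o vampire.strace net rpc vampire -S "$pdc" -U administrator
    kill "$tcpdump_pid"
    redact_secrets < vampire.strace > vampire.strace.redacted
    # smbd.log comes from "smbd -d 10 -i > smbd.log 2>&1" run in another shell.
    [ -f smbd.log ] && redact_secrets < smbd.log > smbd.log.redacted
    echo "attach vampire.strace.redacted and smbd.log.redacted, not the raw files"
}

if [ "${1-}" = "collect" ]; then
    collect_diagnostics "$2" "$3"
fi
```

The redaction is deliberately coarse: a 40-hex SHA1 or a long hex dump will lose 32 characters too, which costs nothing in a bug report, whereas missing one hash costs an account. Samba's own `-d 10` output also prints buffers as spaced hex-dump lines, which this filter does not recognise, so the smbd log still deserves a manual read before posting.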



Paul Gienger wrote:
| I'm not at all experienced with the vampire command, but I believe it is
| supposed to bring passwords over.  Perhaps someone can interject here
| who does know what they're talking about???
|
| (note: bringing back on list from an accidental, i suspect, pm)
|
| Kang Sun wrote:
|
|>
|> Hello Paul,
|>
|>         I have questions on migration. Some other people like Eric
|> Bennett and Mike Brodbelt posted similar questions. But I cannot
|> find a definite answer to this question: does vampiring using
|> samba/ldap/smbldap-tools actually migrate passwords at all?
|>
|>         If the "add user/machine script" from smb.conf is the only
|> tool the vampiring process is calling, it certainly won't create passwords.
|> Below is the conversation between me and Mike. I hope you can help us.
|>
|> -- Kang
|>
|> Kang Sun wrote:
|> > Hello Mike,
|> >
|> > I did similar things and have similar problems.
|> > I looked at the ldap database, the migration did nothing but get all the
|> > names of users and machines.
|> > If the smbldap-* scripts are the only things the vampire process is
|> > calling, I don't see how it would get anything else.
|>
|> Agreed, although when migrating with a tdbsam backend, the vampire
|> process will populate the tdbsam with NT passwords and suchlike, but
|> also runs the useradd scripts to add the posix users, so I thought that
|> there may be some other data that Samba puts into LDAP directly, not via
|> invoking the scripts.
|>
|> The documentation from John Terpstra's book (available online at
|> http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
|> suggests that the process should work with an LDAP backend, but I'm
|> currently at a loss to see how and I'm unable to replicate this, even
|> on a test network, with various versions of the Idealx smbldap-tools. It
|> doesn't appear to work as advertised at the moment.
|>
|> > After vampiring,
|> >
|> > 1. All the computer accounts and user accounts (posixAccount as well) are
|> > created just like being created by smbldap-useradd, with the default
|> > parameters as defined in the smbldap.conf or smbldap_config.pm, eg,
|> > profiles, logon scripts, etc, user name, etc.
|>
|> Yes, this seems to work when run from the command line. Vampiring seems
|> to throw up some errors that I've not tracked down yet though.
|>
|> > 2. Users lost their domain membership. Every user account now belongs
|> > to the "Domain Users" group. No one is in the "Domain Admins" group except
|> > Administrator.
|> >
|> > The migration process must have done more than just calling these
|> > smbldap-tools scripts, but I just don't see the effect.
|> >
|> > What do you see if you do
|> > smbldap-usershow <userid> or <machinename>$  ?
|>
|> # smbldap-usershow detritus
|> dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
|> objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
|> cn: rwind
|> sn: rwind
|> uid: rwind
|> uidNumber: 1006
|> gidNumber: 513
|> homeDirectory: /home/rwind
|> loginShell: /bin/bash
|> gecos: System User
|> description: System User
|> userPassword: {crypt}x
|> sambaPwdLastSet: 0
|> sambaLogonTime: 0
|> sambaLogoffTime: 2147483647
|> sambaKickoffTime: 2147483647
|> sambaPwdCanChange: 0
|> sambaPwdMustChange: 2147483647
|> displayName: System User
|> sambaAcctFlags: [UX]
|> sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
|> sambaLMPassword: XXX
|> sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
|> sambaProfilePath: \\TALITHA\profiles\rwind
|> sambaHomePath: \\TALITHA\home\rwind
|> sambaHomeDrive: M:
|> sambaNTPassword: XXX
|>
|> # smbldap-usershow "quirm$"
|> dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
|> objectClass: top,inetOrgPerson,posixAccount
|> cn: quirm$
|> sn: quirm$
|> uid: quirm$
|> uidNumber: 1013
|> gidNumber: 515
|> homeDirectory: /dev/null
|> loginShell: /bin/false
|> description: Computer
|>
|> > or smbldap-groupshow <groupid>  ?
|>
|> # smbldap-groupshow "Domain Admins"
|> dn: cn=Domain Admins,ou=Groups,dc=acu,dc=ac,dc=uk
|> objectClass: posixGroup,sambaGroupMapping
|> gidNumber: 512
|> cn: Domain Admins
|> memberUid: Administrator
|> description: Netbios Domain Administrators
|> sambaSID: S-1-5-21-2704678572-2069052080-1039482078-512
|> sambaGroupType: 2
|> displayName: Domain Admins
|>
|>
|> So all that seems to have worked. It's just that some of the information
|> hasn't migrated across, and in the context of a transparent migration
|> off the NT4 server, the information that hasn't propagated is a
|> showstopper. Despite reading all the docs I can lay hands on, I still
|> can't see why, and the vampire process is not transparent to me - the
|> docs just assume it'll work completely or not at all - there's nothing
|> to tell one how to try and troubleshoot it if it half works, which is
|> what's happening for me.
|>
|> Mike.
|>
|> "Eric J Bennett" <eric.bennett at itouch.com.au> wrote in message
|> news:<40FB1140.6020103 at itouch.com.au>...
|> > Hi all,
|> >
|> > I'm really lost here, I do net rpc vampire and it works perfectly for
|> > user accounts (sets NTLM pass etc) and creates machine accounts, but
|> > fails to allocate their password hashes, I think it's calling the
|> > smbldap-useradd utility to add accounts for machines, but I don't see
|> > why this would make the hashes transfer for users but not machines?
|> >
|> > Any help much appreciated.
|> >
|> > Regards
|> > Eric Bennett
|> >
|> > --
|> > To unsubscribe from this list go to the following URL and read the
|> > instructions:  http://lists.samba.org/mailman/listinfo/samba
|> >
|
