[Samba] Re: Machine accounts by migrating from smbpasswd to ldapsam
Tomas Lohr
lohr at moser-glass.com
Mon Nov 8 13:24:10 GMT 2004
Hi,
after a few days I found the solution. The problem was bad SID numbers.
The machine account in /etc/smbpasswd
vs3$:501:F74786067472.....3E527018D189760:382721F51C7C.....C9C1E9A81BB145:[W ]:LCT-416E659B:
has to be transformed into the LDAP directory with the same number:
sambaSID=S-1-5-21-1065381148-2072401369-4150041673-501
uidNumber=501
Similarly with the SID numbers of user accounts:
rid='2*uidNumber+sambaAlgorithmicRidBase'
sambaSID and uidNumber must be changed according to this formula.
T. Lohr
On 1 Nov 2004 at 12:15, samba at lists.samba.org wrote:
> Hi all,
>
> I'm wondering about machine accounts (WinXP) when migrating from
> Samba 2.2.8 with the authentication backend /etc/smbpasswd to Samba 3.0.4
> with ldapsam.
>
> Is it possible just to take NT hash from smbpasswd and paste it to
> ldap record as sambaNTPassword?
>
> I'm not able to login from machine vs3 to new domain. My
> configuration files and log files follow. The Samba-SID is the same on
> the old server and on the new server.
>
> How to transport machine accounts from the old backend to the new one
> without reconnecting machines to the new domain? Do you know where
> the problem is?
>
> Thanx for your help
> Tomas Lohr
>
>
>
> The record from /etc/smbpasswd looks like:
>
> vs3$:501:F74786067472.....3E527018D189760:382721F51C7C.....C9C1E9A81B5B145:[W ]:LCT-416E659B:
>
> The specific record from ldap looks like:
>
> hp3:/ # ldapsearch -x -D "cn=Manager,dc=moser-glass,dc=com" -W -b
> 'dc=moser-glass,dc=com' 'cn=vs3$'
>
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=moser-glass,dc=com> with scope sub
> # filter: cn=vs3$
> # requesting: ALL
> #
>
> # VS3$, Computers, moser-glass.com
> dn: uid=VS3$,ou=Computers,dc=moser-glass,dc=com
> gidNumber: 513
> homeDirectory: /dev/null
> loginShell: /bin/false
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: sambaSamAccount
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 0
> sambaSID: S-1-5-21-1065381148-2072401369-4150041673-3180
> sambaPrimaryGroupSID: S-1-5-21-1065381148-2072401369-4150041673-553
> uidNumber: 501
> sambaAcctFlags: [W ]
> cn: vs3$
> sn: vs3$
> uid: vs3$
> description: Computer VS3
> sambaNTPassword: 382721F51C7C.....C9C1E9A81B5B145
> sambaLMPassword: F74786067472.....3E527018D189760
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> The samba log /var/log/samba/log.vs3 writes:
>
> [2004/10/29 18:09:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
> init_sam_from_ldap: Entry found for user: vs3$
> [2004/10/29 18:09:47, 0] rpc_server/srv_netlog_nt.c:get_md4pw(218)
> get_md4pw: Workstation VS3$: no account in domain
> [2004/10/29 18:09:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
> init_sam_from_ldap: Entry found for user: vs3$
> [2004/10/29 18:09:47, 0] rpc_server/srv_netlog_nt.c:get_md4pw(218)
> get_md4pw: Workstation VS3$: no account in domain
> [2004/10/29 18:09:58, 2] smbd/server.c:exit_server(568)
> Closing connections
>
>
> Important part of new /etc/samba/smb.conf:
>
> [global]
> server string = hp3
> netbios name = HP3
> workgroup = MOSERAS
> domain master = Yes
> preferred master = Yes
> domain logons = Yes
> dos charset = 852
> unix charset = ISO-8859-2
> os level = 99
>
> time server = Yes
> wins support = yes
> name resolve order = wins lmhosts bcast host
> max log size = 1000
> log file = /var/log/samba/log.%m
> log level = 2
> syslog = 0
> lanman auth = Yes
> map acl inherit = Yes
> null passwords = No
> interfaces = eth0
> encrypt passwords = true
> winbind use default domain = Yes
> passdb backend = ldapsam:ldap://localhost
> min password length = 5
>
> ldap admin dn = "cn=Manager,dc=moser-glass,dc=com"
> ldap delete dn = No
> ldap suffix = dc=moser-glass,dc=com
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
> ldap user suffix = ou=People
> ldap passwd sync = Yes
> ldap idmap suffix = ou=Idmap
> pam password change = No
> idmap gid = 10000-20000
> idmap uid = 10000-20000
>
>
>
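The migration and the consistency check described in the reply above, as an added example that is not code from the original thread or from Samba: it parses smbpasswd lines, derives sambaSID the way the reply describes (a machine account keeps its uidNumber as RID, a user account gets 2*uidNumber + sambaAlgorithmicRidBase) and compares an existing LDAP entry against that expectation, which flags exactly the 3180-versus-501 mismatch visible in the quoted ldapsearch output. The domain SID, base DN and OU suffixes are taken from the post; the RID base of 1000 is assumed to be Samba's default, the group RIDs 513 and 515 are the well-known Domain Users and Domain Computers values, and the sample smbpasswd lines and LDAP entry are constructed with dummy hashes.

```python
# Added example (not code from the original post): rebuild ldapsam entries from
# smbpasswd lines with sambaSID derived as the reply describes, and check an
# existing LDAP entry against that expectation before trusting it.

# Domain SID and base DN as they appear in the post; the RID base is assumed to
# be Samba's default for "algorithmic rid base" (set it to the real value).
DOMAIN_SID = "S-1-5-21-1065381148-2072401369-4150041673"
BASE_DN = "dc=moser-glass,dc=com"
ALGORITHMIC_RID_BASE = 1000
DOMAIN_USERS_RID, DOMAIN_COMPUTERS_RID = 513, 515  # well-known group RIDs

# Constructed sample smbpasswd content; the 32-character hash fields are dummy
# placeholders, not real LM/NT hashes.
SAMPLE_SMBPASSWD = (
    "# comment lines and blank lines are ignored\n"
    "\n"
    f"vs3$:501:{'A' * 32}:{'B' * 32}:[W          ]:LCT-416E659B:\n"
    f"alice:1002:{'C' * 32}:{'D' * 32}:[U          ]:LCT-416E659B:\n"
)

# Constructed LDAP entry mirroring the mismatch in the post: uidNumber 501 but
# a sambaSID ending in 3180 instead of 501.
BROKEN_LDAP_ENTRY = {
    "uid": "VS3$",
    "uidNumber": "501",
    "sambaSID": f"{DOMAIN_SID}-3180",
    "sambaNTPassword": "B" * 32,
    "sambaLMPassword": "A" * 32,
}


def parse_smbpasswd(text):
    """Parse smbpasswd lines of the form name:uid:LM:NT:[flags]:LCT-hex:"""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected name:uid:LM:NT:flags:LCT")
        name, uid, lm_hash, nt_hash, flags, lct = fields[:6]
        # Real files also carry 32-char "NO PASSWORD..." or all-X placeholders,
        # so only the field width is enforced here.
        if len(lm_hash) != 32 or len(nt_hash) != 32:
            raise ValueError(f"line {lineno}: hash fields must be 32 characters")
        entries.append({
            "name": name,
            "uid": int(uid),
            "lm": lm_hash.upper(),
            "nt": nt_hash.upper(),
            "flags": flags.strip("[] "),  # "[W          ]" -> "W"
            # LCT is the last-change time as hex seconds since the epoch
            "last_change": int(lct[4:], 16) if lct.startswith("LCT-") else 0,
        })
    return entries


def rid_for(uid, flags):
    """RID rule from the reply: a machine account (W flag) keeps uidNumber as
    its RID; a user account gets 2*uidNumber + sambaAlgorithmicRidBase."""
    if "W" in flags:
        return uid
    return 2 * uid + ALGORITHMIC_RID_BASE


def expected_sid(uid, flags):
    return f"{DOMAIN_SID}-{rid_for(uid, flags)}"


def to_ldif(entry):
    """Render one sambaSamAccount LDIF entry for a parsed smbpasswd record."""
    machine = "W" in entry["flags"]
    ou = "ou=Computers" if machine else "ou=People"  # suffixes from the post's smb.conf
    group_rid = DOMAIN_COMPUTERS_RID if machine else DOMAIN_USERS_RID
    lines = [
        f"dn: uid={entry['name']},{ou},{BASE_DN}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        f"cn: {entry['name']}",
        f"sn: {entry['name']}",
        f"uid: {entry['name']}",
        f"uidNumber: {entry['uid']}",
        "gidNumber: 513",  # as in the post's entry; map to a real unix gid
        "homeDirectory: /dev/null",
        "loginShell: /bin/false",
        f"sambaSID: {expected_sid(entry['uid'], entry['flags'])}",
        f"sambaPrimaryGroupSID: {DOMAIN_SID}-{group_rid}",
        f"sambaAcctFlags: [{entry['flags']:<11}]",
        f"sambaNTPassword: {entry['nt']}",
        f"sambaLMPassword: {entry['lm']}",
        f"sambaPwdLastSet: {entry['last_change']}",
    ]
    return "\n".join(lines) + "\n"


def check_ldap_entry(attrs, entry):
    """Return the mismatches between an LDAP entry and the smbpasswd record it
    was migrated from; an empty list means the two agree."""
    problems = []
    want_sid = expected_sid(entry["uid"], entry["flags"])
    if attrs.get("sambaSID") != want_sid:
        problems.append(f"sambaSID is {attrs.get('sambaSID')}, expected {want_sid}")
    if str(attrs.get("uidNumber")) != str(entry["uid"]):
        problems.append(f"uidNumber is {attrs.get('uidNumber')}, expected {entry['uid']}")
    if (attrs.get("sambaNTPassword") or "").upper() != entry["nt"]:
        problems.append("sambaNTPassword does not match the smbpasswd NT hash")
    return problems


if __name__ == "__main__":
    records = parse_smbpasswd(SAMPLE_SMBPASSWD)
    for rec in records:
        print(to_ldif(rec))
    for problem in check_ldap_entry(BROKEN_LDAP_ENTRY, records[0]):
        print("mismatch:", problem)
```

Run against the constructed data, the check reports only the sambaSID mismatch, which is the condition behind the "no account in domain" lines in the quoted log: Samba finds the LDAP entry by name but the SID it carries does not belong to the account the workstation presents. Feeding the rendered LDIF to ldapadd with the admin DN from smb.conf would create entries whose sambaSID and uidNumber agree with the old smbpasswd data.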