[Samba] Switching Ldap Servers
Jim Summers
jsummers at cs.ou.edu
Wed May 10 14:16:46 GMT 2006
Mike Cauble wrote:
> Jim,
>
> I recently did the same thing, here is what I found:
Hi Mike,
Thanks for the response. Here is what I discovered while testing this morning:
>
>
> When I migrated my ldap, some machines couldn't connect even though
> they had an account on the domain. Here are some of the reasons
>
> "sambaPwdLastSet" must have a valid value (ie. 1146061069) I can't
> remember but all the date fields ( sambaPwdMustChange,
> sambaPwdCanChange) may have to have a valid value
I guess they are valid, they at least match what is in the old ldap.
>
> check your old ldap machine entries against the new ldap entries
> sambaSID, sambaNTPassword must match, make sure sambaAcctFlags has a [W]
I have compared the values of the attributes and they match.
>
> objectClass: sambaSamAccount - I have seen this discussed as something
> that has changed you might want to check this
>
> You might remove and re-add a machine then look at its ldap entry and
> compare with another machine account's old ldap entry.
I did the remove and add process. There were three attributes that were updated:
sambaPwdCanChange,
sambaPwdLastSet,
sambaNTPassword
and the machine was joined and all is well.
So I am now wondering which or all of these values could I use from the newly
added machine entry and use to update the rest of my machine entries? I do
not look forward to having to do the remove/add process for each machine.
From what I have read, the sambaNTPassword is the MD4() of the password? And
I am guessing the password is the password of the admin that is used when
joining the domain?
Which may not be right, because when I look at the NTpassword for various
working machines they are all different, but since I do not know how the MD4
works it may be the same password just a different crypt'd value based on some
random seed.
I am going to take the value of the NTpassword from my working machine entry
and set it on a non-working entry and see if that machine will then attach to
the domain without having to do the remove/add process.
Do you think this might work? Thoughts / suggestions?
Thanks again,
--
Jim Summers
School of Computer Science-University of Oklahoma
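
Added example, not part of the original message or of Samba itself: a small Python check that compares a machine account exported from the old directory with the same account in the new one, covering the attributes named in the thread (sambaSID, sambaNTPassword, sambaAcctFlags with W, objectClass sambaSamAccount, sambaPwdLastSet). The LDIF entries, the DN and the function names are constructed for illustration, and the parser assumes unfolded, non-base64 LDIF with attribute names spelled exactly as shown.

```python
import re

# Constructed sample entries (not from the thread): one machine account as
# exported from the old directory and as it appears in the new one.
OLD_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaAcctFlags: [W          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaPwdLastSet: 1146061069
"""
NEW_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaAcctFlags: [U          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
"""
MUST_MATCH = ("sambaSID", "sambaNTPassword")

def parse_entry(ldif):
    """Parse one unfolded, non-base64 LDIF entry into {attr: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if ": " in line and not line.startswith("#"):
            attr, value = line.split(": ", 1)
            entry.setdefault(attr, []).append(value)
    return entry

def check_machine(old, new):
    """Return a list of problems found in `new` relative to `old`."""
    problems = []
    for attr in MUST_MATCH:
        if old.get(attr) != new.get(attr):
            problems.append(f"{attr} differs from old entry")
    if "sambaSamAccount" not in new.get("objectClass", []):
        problems.append("objectClass sambaSamAccount missing")
    flags = new.get("sambaAcctFlags", [""])[0]
    if not re.fullmatch(r"\[[^\]]*W[^\]]*\]", flags):
        problems.append("sambaAcctFlags lacks W")
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", new.get("sambaNTPassword", [""])[0]):
        problems.append("sambaNTPassword is not 32 hex digits")
    if not new.get("sambaPwdLastSet", [""])[0].isdigit():
        problems.append("sambaPwdLastSet missing or not a timestamp")
    return problems

if __name__ == "__main__":
    for problem in check_machine(parse_entry(OLD_LDIF), parse_entry(NEW_LDIF)):
        print("ws01$:", problem)
```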