[Samba] Switching Ldap Servers

Mike Cauble mcauble at lufkin.com
Fri May 12 18:02:29 GMT 2006

Jim Summers wrote:

> Mike Cauble wrote:
>> Jim,
>> I recently did the same thing, here is what I found:
> Hi Mike,
> Thanks for the response.  Here is what I discovered while testing 
> this morning:
>> When I migrated my ldap, some machines couldn't connect even though 
>> they had an account on the domain. Here are some of the reasons:
>> "sambaPwdLastSet" must have a valid value (i.e. 1146061069). I can't 
>> remember, but all the date fields (sambaPwdMustChange, 
>> sambaPwdCanChange) may have to have a valid value.
> I guess they are valid, they at least match what is in the old ldap.

Some of my "sambaPwdLastSet" fields had 0 as a value and couldn't log in; 
when I gave them a date value, that fixed the problem.

>> check your old ldap machine entries against the new ldap entries
>> sambaSID, sambaNTPassword must match, make sure sambaAcctFlags  has a 
>> [W]
> I have compared the values of the attributes and they match.
>> objectClass: sambaSamAccount - I have seen this discussed as 
>> something that has changed you might want to check this
>> You might remove and re-add a machine, then look at its ldap entry 
>> and compare it with another machine account's old ldap entry.
> I did the remove and add process.  There were three attributes that 
> were updated:
> sambaPwdCanChange,
> sambaPwdLastSet,
> sambaNTPassword
> and the machine was joined and all is well.
> So I am now wondering which or all of these values could I use from 
> the newly added machine entry to update the rest of my 
> machine entries? I do not look forward to having to do the remove/add 
> process for each machine.
> From what I have read, the sambaNTPassword is the MD4() of the 
> password?  And I am guessing the password is the password of the admin 
> that is used when joining the domain?
> Which may not be right, because when I look at the NTpassword for 
> various working machines they are all different, but since I do not 
> know how the MD4 works it may be the same password just a different 
> crypt'd value based on some random seed.
> I am going to take the value of the NTpassword from my working machine 
> entry and set it on a non-working entry and see if that machine will 
> then attach to the domain without having to do the remove/add process.
> Do you think this might work? Thoughts / suggestions?

Each machine has or should have a unique password, so substituting 
another machine password won't work.

What version of Samba are you running?
What ldap backend are/were you running?

Here is one thing I did.

I have a machine on my network called testmachine$.
I created an ldif file like the one below.
These values came from the old ldap:

dn: uid=testmachine$,ou=Computers,dc=lufkin,dc=com
changetype: modify
replace: sambaSID
sambaSID: S-1-5-21-2781067772-1786132867-2942848841-15320

dn: uid=testmachine$,ou=Computers,dc=lufkin,dc=com
changetype: modify
replace: sambaNTPassword
sambaNTPassword: F6A32EA7F65BBD4199F2C33A3AF2DD66

This is the password my machine currently uses.

You will have to delete testmachine$ and then create a machine account 
manually for testmachine$.
The sambaNTPassword and the number after the last "-" in the SID should 
be different on the account you manually created.
After creating my machine account manually I now have for testmachine$:
sambaNTPassword: 9B54520D9DD7BEE9A4A3DEDE41412AEB
and a sambaSID: S-1-5-21-2781067772-1786132867-2942848841-2343

I then did an ldapmodify using the above ldif file to change the machine 
password and the SID to one that testmachine$ expects.

Make sure sambaPwdLastSet has a value other than "0" and sambaAcctFlags 
has a value of "W".

You should be able to log in.


> Thanks again,

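The procedure Mike describes above (compare the old and new LDAP entries for each machine account, make sure sambaAcctFlags carries W and sambaPwdLastSet is non-zero, then ldapmodify the old sambaSID and sambaNTPassword back onto the re-created entry) is easy to get wrong by hand across many machines. The script below is an added example, not code from the thread or from Samba, that does the same comparison over two LDIF exports and generates the repair LDIF. The machine account, base DN (dc=example,dc=com), SID and hash values are constructed for the example; sambaNTPassword is the NT hash (MD4 over the UTF-16LE machine password), and since every machine generates its own password, each entry's hash is different, which is why copying one machine's value onto another cannot work. The generated record uses a single changetype: modify with several replace operations separated by "-" (RFC 2849), which ldapmodify accepts, rather than one record per attribute as in the hand-written LDIF above.

```python
"""Compare Samba machine accounts across an LDAP migration and emit the
LDIF needed to restore the values the workstation still expects.
Added example; names, DNs, SIDs and hashes below are constructed."""
from typing import Dict, List

# Constructed sample: the same machine account exported from the old
# directory (OLD_LDIF) and as it looks after a remove/re-join against
# the new directory (NEW_LDIF). The hashes are placeholders, not real.
OLD_LDIF = """\
dn: uid=testmachine$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: testmachine$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-15320
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaAcctFlags: [W          ]
sambaPwdLastSet: 1146061069
"""

NEW_LDIF = """\
dn: uid=testmachine$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: testmachine$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-2343
sambaNTPassword: FFEEDDCCBBAA99887766554433221100
sambaAcctFlags: [U          ]
sambaPwdLastSet: 0
"""

# Attributes the thread identifies as having to match what the machine expects.
REPAIR_ATTRS = ("sambaSID", "sambaNTPassword", "sambaAcctFlags", "sambaPwdLastSet")


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF content-record parser: {dn: {attr: [values]}}.
    Handles folded lines (continuation lines start with one space);
    base64 'attr:: value' lines are out of scope for this example."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    attrs: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line:
            if "dn" in attrs:
                entries[attrs["dn"][0]] = attrs
            attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return entries


def check_machine_entry(attrs: Dict[str, List[str]]) -> List[str]:
    """Return the checks from the thread that this entry fails (empty = OK)."""
    problems: List[str] = []
    if "sambaSamAccount" not in attrs.get("objectClass", []):
        problems.append("objectClass lacks sambaSamAccount")
    for required in ("sambaSID", "sambaNTPassword"):
        if not attrs.get(required):
            problems.append(f"{required} missing")
    flags = attrs.get("sambaAcctFlags", [""])[0]
    if "W" not in flags:
        problems.append("sambaAcctFlags lacks W (not a workstation trust account)")
    last_set = attrs.get("sambaPwdLastSet", ["0"])[0]
    if not last_set.isdigit() or int(last_set) == 0:
        problems.append("sambaPwdLastSet is 0 or missing")
    return problems


def build_repair_ldif(dn: str, old: Dict[str, List[str]], new: Dict[str, List[str]]) -> str:
    """One 'changetype: modify' record restoring, from the old entry, every
    repair attribute whose value differs in the new one ('' if none differ)."""
    mods: List[str] = []
    for attr in REPAIR_ATTRS:
        old_vals = old.get(attr, [])
        if old_vals and old_vals != new.get(attr, []):
            mods.append(f"replace: {attr}\n{attr}: {old_vals[0]}\n-")
    if not mods:
        return ""
    return f"dn: {dn}\nchangetype: modify\n" + "\n".join(mods) + "\n"


def repair_ldif_for_export(old_text: str, new_text: str) -> Dict[str, str]:
    """For every account present in both exports, the repair record keyed by
    dn. Old entries that fail the checks themselves are skipped, since
    copying a bad value (e.g. sambaPwdLastSet of 0) forward would not help."""
    old_entries = parse_ldif(old_text)
    new_entries = parse_ldif(new_text)
    fixes: Dict[str, str] = {}
    for dn, old in old_entries.items():
        new = new_entries.get(dn)
        if new is None or check_machine_entry(old):
            continue
        record = build_repair_ldif(dn, old, new)
        if record:
            fixes[dn] = record
    return fixes


if __name__ == "__main__":
    for dn, entry in parse_ldif(NEW_LDIF).items():
        print(f"{dn}: {check_machine_entry(entry) or 'OK'}")
    print("".join(repair_ldif_for_export(OLD_LDIF, NEW_LDIF).values()), end="")
```

Run as a script, it lists what is wrong with the re-joined entry and prints the LDIF that ldapmodify would apply to put the old SID, hash, flags and password-set time back. In practice the two inputs would be ldapsearch exports of ou=Computers from the old and new servers, and the output should be reviewed before it is applied, since a machine whose old entry already failed the checks is deliberately left out.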