[Samba] Switching Ldap Servers
mcauble at lufkin.com
Fri May 12 18:02:29 GMT 2006
Jim Summers wrote:
> Mike Cauble wrote:
>> I recently did the same thing, here is what I found:
> Hi Mike,
> Thanks for the response. Here is what I discovered while testing
> this morning:
>> When I migrated my ldap, some machines couldn't connect even thought
>> they had an account on the domain. Here are some of the reasons
>> "sambaPwdLastSet" must have a valid value (ie. 1146061069) I can't
>> remember but all the date fields ( sambaPwdMustChange,
>> sambaPwdCanChange) may have to have a valid value
> I guess they are valid, they at least match what is in the old ldap.
Some of my "sambaPwdLastSet" fields had 0 as a value and couldn't login
when I gave them a date value that fixed the problem.
>> check your old ldap machine entries against the new ldap entries
>> sambaSID, sambaNTPassword must match, make sure sambaAcctFlags has a
> I have compared the values of the attributes and they match.
>> objectClass: sambaSamAccount - I have seen this discussed as
>> something that has changed you might want to check this
>> You might remove and re-add a machine then look at it's ldap entry
>> and compare with another machine account's old ldap entry.
> I did the remove and add process. There were three attributes that
> were updated:
> and the machine was joined and all is well.
> So I am now wondering which or all of these values could I use from
> the newly added machine entry and use to update the the rest of my
> machine entries? I do not look forward to having to do the remove/add
> process for each machine.
> From what I have read, the sambaNTPassword is the MD4() of the
> password? And I am guessing the password is the password of the admin
> that is used when joining the domain?
> Which may not be right, because when I look at the NTpassword for
> various working machines they are all different, but since I do not
> know how the MD4 works it may be the same password just a different
> crypt'd value based on some random seed.
> I am going to take the value of the NTpassword from my working machine
> entry and set it on a non-working entry and see if that machine will
> then attach to the domain without having to do the remove/add process.
> Do you think this might work? Thoughts / suggestions?
Each machine has or should have a unique password, so substituting
another machine password won't work.
What version of Samba are you running?
What ldap backend are/were you running?
Here is one thing I did.
I have a machine on my network called testmachine$
I created an ldif file like this one below.
This values came from the old ldap
This is the password my machine currently uses.
You will have to delete testmachine$ and then create a machine account
manually for testmachine$.
The sambaNTPassword and the number after the last "-" in the SID should
be different on the account you manually created.
After creating my machine account manually I now have for testmachine$:
and a sambaSID: S-1-5-21-2781067772-1786132867-2942848841-2343
I then did an ldapmodify using the above ldif file to change the machine
password and the SID to one that testmachine$ expects.
Make sure sambaPwdLastSet has a value other than "0" and sambaAcctFlags
has a value of "W"
You should be able to log in.
> Thanks again,
More information about the samba