[Samba] Bad passwords from Vampire / NT migration

Cooper S. Blake the_analogkid at yahoo.com
Wed Oct 15 13:48:49 GMT 2008 

I just did a clean install of Fedora 9 onto a Pentium 4 machine.  It is actually running SELinux enforcing, but I haven't found any errors related to that so far.  It is running Samba 3.2.3-0.20. I am trying to migrate a Windows NT 4.0 domain with about 30 users and 30 computers onto a pure Samba setup, using Samba as the PDC and tdbsam.



I have read the HOWTO guide extensively, and everything seems to work in the beginning.  My smb.conf is shown below in the BDC configuration.  I started with no tdbsam database, so I started by creating the root account using pdbedit.  I join the domain using net rpc join -S PDC.  No problem.  I setup the group maps using by creating a script, as recommended.



Then I run the vampire command:

sudo net rpc vampire -S cls01



At this point I noticed it does not need a password, though the documentation says to use -U administrator; I assume it's relying on the machine trust account and its BDC membership.  It appears to create all user, workstation, and group accounts properly.  The only errors are pertaining to the inability to add groups with spaces:



[2008/10/13 23:41:26,  0] groupdb/mapping.c:smb_create_group(215)

  smb_create_group: Running the command `/usr/sbin/groupadd "Account Operators"' gave 3



This is okay because I manually created unix groups and mapped them.  Now the problem is that apparently all the passwords are coming over incorrectly.  If I attempt to promote Linux to PDC and shutdown the old server, workstations can't login, and Samba logs show complaints about a machine trust account needing a password:



[2008/10/13 22:57:04,  0] rpc_server/srv_netlog_nt.c:get_md4pw(357)

  get_md4pw: Workstation GRADE7-8$: account does not have a password

[2008/10/13 22:57:04,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)

  _netr_ServerAuthenticate2: failed to get machine password for account GRADE7-8$: NT_STATUS_LOGON_FAILURE



I started looking at all the password hashes using pdbedit -Lw, and found the following:



* There are no LanMan password hashes (all set to XXXX...)

* All machine accounts have neither LanMan nor NT password hashes:

WS6$:576:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-48D8EC0E:

* The NT hashes for the user accounts appear to be incorrect.



Otherwise everything looks right.  The account flags look to be correct, and they all appear under the CLS domain.  The Logon time field looks correct, though the password last set field shows the time of the vampire run.  Group membership is correct when using net rpc user info.  When I test the logins by using smbclient, in PDC mode, none of the existing passwords work, except the root password I created before the vampire.



The weird part is that I ran the net rpc samdump command, and its output all appears to be correct!  Almost all accounts besides workstations have LanMan password hashes, and I went as far as to verify the NT hashes.  I did this by creating a new user (pdbedit -a) and setting the password to what it is on the NT DC.  The NT hash is the same as what appears in the samdump output.  However, all NT hashes are different from what is stored in the tdbsam after vampire.


My conclusion is that the samdump appears to be doings its job, but somehow the tdbsam is being written incorrectly with respect to password hashes.  It seems as though the tdbsam database version is not in sync with the vampire tool, though it's odd that there aren't any visible error messages.  Shouldn't the LanMan / NT hashes be the same beteween pdbedit and samdump?

thanks,
Cooper



[global]

        workgroup = CLS

        security = user

        passdb backend = tdbsam

        domain master = no

        wins support = no

        domain logons = yes

        local master = yes

        preferred master = yes

        os level = 33



        logon path =

        logon home = 

        add user script = /usr/sbin/useradd "%u" -n -g users -s /bin/false

        add user to group script = /usr/sbin/usermod -aG "%g" "%u"

        add group script = /usr/sbin/groupadd "%g"

        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"

        delete user script = /usr/sbin/userdel "%u"

        delete group script = /usr/sbin/groupdel "%g"

        log file = /var/log/samba/log.%m

        max log size = 50



[homes]

        comment = Home Directories

        browseable = no

        writable = yes



[netlogon]

        comment = Network Logon Service

        path = /var/lib/samba/netlogon

        read only = yes

More information about the samba mailing list