[Samba] Re: Bad passwords from Vampire / NT migration
Cooper S. Blake
the_analogkid at yahoo.com
Wed Oct 22 14:21:13 GMT 2008
> Can anyone tell me why net rpc samdump gets the correct LM and NT
> password hashes, but net rpc vampire gets incorrect hashes? What's
> funny is that vampire seems to produce consistent results, but
> they're consistently wrong.
> Is it possible that the NT PDC doesn't trust the Samba server so
> it gives it bad hashes?
I have a few more comments.
1. net rpc vampire does not set the machine or domain SID. This has
to be done manually using net setlocalsid and net setdomainsid.
Calling net rpc getsid appears to work but does not change anything.
I have seen multiple other people with this same problem going back
a couple years, so it appears to be a longstanding bug.
2. I checked the event log on the Windows NT PDC. It's interesting
because each time I run the vampire command, it logs 2 or 5 5722
events in a row (the error is that the session setup from my samba
BDC failed to authenticate with the error Access is denied.) This
error is indicating an invalid machine password from Samba.
Then immediately after the error messages I get two 5713 events,
indicating that the full synchronization request from the BDC
completed successfully. The first event refers to over 100 objects
and the second event refers to a much smaller number. So despite
the 5722 error, everything synchronizes.
3. The only evidence of any problem from the vampire command is the
events logged on the PDC, and the invalid passwords. I tried
deleting the trust account on the PDC and rejoining several times,
with Samba on, off, and nmbd on and off. The result is always the
same. The bad password hashes are always the same for each account.
If I change a password on the PDC then run vampire again, the NT
hash changes on the Samba box. It just seems like the NT hash is
somehow being scrambled, but in a consistent way.
4. It does not seem to matter if I create the BDC trust account on
the PDC using Server Manager, or whether I just join the domain
using net rpc join. The former step seems unncessary.
5. Here is the stderr output from the vampire command:
[2008/10/20 21:08:23, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1117)
I did also save the debug level 10 output, but it really doesn't look
to contain anything interesting.
More information about the samba