[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery

Nathan Mahu nmahu at cyanide-studio.com
Mon May 2 03:50:00 MDT 2011


Hello everyone,

I am operating a migration of samba from 3.0.24 (mysql passdb backend) 
to 3.5.6 (openldap passdb), samba working as a domain controller (PDC) 
and file share. The main challenge is to provide a seamless migration 
for users.
For this new version, I am using smbldap-tools 0.9.6, nss_ldap, openldap 
2.4. Everything runs on FreeBSD 8.2.

To get used to samba, I have managed to make samba 3.5 work as a new 
domain, computers joining it, etc... But since I want a seamless 
migration, I now try to provide enough information to samba 3.5 to auth 
users like the old version.

Currently, I can't manage to have machine accounts which can be on the 
new domain with the samba root login, without joining the domain through 
the windows manual procedure.
The new domain has the same "netbios name", "workgroup", domain SID and 
local SID. And now the challenge is to fill accounts (users, but first 
workstation/machine accounts) in ldap.
I have copied and pasted every *.tdb file from the old samba to the new: 
/var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ smbpasswd file).
Moreover, to test everything, I have a computer which has an ethernet 
interface toward the old working samba, and another one toward the new 
domain. When I try to switch from the old to the new samba, I shut down 
the right interface, log out and try to log in with the root login of the new 
samba (I always wait a few minutes in order to have the new pdc "recognized").
As I read that someone is able to upgrade his samba seamlessly by 
shutting down computers & samba (old & new), then starting the new samba, 
then the computers, I have tried this procedure each time. However, I don't 
believe it is the problem: logs are the same if I do the "shutdown/start" 
procedure or the simple "logout/login" procedure.

I put at the end of this mail the ldap entries for each step made. So first, 
here is the reference of a working machine account (achieved by joining 
the "new" domain manually) [1].

Here are steps I have made:

1. I'm adding machine account using:

#smbldap-useradd -W machine_account$

Then I provide my machine account the same SID in ldap using:

#pdbedit machine_account$ -U S-1-5-21-720590779-4203916555-4014520812-11343

The result is [2], and I can't log in with it. Logs tell me something like 
"Workstation machine_account$ doesn't have a password"... Indeed, there is no 
sambaNTPassword here!

2. I want to manually provide sambaNTPassword. Here, no samba command 
(pdbedit, smbpasswd) provides me a way to do it; the only way I found is 
to add it directly into LDAP (ldapadd or ldapmodify, ...) [3].

As we could predict, it doesn't work (logging in as root). Since 
"sambaNTPassword" is set during the manual join procedure, it must be 
some kind of exchange between the workstation and the PDC.

3. The second idea is to import the old passdb backend into the new 
(ldap) using:

#pdbedit -e tdbsam:export.tdb
on the old PDC, and then on the new PDC:

#pdbedit -i tdbsam:export.tdb

Everything works fine for import/export, giving me [4]. Trying to log in 
with this fails: "Failed to find UNIX account for thorin$". If I manually 
add the fields needed for a UNIX account (objectClass: posixAccount, 
etc...), it fails on a "credentials check fails" (same as step 1 when 
sambaNTPassword was missing).

CONCLUSION:
In my opinion, it appears that sambaNTPassword is needed for workstation 
authentication and can be provided only by joining the domain manually 
(Computer -> Manage -> etc...).

Ideas are seriously running out; I find very little about 
sambaNTPassword, and particularly about when (during the joining process?), 
where (is it stored on the workstation? in a samba file? only in the 
passdb backend?) and why (security reasons I guess, avoiding name 
spoofing etc...? Not a crucial question).
Any help would be welcome!


REFERENCES LDAP ENTRIES:

[1] Working machine account:
-------------------------------------------------------------------------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: thorin$
uid: thorin$
uidNumber: 1004
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
displayName: THORIN$
sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
sambaPwdLastSet: 1304080571
sambaAcctFlags: [W          ]
-------------------------------------------------------------------------------------------

[2] Machine account from command #smbldap-useradd -W, with a corrected SID:
-------------------------------------------------------------------------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
cn: thorin$
uid: thorin$
uidNumber: 1002
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1304078541
sambaAcctFlags: [W          ]
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
displayName: thorin$
sambaDomainName: DOMAIN
-------------------------------------------------------------------------------------------

[3] Same as above with a sambaNTPassword field entered through LDIF:
-------------------------------------------------------------------------------------------
// same as above
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
-------------------------------------------------------------------------------------------

[4] Entry from import:
-------------------------------------------------------------------------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
uid: thorin$

sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaLogonScript: netlogon.bat
sambaLogonTime: 0
sambaLogoffTime: 0
sambaKickoffTime: 0
sambaPwdCanChange: 1303228739
sambaPwdMustChange: 2147483647
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1303228739
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
sambaAcctFlags: [W          ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0

objectClass: sambaSamAccount
objectClass: account
-------------------------------------------------------------------------------------------
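As an added example (not part of the original mail, and not a Samba or smbldap-tools script), the small checker below parses LDIF entries like [1], [2] and [4] above and reports what a machine trust account lacks before anyone tries to log on with it. The required object classes and attributes are this example's own assumption about the minimum an ldapsam PDC needs: posixAccount plus uidNumber/gidNumber so the "UNIX account" lookup succeeds, and sambaSamAccount with sambaSID, sambaAcctFlags containing W and a 32-hex-digit sambaNTPassword so the credentials check has something to verify. The sample entries are constructed from the ones quoted in the mail, trimmed to the attributes the check looks at.

```python
"""Check LDIF machine-account entries for what Samba 3.x ldapsam expects.
Example code added for illustration; the REQUIRED_* sets are assumptions,
not taken from Samba documentation or from the original mail."""

# Domain SID as it appears in the entries quoted in the mail.
DOMAIN_SID = "S-1-5-21-720590779-4203916555-4014520812"

# Assumed minimum for a workstation trust account on an ldapsam PDC.
REQUIRED_CLASSES = {"posixAccount", "sambaSamAccount"}
REQUIRED_ATTRS = {"uid", "uidNumber", "gidNumber", "sambaSID",
                  "sambaNTPassword", "sambaAcctFlags"}

# Sample entries constructed from the mail's [1], [2] and [4] (trimmed).
WORKING = """\
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: thorin$
uidNumber: 1004
gidNumber: 515
sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
sambaAcctFlags: [W          ]
"""

FROM_USERADD = """\
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
uid: thorin$
uidNumber: 1002
gidNumber: 515
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
sambaAcctFlags: [W          ]
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
"""

FROM_IMPORT = """\
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
uid: thorin$
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
sambaPasswordHistory:
 0000000000000000000000000000000000000000000000000000000000000000
sambaAcctFlags: [W          ]
objectClass: sambaSamAccount
objectClass: account
"""


def parse_ldif(text):
    """Parse a single LDIF entry into {attribute: [values]}.
    Lines starting with a space are LDIF continuations and are folded
    back onto the previous line (as with sambaPasswordHistory above)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def check_machine_account(entry, domain_sid):
    """Return a list of problems (empty if the entry looks complete)."""
    problems = []
    classes = set(entry.get("objectClass", []))
    for cls in sorted(REQUIRED_CLASSES - classes):
        problems.append(f"missing objectClass {cls}")
    for attr in sorted(REQUIRED_ATTRS - set(entry)):
        problems.append(f"missing attribute {attr}")
    sid = entry.get("sambaSID", [""])[0]
    if sid and not sid.startswith(domain_sid + "-"):
        problems.append(f"sambaSID {sid} is not in domain {domain_sid}")
    flags = entry.get("sambaAcctFlags", [""])[0]
    if flags and "W" not in flags:
        problems.append("sambaAcctFlags lacks W (workstation trust account)")
    nt_hash = entry.get("sambaNTPassword", [""])[0]
    if nt_hash and not (len(nt_hash) == 32
                        and all(c in "0123456789abcdefABCDEF" for c in nt_hash)):
        problems.append("sambaNTPassword is not a 32-hex-digit NT hash")
    return problems


def missing_vs_reference(entry, reference):
    """Attributes a known-working reference entry has and this entry lacks."""
    return sorted(set(reference) - set(entry))


if __name__ == "__main__":
    ref = parse_ldif(WORKING)
    for label, text in (("[1]", WORKING), ("[2]", FROM_USERADD), ("[4]", FROM_IMPORT)):
        entry = parse_ldif(text)
        print(label, check_machine_account(entry, DOMAIN_SID) or "ok",
              "| vs reference:", missing_vs_reference(entry, ref) or "nothing missing")
```

Run against the three entries it reports that [2] lacks only sambaNTPassword and that [4] lacks posixAccount, uidNumber and gidNumber, which matches the two error messages quoted in the mail. Pointing it at the output of ldapsearch for a whole ou=Computers subtree is a quick way to audit every machine account after an import instead of discovering the gaps one logon at a time.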
