[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery

Nathan Mahu nmahu at cyanide-studio.com
Thu May 5 06:31:37 MDT 2011


Still no idea?
Does anyone know about sambaNTPassword?
Has no one ever experienced issues doing a seamless migration?


On 02/05/2011 11:50, Nathan Mahu wrote:
> Hello everyone,
>
> I am operating a migration of samba from 3.0.24 (mysql passdb backend) 
> to 3.5.6 (openldap passdb), samba working as a domain controller (PDC) 
> and file share. The main challenge is to provide a seamless migration 
> for users.
> For this new version, I am using smbldap-tools 0.9.6, nss_ldap, 
> openldap 2.4. Everything runs on FreeBSD 8.2.
>
> To get used to samba, I have managed to make samba 3.5 work as a new 
> domain, computers joining it, etc... But since I want a seamless 
> migration, I now try to provide enough information to samba 3.5 to 
> auth users like the old version.
>
> Currently, I can't manage to get machine accounts onto the new domain 
> with the samba root login, without joining the domain through the 
> Windows manual procedure.
> The new domain has the same "netbios name", "workgroup", domain SID and 
> local SID. And now the challenge is to fill accounts (users, but first 
> workstation/machine) into ldap.
> I have copied and pasted every *.tdb file from the old samba to the new: 
> /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ smbpasswd file).
> Moreover, to test everything, I have a computer which has an ethernet 
> interface toward the old working samba, and another one toward the new 
> domain. When I try to switch from the old to the new samba, I shut down 
> the right interface, log out and try to log in with the root login of the 
> new samba (I always wait a few minutes in order to have the new pdc 
> "recognized").
> As I read that someone was able to upgrade his samba seamlessly by 
> shutting down computers & samba (old & new), then starting the new samba 
> and then the computers, I have tried this procedure each time. However, I 
> don't believe it is the problem: logs are the same whether I do the 
> "shutdown/start" procedure or the simple "log out/log in" procedure.
>
> I put at the end of this mail the ldap entries for each step made. 
> First is the reference of a working machine account (achieved by 
> joining the "new" domain manually) [1].
>
> Here are steps I have made:
>
> 1. I'm adding machine account using:
>
> #smbldap-useradd -W machine_account$
>
> Then I provide my machine account the same SID in ldap using:
>
> #pdbedit machine_account$ -U S-1-5-21-720590779-4203916555-4014520812-11343
>
> The result is [2], and I can't log in with it. Logs tell me something 
> like "Workstation machine_account$ doesn't have a password"... Indeed, 
> no sambaNTPassword here!
>
> 2. I want to provide sambaNTPassword manually. Here, no samba command 
> (pdbedit, smbpasswd) provides me a way to do it; the only way I found 
> is to add it directly into LDAP (ldapadd or ldapmodify, ...) [3].
>
> As we could predict, it doesn't work (logging in as root). Since 
> "sambaNTPassword" appears during the manual join procedure, it must be 
> some kind of exchange between the workstation and the PDC.
>
> 3. The second idea is to import the old passdb backend into the new 
> (ldap) using:
>
> #pdbedit -e tdbsam:export.tdb
> on the old PDC, and then on the new PDC:
>
> #pdbedit -i tdbsam:export.tdb
>
> Everything works fine for import/export, giving me [4]. Trying to log 
> in with this fails: "Failed to find UNIX account for thorin$". If I 
> manually add the fields needed for a UNIX account (objectClass: 
> posixAccount, etc...), it fails on a "credentials check fails" (same 
> as step 1 when sambaNTPassword was missing).
>
> CONCLUSION:
> In my opinion, it appears that sambaNTPassword is needed for 
> workstation authentication and can be provided only by joining the 
> domain manually (Computer -> Manage -> etc...).
>
> Ideas are seriously running out; I find very little about 
> sambaNTPassword and particularly about when (during the joining 
> process?), where (is it stored on the workstation? in a samba file? 
> only in the passdb backend?) and why (security reasons I guess, 
> avoiding name spoofing etc...? Not a crucial question).
> Any help would be welcome!
>
>
> REFERENCES LDAP ENTRIES:
>
> [1] Working machine account:
> ------------------------------------------------------------------------------------------- 
>
> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaSamAccount
> cn: thorin$
> uid: thorin$
> uidNumber: 1004
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
> displayName: THORIN$
> sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
> sambaPwdLastSet: 1304080571
> sambaAcctFlags: [W          ]
> ------------------------------------------------------------------------------------------- 
>
>
> [2] Machine account from command #smbldap-useradd -W, with a corrected 
> SID:
> ------------------------------------------------------------------------------------------- 
>
> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
> cn: thorin$
> uid: thorin$
> uidNumber: 1002
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> objectClass: posixAccount
> objectClass: account
> objectClass: sambaSamAccount
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaPwdLastSet: 1304078541
> sambaAcctFlags: [W          ]
> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
> sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
> displayName: thorin$
> sambaDomainName: DOMAIN
> ------------------------------------------------------------------------------------------- 
>
>
> [3] Same as above with a sambaNTPassword field entered through LDIF:
> ------------------------------------------------------------------------------------------- 
>
> // same as above
> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
> ------------------------------------------------------------------------------------------- 
>
>
> [4] Entry from import:
> ------------------------------------------------------------------------------------------- 
>
> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
> uid: thorin$
>
> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
> sambaLogonScript: netlogon.bat
> sambaLogonTime: 0
> sambaLogoffTime: 0
> sambaKickoffTime: 0
> sambaPwdCanChange: 1303228739
> sambaPwdMustChange: 2147483647
> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
> sambaPwdLastSet: 1303228739
> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> sambaAcctFlags: [W          ]
> sambaBadPasswordCount: 0
> sambaBadPasswordTime: 0
>
> objectClass: sambaSamAccount
> objectClass: account
> ------------------------------------------------------------------------------------------- 
>
>

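The three failure modes in the message above (no sambaNTPassword, no posixAccount, and a hash that does not match what the workstation holds) are the kind of thing worth checking in the directory before trying another logon. The following is an added example, not code from the post or from the Samba or smbldap-tools projects: a small LDIF reader and a consistency check for machine-account entries. The rules it applies are taken from the error messages quoted in the thread; the sample LDIF is constructed from the post's entries [1], [2] and [4]. A sambaNTPassword that is present but does not match the workstation's secret (the "credentials check fails" case) cannot be seen from the directory alone, so the check does not claim to catch it.

```python
"""Added example (not code from the post): audit Samba machine-account
entries in LDIF for the structural gaps the mailing-list thread ran into.

Checks mirror the failure messages quoted in the post:
  - no sambaNTPassword          -> "Workstation ... doesn't have a password"
  - no posixAccount / uidNumber -> "Failed to find UNIX account for ..."
  - sambaAcctFlags lacking W    -> not flagged as a workstation account
A hash that is present but wrong ("credentials check fails") is not
visible from the directory, so it is deliberately out of scope here.
"""

import re
from collections import defaultdict

# Attribute names from Samba's sambaSamAccount and posixAccount schemas.
MACHINE_ATTRS = ("sambaSID", "sambaNTPassword", "sambaAcctFlags")
UNIX_ATTRS = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, split entries on
    blank lines, and return one {attr: [values]} dict per entry."""
    unfolded = re.sub(r"\n ", "", text)  # LDIF folds long values with a leading space
    entries, current = [], None
    for line in unfolded.splitlines():
        line = line.rstrip()
        if line.startswith("#"):  # LDIF comment
            continue
        if not line:  # blank line terminates the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            current = defaultdict(list)
        if current is not None:
            current[attr].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries


def check_machine_account(entry):
    """Return a list of problems; an empty list means the entry carries every
    field the PDC needs to look up and authenticate the workstation."""
    problems = []
    uid = entry.get("uid", [""])[0]
    if not uid.endswith("$"):
        problems.append("uid does not end with '$' (machine accounts must)")
    classes = set(entry.get("objectClass", []))
    if "sambaSamAccount" not in classes:
        problems.append("missing objectClass sambaSamAccount")
    if "posixAccount" not in classes:
        problems.append("missing objectClass posixAccount (no UNIX account for Samba to find)")
    problems += [f"missing {a}" for a in UNIX_ATTRS + MACHINE_ATTRS if a not in entry]
    flags = entry.get("sambaAcctFlags", [""])[0]
    if "sambaAcctFlags" in entry and "W" not in flags:
        problems.append("sambaAcctFlags does not contain W (not a workstation account)")
    nt = entry.get("sambaNTPassword", [""])[0]
    if nt and not re.fullmatch(r"[0-9A-Fa-f]{32}", nt):
        problems.append("sambaNTPassword is not a 32-hex-digit NT hash")
    return problems


def audit(ldif_text):
    """Return [(dn, problems), ...] for every entry in the LDIF text."""
    return [(e["dn"][0], check_machine_account(e)) for e in parse_ldif(ldif_text)]


# Constructed sample: the post's entries [1] (manual join), [2]
# (smbldap-useradd -W) and [4] (pdbedit import), values copied from the post.
SAMPLE_LDIF = """\
# [1] working account created by joining the domain from Windows
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: thorin$
uid: thorin$
uidNumber: 1004
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
sambaPwdLastSet: 1304080571
sambaAcctFlags: [W          ]

# [2] created with smbldap-useradd -W, SID corrected with pdbedit
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
uid: thorin$
uidNumber: 1002
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaAcctFlags: [W          ]

# [4] imported with pdbedit -i tdbsam:export.tdb (folded value on purpose)
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
uid: thorin$
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
sambaPasswordHistory: 00000000000000000000000000000000
 00000000000000000000000000000000
sambaAcctFlags: [W          ]
objectClass: sambaSamAccount
objectClass: account
"""

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF):
        print(dn, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
```

Run against an `ldapsearch -LLL` dump of `ou=Computers`, the report separates entries that cannot work at all (entry [2] has no hash, entry [4] has no UNIX identity) from entries that are structurally complete, which narrows the remaining question to whether the stored hash is the one the workstation actually holds.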