[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery

L.P.H. van Belle belle at bazuin.nl
Thu May 5 06:38:11 MDT 2011


Did you update your samba.schema in LDAP and did you reindex your LDAP database?
 
Greetz, 

Louis

>-----Original message-----
>From: nmahu at cyanide-studio.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Nathan Mahu
>Sent: 2011-05-05 14:32
>To: samba at lists.samba.org
>Subject: Re: [Samba] Issue providing seamless migration
>(3.0.24 to 3.5.6) - sambaNTPassword mystery
>
>Still no idea?
>Does anyone know about sambaNTPassword?
>Has no one ever experienced issues doing a seamless migration?
>
>
>On 02/05/2011 11:50, Nathan Mahu wrote:
>> Hello everyone,
>>
>> I am operating a migration of Samba from 3.0.24 (MySQL passdb backend)
>> to 3.5.6 (OpenLDAP passdb), Samba working as a domain controller (PDC)
>> and file share. The main challenge is to provide a seamless migration
>> for users.
>> For this new version, I am using smbldap-tools 0.9.6, nss_ldap and
>> OpenLDAP 2.4. Everything runs on FreeBSD 8.2.
>>
>> To get used to Samba, I have managed to make Samba 3.5 work as a new
>> domain, computers joining it, etc. But since I want a seamless
>> migration, I am now trying to provide enough information to Samba 3.5 to
>> authenticate users as the old version does.
>>
>> Currently, I cannot manage to get machine accounts onto the new domain
>> using the Samba root login without joining the domain through the
>> manual Windows procedure.
>> The new domain has the same "netbios name", "workgroup", domain SID and
>> local SID. The challenge now is to fill accounts (users, but first
>> workstation/machine accounts) into LDAP.
>> I have copied every *.tdb file from the old Samba to the new one:
>> /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ the smbpasswd file).
>> Moreover, to test everything, I have a computer which has one Ethernet
>> interface toward the old working Samba and another one toward the new
>> domain. When I try to switch from the old to the new Samba, I shut down
>> the right interface, log off and try to log on with the root login of the
>> new Samba (I always wait a few minutes in order to have the new PDC
>> "recognized").
>> As I read that someone was able to upgrade his Samba seamlessly by
>> shutting down computers & Samba (old & new), then starting the new Samba,
>> then the computers, I have tried this procedure each time. However, I
>> don't believe it is the problem: the logs are the same whether I do the
>> "shutdown/start" procedure or the simple "log off/log on" procedure.
>>
>> I put at the end of this mail the LDAP entries for each step made.
>> First is the reference of a working machine account (achieved by
>> joining the "new" domain manually) [1].
>>
>> Here are steps I have made:
>>
>> 1. I'm adding the machine account using:
>>
>> #smbldap-useradd -W machine_account$
>>
>> Then I give my machine account the same SID in LDAP using:
>>
>> #pdbedit machine_account$ -U S-1-5-21-720590779-4203916555-4014520812-11343
>>
>> The result is [2], and I can't log on with it. The logs tell me something
>> like "Workstation machine_account$ doesn't have a password"... Indeed,
>> no sambaNTPassword here!
>>
>> 2. I want to provide sambaNTPassword manually. Here, no Samba command
>> (pdbedit, smbpasswd) gives me a way to do it; the only way I found
>> is to add it directly into LDAP (ldapadd or mod, ...) [3].
>>
>> As we could predict, it doesn't work (logging on as root). Since
>> "sambaNTPassword" appears during the manual join procedure, it must be
>> some kind of exchange between the workstation and the PDC.
>>
>> 3. The second idea is to import the old passdb backend into the new
>> one (LDAP) using:
>>
>> #pdbedit -e tdbsam:export.tdb
>>
>> on the old PDC, and then on the new PDC:
>>
>> #pdbedit -i tdbsam:export.tdb
>>
>> Everything works fine for the import/export, giving me [4]. Trying to
>> log on with this fails: "Failed to find UNIX account for thorin$". If I
>> manually add the fields needed for a UNIX account (objectClass:
>> posixAccount, etc.), it fails on a "credentials check fails" (same
>> as step 1 when sambaNTPassword was missing).
>>
>> CONCLUSION:
>> In my opinion, it appears that sambaNTPassword is needed for
>> workstation authentication and can be provided only by joining the
>> domain manually (Computer -> Manage -> etc.).
>>
>> Ideas are seriously running out. I find very little about
>> sambaNTPassword and particularly about when (during the joining
>> process?), where (is it stored on the workstation? in a Samba file?
>> only in the passdb backend?) and why (security reasons I guess,
>> avoiding name spoofing etc.? Not a crucial question).
>> Any help would be welcome!
>>
>>
>> REFERENCES LDAP ENTRIES:
>>
>> [1] Working machine account:
>> ----------------------------------------------------------------------------
>>
>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>> objectClass: top
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: sambaSamAccount
>> cn: thorin$
>> uid: thorin$
>> uidNumber: 1004
>> gidNumber: 515
>> homeDirectory: /dev/null
>> loginShell: /bin/false
>> description: Computer
>> gecos: Computer
>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
>> displayName: THORIN$
>> sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
>> sambaPwdLastSet: 1304080571
>> sambaAcctFlags: [W          ]
>> ----------------------------------------------------------------------------
>>
>>
>> [2] Machine account from command #smbldap-useradd -W, with a corrected SID:
>> ----------------------------------------------------------------------------
>>
>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>> cn: thorin$
>> uid: thorin$
>> uidNumber: 1002
>> gidNumber: 515
>> homeDirectory: /dev/null
>> loginShell: /bin/false
>> description: Computer
>> gecos: Computer
>> objectClass: posixAccount
>> objectClass: account
>> objectClass: sambaSamAccount
>> sambaLogonTime: 0
>> sambaLogoffTime: 2147483647
>> sambaKickoffTime: 2147483647
>> sambaPwdCanChange: 0
>> sambaPwdMustChange: 2147483647
>> sambaPwdLastSet: 1304078541
>> sambaAcctFlags: [W          ]
>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>> sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
>> displayName: thorin$
>> sambaDomainName: DOMAIN
>> ----------------------------------------------------------------------------
>>
>>
>> [3] Same as above with a sambaNTPassword field entered through LDIF:
>> ----------------------------------------------------------------------------
>>
>> // same as above
>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>> ----------------------------------------------------------------------------
>>
>>
>> [4] Entry from import:
>> ----------------------------------------------------------------------------
>>
>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>> uid: thorin$
>>
>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>> sambaLogonScript: netlogon.bat
>> sambaLogonTime: 0
>> sambaLogoffTime: 0
>> sambaKickoffTime: 0
>> sambaPwdCanChange: 1303228739
>> sambaPwdMustChange: 2147483647
>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>> sambaPasswordHistory: 
>> 0000000000000000000000000000000000000000000000000000000000000000
>> sambaPwdLastSet: 1303228739
>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>> sambaAcctFlags: [W          ]
>> sambaBadPasswordCount: 0
>> sambaBadPasswordTime: 0
>>
>> objectClass: sambaSamAccount
>> objectClass: account
>> ----------------------------------------------------------------------------
>>
>>
>
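Added example (not part of the thread, and not Samba's or smbldap-tools' own code), addressing the "what is sambaNTPassword and where does it come from" question in the quoted mail: sambaNTPassword is the NT hash of the account's password, MD4 over the UTF-16LE encoding, stored as 32 upper-case hex digits, and a machine trust account is just such an account whose password is held by the workstation. The script computes that hash, checks a stored value against a candidate in constant time, and emits an LDIF entry with exactly the attributes of entry [1]. It assumes, as the NT4-style convention for a pre-created machine account, that the initial machine password is the lowercase machine name without the trailing `$` (verify this against your Samba version); the base DN, uidNumber and helper names are illustrative. MD4 is implemented in pure Python so the script runs where OpenSSL no longer ships md4.

```python
"""Compute sambaNTPassword values and build a machine trust account LDIF.

Added example, not from the mailing-list thread. Assumption: a freshly
pre-created NT4-style machine account's initial password is the lowercase
machine name without '$'; the workstation replaces it after joining.
"""
import hmac
import struct
import time

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of `data` (pure Python, no OpenSSL legacy provider)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        # Round 1: F, words 0..15 in order, shifts 3 7 11 19
        for i in range(16):
            a = _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 2: G, words 0 4 8 12 1 5 9 13 ..., constant 5A827999
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: H, words 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15, constant 6ED9EBA1
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword form of `password`: MD4(UTF-16LE) as upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def nt_hash_matches(stored_hex: str, candidate: str) -> bool:
    """Constant-time check of a stored sambaNTPassword against a candidate password."""
    return hmac.compare_digest(stored_hex.upper(), nt_hash(candidate))


def machine_account_ldif(name, domain_sid, rid, uid_number, gid_number=515,
                         password=None, base_dn="ou=Computers,dc=domain,dc=com",
                         pwd_last_set=None):
    """LDIF for a machine trust account carrying the attributes of entry [1].

    `password` defaults to the lowercase machine name (assumption: NT4-style
    initial machine password). `base_dn` is illustrative.
    """
    uid = name.lower().rstrip("$") + "$"
    if password is None:
        password = uid[:-1]
    if pwd_last_set is None:
        pwd_last_set = int(time.time())
    attrs = [
        ("dn", f"uid={uid},{base_dn}"),
        ("objectClass", "top"),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "sambaSamAccount"),
        ("cn", uid),
        ("uid", uid),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", "/dev/null"),
        ("loginShell", "/bin/false"),
        ("description", "Computer"),
        ("gecos", "Computer"),
        ("sambaSID", f"{domain_sid}-{rid}"),
        ("displayName", uid.upper()),
        ("sambaNTPassword", nt_hash(password)),
        ("sambaPwdLastSet", str(pwd_last_set)),
        ("sambaAcctFlags", "[W          ]"),  # W = workstation trust account
    ]
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"


if __name__ == "__main__":
    print(machine_account_ldif("thorin", "S-1-5-21-720590779-4203916555-4014520812",
                               1003, 1004, pwd_last_set=1304080571))
```

Feed the output to `ldapadd` (or compare it against entry [2] above) to pre-create an account the workstation can then join with; once the workstation has joined and rotated its secret, the stored hash is of a password only that machine knows, which is why a hash typed in by hand as in [3] can only work if it is the hash of the secret the workstation currently holds.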


