[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery
L.P.H. van Belle
belle at bazuin.nl
Thu May 5 06:38:11 MDT 2011
Did you update your samba.schema in ldap and did you reindex your ldap database?
Greetz,
Louis
>-----Original message-----
>From: nmahu at cyanide-studio.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Nathan Mahu
>Sent: 2011-05-05 14:32
>To: samba at lists.samba.org
>Subject: Re: [Samba] Issue providing seamless migration
>(3.0.24 to 3.5.6) - sambaNTPassword mystery
>
>Still no idea?
>Does anyone know about sambaNTPassword?
>Has no one ever experienced issues doing a seamless migration?
>
>
>On 02/05/2011 11:50, Nathan Mahu wrote:
>> Hello everyone,
>>
>> I am operating a migration of samba from 3.0.24 (mysql passdb backend)
>> to 3.5.6 (openldap passdb), samba working as a domain controller (PDC)
>> and file share. The main challenge is to provide a seamless migration
>> for users.
>> For this new version, I am using smbldap-tools 0.9.6, nss_ldap,
>> openldap 2.4. Everything runs on FreeBSD 8.2.
>>
>> To get used to samba, I have managed to make samba 3.5 work as a new
>> domain, computers joining it, etc... But since I want a seamless
>> migration, I now try to provide enough information to samba 3.5 to
>> auth users like the old version.
>>
>> Currently, I can't manage to have machine accounts which can be on
>> the new domain with the samba root login, without joining the domain
>> through the windows manual procedure.
>> The new domain has the same "netbios name", "workgroup", domain SID,
>> local SID. And now the challenge is to fill accounts (users but first
>> workstation/machine) in ldap.
>> I have copied and pasted every *.tdb file from the old samba to the new:
>> /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ smbpasswd file).
>> Moreover, to test everything, I have a computer which has an ethernet
>> interface toward the old working samba, and another one toward the new
>> domain. When I try to switch from the old to the new samba, I shut down
>> the right interface, log out and try to log in with the root login of the
>> new samba (I always wait a few minutes in order to have the new pdc
>> "recognized").
>> As I read that someone is able to upgrade his samba seamlessly by
>> shutting down computers & samba (old & new), then starting new samba
>> then computers, I have tried each time this procedure. However, I
>> don't believe it is the problem: logs are the same if I do the
>> "shutdown/start" procedure or the simple "unlog/log" procedure.
>>
>> I put at the end of this mail ldap entries for each step made. So
>> first, is the reference of a working machine account (achieved by
>> joining manually the "new" domain) [1].
>>
>> Here are the steps I have made:
>>
>> 1. I'm adding the machine account using:
>>
>> #smbldap-useradd -W machine_account$
>>
>> Then I give my machine account the same SID in ldap using:
>>
>> #pdbedit machine_account$ -U S-1-5-21-720590779-4203916555-4014520812-11343
>>
>> The result is [2], and I can't log in with it. Logs tell me something
>> like "Workstation machine_account$ doesn't have a password"... Indeed,
>> no sambaNTPassword here!
>>
>> 2. I want to manually provide sambaNTPassword. Here, no samba command
>> (pdbedit, smbpasswd) provides me a way to do it, the only way I found
>> is to add it directly into LDAP (ldapadd or mod, ...) [3].
>>
>> As we could predict, it doesn't work (log in as root). Since
>> "sambaNTPassword" comes during the manual join procedure, it must be
>> some kind of exchange between the workstation and the PDC.
>>
>> 3. The second idea is to import the old passdb backend into the new
>> (ldap) using:
>>
>> #pdbedit -e tdbsam:export.tdb
>>
>> on the old PDC, and then on the new PDC:
>>
>> #pdbedit -i tdbsam:export.tdb
>>
>> Everything works fine for import/export, giving me [4]. Trying to log
>> in with this fails: "Failed to find UNIX account for thorin$". If I
>> add manually the fields needed for a UNIX account (objectClass:
>> posixAccount, etc...), it fails on a "credentials check fails" (same
>> as step 1 when sambaNTPassword was missing).
>>
>> CONCLUSION:
>> In my opinion, it appears that sambaNTPassword is needed for
>> workstation authentication and can be provided only by joining the
>> domain manually (Computer -> Manage -> etc...).
>>
>> Ideas are seriously running out, I find very little about
>> sambaNTPassword and particularly about when (during the joining
>> process?), where (is it stored on the workstation? in a samba file?
>> only in the passdb backend?) and why (security reasons I guess,
>> avoiding name spoofing etc...? Not a crucial question).
>> Any help would be welcome!
>>
>>
>> REFERENCES LDAP ENTRIES:
>>
>> [1] Working machine account:
>>
>> -------------------------------------------------------------------------------------------
>>
>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>> objectClass: top
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: sambaSamAccount
>> cn: thorin$
>> uid: thorin$
>> uidNumber: 1004
>> gidNumber: 515
>> homeDirectory: /dev/null
>> loginShell: /bin/false
>> description: Computer
>> gecos: Computer
>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
>> displayName: THORIN$
>> sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
>> sambaPwdLastSet: 1304080571
>> sambaAcctFlags: [W ]
>>
>> -------------------------------------------------------------------------------------------
>>
>>
>> [2] Machine account from command #smbldap-useradd -W, with a corrected
>> SID:
>>
>> -------------------------------------------------------------------------------------------
>>
>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>> cn: thorin$
>> uid: thorin$
>> uidNumber: 1002
>> gidNumber: 515
>> homeDirectory: /dev/null
>> loginShell: /bin/false
>> description: Computer
>> gecos: Computer
>> objectClass: posixAccount
>> objectClass: account
>> objectClass: sambaSamAccount
>> sambaLogonTime: 0
>> sambaLogoffTime: 2147483647
>> sambaKickoffTime: 2147483647
>> sambaPwdCanChange: 0
>> sambaPwdMustChange: 2147483647
>> sambaPwdLastSet: 1304078541
>> sambaAcctFlags: [W ]
>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>> sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
>> displayName: thorin$
>> sambaDomainName: DOMAIN
>>
>> -------------------------------------------------------------------------------------------
>>
>>
>> [3] Same as above with a sambaNTPassword field entered through LDIF:
>>
>> -------------------------------------------------------------------------------------------
>>
>> // same as above
>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>
>> -------------------------------------------------------------------------------------------
>>
>>
>> [4] Entry from import:
>>
>> -------------------------------------------------------------------------------------------
>>
>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>> uid: thorin$
>>
>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>> sambaLogonScript: netlogon.bat
>> sambaLogonTime: 0
>> sambaLogoffTime: 0
>> sambaKickoffTime: 0
>> sambaPwdCanChange: 1303228739
>> sambaPwdMustChange: 2147483647
>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
>> sambaPwdLastSet: 1303228739
>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>> sambaAcctFlags: [W ]
>> sambaBadPasswordCount: 0
>> sambaBadPasswordTime: 0
>>
>> objectClass: sambaSamAccount
>> objectClass: account
>>
>> -------------------------------------------------------------------------------------------
>>
>>
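Added example, not code from this thread, from Samba or from smbldap-tools: a small Python checker that reads an LDIF export of the ou=Computers subtree and flags the conditions behind the errors quoted above (missing posixAccount for "Failed to find UNIX account", missing sambaNTPassword for "doesn't have a password", a sambaSID outside the PDC's domain, a missing workstation flag). The domain SID is the one in the thread's entries; the sample entries are constructed from [2] and [4] and trimmed to the attributes the checks look at.

```python
import re

DOMAIN_SID = "S-1-5-21-720590779-4203916555-4014520812"  # domain SID from the thread's entries
REQUIRED_CLASSES = {"posixAccount", "sambaSamAccount"}
NT_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

def parse_ldif(text):
    """Minimal LDIF reader: a blank line separates entries, a leading space folds a value."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.replace("\n ", "").splitlines():   # unfold continuation lines
            if line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key, []).append(value.strip())
        entries.append(attrs)
    return entries

def check_machine_account(entry):
    problems = []                                            # reasons the PDC would refuse it
    missing = REQUIRED_CLASSES - set(entry.get("objectClass", []))
    if missing:                                              # -> "Failed to find UNIX account"
        problems.append("missing objectClass: " + ", ".join(sorted(missing)))
    if not NT_HASH_RE.match(entry.get("sambaNTPassword", [""])[0]):
        problems.append("no valid sambaNTPassword")          # -> "doesn't have a password"
    if not entry.get("sambaSID", [""])[0].startswith(DOMAIN_SID + "-"):
        problems.append("sambaSID is not in the PDC's domain")
    if "W" not in entry.get("sambaAcctFlags", [""])[0]:
        problems.append("sambaAcctFlags lacks the W (workstation) flag")
    return problems

def audit(ldif_text):
    """One problem list per entry; an empty list means the account should be able to log on."""
    return [check_machine_account(e) for e in parse_ldif(ldif_text)]

# Constructed sample: entry [2] (no NT hash) and entry [4] (no posixAccount) from the thread.
SAMPLE = """\
uid: thorin$
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaAcctFlags: [W ]

uid: thorin$
objectClass: sambaSamAccount
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
sambaAcctFlags: [W ]
"""
```

Run it against `ldapsearch -LLL -b ou=Computers,...` output before switching workstations over; the working entry [1] produces an empty list.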