[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery

Nathan Mahu nmahu at cyanide-studio.com
Thu May 5 10:22:15 MDT 2011


Sum up: still does not work.

Thank you for your attention, Louis.

"After updating the LDAP schema, do not forget to re-index the LDAP 
database." - Some Samba-guide

1. My schema is up to date: since my old PDC wasn't using LDAP (but 
MySQL), the new PDC gave its OpenLDAP a fresh schema (3.5.6).

2. However, I've tried reindexing after changes made through raw LDIF. I 
think indexes are just made to speed up searches in LDAP, but I am so 
desperate that I tested it.
I redid the third procedure described in my original mail: after each 
modification made through LDIF, I have reindexed everything (slapd stop 
- slapindex - slapd start). Nothing new: "credential fail".
By the way, I have never seen any site saying "after an LDIF 
modification, run slapindex".

On 05/05/2011 14:38, L.P.H. van Belle wrote:
> Did you update your samba.schema in LDAP and did you reindex your LDAP database?
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: nmahu at cyanide-studio.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Nathan Mahu
>> Sent: 2011-05-05 14:32
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Issue providing seamless migration
>> (3.0.24 to 3.5.6) - sambaNTPassword mystery
>>
>> Still no idea?
>> Anyone know about sambaNTPassword?
>> No one has ever experienced issues doing a seamless migration?
>>
>>
>> On 02/05/2011 11:50, Nathan Mahu wrote:
>>> Hello everyone,
>>>
>>> I am operating a migration of samba from 3.0.24 (mysql passdb backend)
>>> to 3.5.6 (openldap passdb), samba working as a domain controller (PDC)
>>> and file share. The main challenge is to provide a seamless migration
>>> for users.
>>> For this new version, I am using smbldap-tools 0.9.6, nss_ldap,
>>> openldap 2.4. Everything runs on FreeBSD 8.2.
>>>
>>> To get used to samba, I have managed to make samba 3.5 work as a new
>>> domain, computers joining it, etc... But since I want a seamless
>>> migration, I am now trying to provide enough information to samba 3.5
>>> to authenticate users like the old version did.
>>>
>>> Currently, I cannot get machine accounts onto the new domain using the
>>> samba root login without joining the domain through the Windows manual
>>> procedure.
>>> The new domain has the same "netbios name", "workgroup", domain SID and
>>> local SID. And now the challenge is to fill accounts (users, but first
>>> workstation/machine accounts) in LDAP.
>>> I have copied and pasted every *.tdb file from the old samba to the new:
>>> /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ the smbpasswd file).
>>> Moreover, to test everything, I have a computer which has one ethernet
>>> interface toward the old working samba, and another one toward the new
>>> domain. When I try to switch from the old to the new samba, I shut down
>>> the right interface, log out and try to log in with the root login of
>>> the new samba (I always wait a few minutes in order to have the new PDC
>>> "recognized").
>>> As I read that someone was able to upgrade his samba seamlessly by
>>> shutting down computers & samba (old & new), then starting the new samba
>>> and then the computers, I have tried this procedure each time. However,
>>> I don't believe it is the problem: logs are the same whether I do the
>>> "shutdown/start" procedure or the simple "log out/log in" procedure.
>>>
>>> I put at the end of this mail the LDAP entries for each step made. So
>>> first is the reference of a working machine account (achieved by
>>> joining the "new" domain manually) [1].
>>>
>>> Here are the steps I have made:
>>>
>>> 1. I'm adding the machine account using:
>>>
>>> #smbldap-useradd -W machine_account$
>>>
>>> Then I give my machine account the same SID in LDAP using:
>>>
>>> #pdbedit machine_account$ -U S-1-5-21-720590779-4203916555-4014520812-11343
>>>
>>> The result is [2], and I can't log in with it. Logs tell me something
>>> like "Workstation machine_account$ doesn't have a password"... Indeed,
>>> no sambaNTPassword here!
>>>
>>> 2. I want to manually provide sambaNTPassword. Here, no samba command
>>> (pdbedit, smbpasswd) provides me a way to do it; the only way I found
>>> is to add it directly into LDAP (ldapadd or ldapmodify, ...) [3].
>>>
>>> As we could predict, it doesn't work (logging in as root). Since
>>> "sambaNTPassword" comes during the manual join procedure, it must be
>>> some kind of exchange between the workstation and the PDC.
>>>
>>> 3. The second idea is to import the old passdb backend into the new
>>> (ldap) one using:
>>>
>>> #pdbedit -e tdbsam:export.tdb
>>> on the old PDC, and then on the new PDC:
>>>
>>> #pdbedit -i tdbsam:export.tdb
>>>
>>> Everything works fine for import/export, giving me [4]. Trying to log
>>> in with this fails: "Failed to find UNIX account for thorin$". If I
>>> manually add the fields needed for a UNIX account (objectClass:
>>> posixAccount, etc...), it fails on a "credentials check fails" (same
>>> as step 1 when sambaNTPassword was missing).
>>>
>>> CONCLUSION:
>>> In my opinion, it appears that sambaNTPassword is needed for
>>> workstation authentication and can be provided only by joining the
>>> domain manually (Computer -> Manage -> etc...).
>>>
>>> Ideas are seriously running out; I find very little about
>>> sambaNTPassword and particularly about when (during the joining
>>> process?), where (is it stored on the workstation? in a samba file?
>>> only in the passdb backend?) and why (security reasons I guess,
>>> avoiding name spoofing etc.? Not a crucial question).
>>> Any help would be welcome!
>>>
>>>
>>> REFERENCES LDAP ENTRIES:
>>>
>>> [1] Working machine account:
>>>
>>> ---------------------------------------------------------------------------------------------
>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>> objectClass: top
>>> objectClass: account
>>> objectClass: posixAccount
>>> objectClass: sambaSamAccount
>>> cn: thorin$
>>> uid: thorin$
>>> uidNumber: 1004
>>> gidNumber: 515
>>> homeDirectory: /dev/null
>>> loginShell: /bin/false
>>> description: Computer
>>> gecos: Computer
>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
>>> displayName: THORIN$
>>> sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
>>> sambaPwdLastSet: 1304080571
>>> sambaAcctFlags: [W          ]
>>>
>>> ---------------------------------------------------------------------------------------------
>>>
>>> [2] Machine account from command #smbldap-useradd -W, with a corrected
>>> SID:
>>>
>>> ---------------------------------------------------------------------------------------------
>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>> cn: thorin$
>>> uid: thorin$
>>> uidNumber: 1002
>>> gidNumber: 515
>>> homeDirectory: /dev/null
>>> loginShell: /bin/false
>>> description: Computer
>>> gecos: Computer
>>> objectClass: posixAccount
>>> objectClass: account
>>> objectClass: sambaSamAccount
>>> sambaLogonTime: 0
>>> sambaLogoffTime: 2147483647
>>> sambaKickoffTime: 2147483647
>>> sambaPwdCanChange: 0
>>> sambaPwdMustChange: 2147483647
>>> sambaPwdLastSet: 1304078541
>>> sambaAcctFlags: [W          ]
>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>> sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
>>> displayName: thorin$
>>> sambaDomainName: DOMAIN
>>>
>>> ---------------------------------------------------------------------------------------------
>>>
>>> [3] Same as above with a sambaNTPassword field entered through LDIF:
>>>
>>> ---------------------------------------------------------------------------------------------
>>> // same as above
>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>>
>>> ---------------------------------------------------------------------------------------------
>>>
>>> [4] Entry from import:
>>>
>>> ---------------------------------------------------------------------------------------------
>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>> uid: thorin$
>>>
>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>> sambaLogonScript: netlogon.bat
>>> sambaLogonTime: 0
>>> sambaLogoffTime: 0
>>> sambaKickoffTime: 0
>>> sambaPwdCanChange: 1303228739
>>> sambaPwdMustChange: 2147483647
>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
>>> sambaPwdLastSet: 1303228739
>>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>> sambaAcctFlags: [W          ]
>>> sambaBadPasswordCount: 0
>>> sambaBadPasswordTime: 0
>>>
>>> objectClass: sambaSamAccount
>>> objectClass: account
>>>
>>> ---------------------------------------------------------------------------------------------
>>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
