[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery

L.P.H. van Belle belle at bazuin.nl
Fri May 6 01:32:03 MDT 2011


And I found this:

"When migrating an existing machine account, you also have to invoke
smbldap-useradd -a computername$ after creating the account in order to
allow storing of encrypted password into the sambaNTPassword entry."

Louis


>-----Original message-----
>From: Nathan Mahu [mailto:nmahu at cyanide-studio.com]
>Sent: 2011-05-05 18:22
>To: L.P.H. van Belle
>CC: samba at lists.samba.org
>Subject: Re: [Samba] Issue providing seamless migration
>(3.0.24 to 3.5.6) - sambaNTPassword mystery
>
>Sum up: still does not work.
>
>Thank you for your attention Louis.
>
>"After updating the LDAP schema, do not forget to re-index the LDAP
>database." - Some Samba guide
>
>1. My schema is up to date since my old PDC wasn't using LDAP (but
>mysql); the new PDC gave its OpenLDAP a fresh schema (3.5.6).
>
>2. However, I've tried reindexing after changes made through raw LDIF.
>I think indexes are just made to speed up search in LDAP, but I am so
>desperate that I tested it.
>I remade the third procedure described in my original mail: after each
>modification made through LDIF, I have reindexed everything (slapd stop
>- slapindex - slapd start). Nothing new: "credential fail".
>By the way, I have never seen any site saying "after an ldif
>modification, run slapindex".
>
>On 05/05/2011 14:38, L.P.H. van Belle wrote:
>> Did you update your samba.schema in ldap and did you reindex
>> your ldap database?
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: nmahu at cyanide-studio.com
>>> [mailto:samba-bounces at lists.samba.org] On behalf of Nathan Mahu
>>> Sent: 2011-05-05 14:32
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Issue providing seamless migration
>>> (3.0.24 to 3.5.6) - sambaNTPassword mystery
>>>
>>> Still no idea?
>>> Anyone knows about sambaNTPassword?
>>> No one has ever experienced issues doing a seamless migration?
>>>
>>>
>>> On 02/05/2011 11:50, Nathan Mahu wrote:
>>>> Hello everyone,
>>>>
>>>> I am operating a migration of samba from 3.0.24 (mysql passdb backend)
>>>> to 3.5.6 (openldap passdb), samba working as a domain controller (PDC)
>>>> and file share. The main challenge is to provide a seamless migration
>>>> for users.
>>>> For this new version, I am using smbldap-tools 0.9.6, nss_ldap,
>>>> openldap 2.4. Everything runs on FreeBSD 8.2.
>>>>
>>>> To get used to samba, I have managed to make samba 3.5 work as a new
>>>> domain, computers joining it, etc... But since I want a seamless
>>>> migration, I now try to provide enough information to samba 3.5 to
>>>> auth users like the old version.
>>>>
>>>> Currently, I can't achieve to have machine accounts which can be on
>>>> the new domain with the samba root login, without joining the domain
>>>> through the windows manual procedure.
>>>> The new domain has the same "netbios name", "workgroup", domain SID,
>>>> local SID. And now the challenge is to fill accounts (users but first
>>>> workstation/machine) in ldap.
>>>> I have copied and pasted every *.tdb file from the old samba to the new:
>>>> /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ smbpasswd file).
>>>> Moreover, to test everything, I have a computer which has an ethernet
>>>> interface toward the old working samba, and another one toward the new
>>>> domain. When I try to switch from the old to the new samba, I shut down
>>>> the right interface, log out and try to log in with the root login of the
>>>> new samba (I always wait a few minutes in order to have the new pdc
>>>> "recognized").
>>>> As I read that someone is able to upgrade his samba seamlessly by
>>>> shutting down computers & samba (old & new), then starting new samba
>>>> then computers, I have tried this procedure each time. However, I
>>>> don't believe it is the problem: logs are the same if I do the
>>>> "shutdown/start" procedure or the simple "unlog/log" procedure.
>>>>
>>>> I put at the end of this mail ldap entries for each step made. So
>>>> first is the reference of a working machine account (achieved by
>>>> joining manually the "new" domain) [1].
>>>>
>>>> Here are the steps I have made:
>>>>
>>>> 1. I'm adding the machine account using:
>>>>
>>>> #smbldap-useradd -W machine_account$
>>>>
>>>> Then I provide my machine account the same SID in ldap using:
>>>>
>>>> #pdbedit machine_account$ -U S-1-5-21-720590779-4203916555-4014520812-11343
>>>>
>>>> The result is [2], and I can't log in with it. Logs tell me something
>>>> like "Workstation machine_account$ doesn't have a password"... Indeed,
>>>> no sambaNTPassword here!
>>>>
>>>> 2. I want to manually provide sambaNTPassword. Here, no samba command
>>>> (pdbedit, smbpasswd) provides me a way to do it; the only way I found
>>>> is to add it directly into LDAP (ldapadd or mod, ...) [3].
>>>>
>>>> As we could predict, it doesn't work (log in as root). Since
>>>> "sambaNTPassword" comes during the manual join procedure, it must be
>>>> some kind of exchange between the workstation and the PDC.
>>>>
>>>> 3. The second idea is to import the old passdb backend into the new
>>>> (ldap) using:
>>>>
>>>> #pdbedit -e tdbsam:export.tdb
>>>>
>>>> on the old PDC, and then on the new PDC:
>>>>
>>>> #pdbedit -i tdbsam:export.tdb
>>>>
>>>> Everything works fine for import/export, giving me [4]. Trying to log
>>>> in with this fails: "Failed to find UNIX account for thorin$". If I
>>>> add manually the fields needed for a UNIX account (objectClass:
>>>> posixAccount, etc...), it fails on a "credentials check fails" (same
>>>> as step 1 when sambaNTPassword was missing).
>>>>
>>>> CONCLUSION:
>>>> In my opinion, it appears that sambaNTPassword is needed for
>>>> workstation authentication and can be provided only by joining the
>>>> domain manually (Computer -> Manage -> etc...).
>>>>
>>>> Ideas are seriously running out, I find very little stuff about
>>>> sambaNTPassword and particularly about when (during the joining
>>>> process?), where (is it stored on the workstation? in a samba file?
>>>> only in the passdb backend?) and why (security reasons I guess,
>>>> avoiding name spoofing etc...? Not a crucial question).
>>>> Any help would be welcome!
>>>>
>>>>
>>>> REFERENCES LDAP ENTRIES:
>>>>
>>>> [1] Working machine account:
>>>>
>>>> ---------------------------------------------------------------
>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>> objectClass: top
>>>> objectClass: account
>>>> objectClass: posixAccount
>>>> objectClass: sambaSamAccount
>>>> cn: thorin$
>>>> uid: thorin$
>>>> uidNumber: 1004
>>>> gidNumber: 515
>>>> homeDirectory: /dev/null
>>>> loginShell: /bin/false
>>>> description: Computer
>>>> gecos: Computer
>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
>>>> displayName: THORIN$
>>>> sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
>>>> sambaPwdLastSet: 1304080571
>>>> sambaAcctFlags: [W          ]
>>>>
>>>> ---------------------------------------------------------------
>>>>
>>>> [2] Machine account from command #smbldap-useradd -W, with a corrected
>>>> SID:
>>>>
>>>> ---------------------------------------------------------------
>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>> cn: thorin$
>>>> uid: thorin$
>>>> uidNumber: 1002
>>>> gidNumber: 515
>>>> homeDirectory: /dev/null
>>>> loginShell: /bin/false
>>>> description: Computer
>>>> gecos: Computer
>>>> objectClass: posixAccount
>>>> objectClass: account
>>>> objectClass: sambaSamAccount
>>>> sambaLogonTime: 0
>>>> sambaLogoffTime: 2147483647
>>>> sambaKickoffTime: 2147483647
>>>> sambaPwdCanChange: 0
>>>> sambaPwdMustChange: 2147483647
>>>> sambaPwdLastSet: 1304078541
>>>> sambaAcctFlags: [W          ]
>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>> sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
>>>> displayName: thorin$
>>>> sambaDomainName: DOMAIN
>>>>
>>>> ---------------------------------------------------------------
>>>>
>>>> [3] Same as above with a sambaNTPassword field entered through LDIF:
>>>>
>>>> ---------------------------------------------------------------
>>>> // same as above
>>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>>>
>>>> ---------------------------------------------------------------
>>>>
>>>> [4] Entry from import:
>>>>
>>>> ---------------------------------------------------------------
>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>> uid: thorin$
>>>>
>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>> sambaLogonScript: netlogon.bat
>>>> sambaLogonTime: 0
>>>> sambaLogoffTime: 0
>>>> sambaKickoffTime: 0
>>>> sambaPwdCanChange: 1303228739
>>>> sambaPwdMustChange: 2147483647
>>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>>> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
>>>> sambaPwdLastSet: 1303228739
>>>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>> sambaAcctFlags: [W          ]
>>>> sambaBadPasswordCount: 0
>>>> sambaBadPasswordTime: 0
>>>>
>>>> objectClass: sambaSamAccount
>>>> objectClass: account
>>>>
>>>> ---------------------------------------------------------------
>>>>
>
>
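The two failures Nathan reports map to two missing pieces in the LDAP entry: entry [2] has a posixAccount but no sambaNTPassword ("doesn't have a password"), and entry [4] from the pdbedit import has the NT hash but no posixAccount ("Failed to find UNIX account"). The checker below is an added example, not code from the thread or from smbldap-tools; it assumes single-entry LDIF text with no continuation lines, and its sample entries are constructed from entries [1] and [4] above.

```python
import re
DOMAIN_SID = "S-1-5-21-720590779-4203916555-4014520812"  # domain SID quoted in the thread

# Constructed samples modelled on entries [1] (working) and [4] (pdbedit import).
WORKING_ENTRY = """\
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: thorin$
uidNumber: 1004
gidNumber: 515
sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
sambaAcctFlags: [W          ]
"""
IMPORTED_ENTRY = """\
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
uid: thorin$
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
sambaAcctFlags: [W          ]
objectClass: sambaSamAccount
"""

def parse_ldif(text):
    """Minimal single-entry LDIF parser: 'attr: value' lines, repeated attrs kept in order."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def check_machine_account(entry, domain_sid=DOMAIN_SID):
    """List what a Samba 3 PDC would reject about a machine account entry."""
    first = lambda attr: entry.get(attr, [""])[0]
    classes = set(entry.get("objectClass", []))
    problems = []
    # Step 3's "Failed to find UNIX account": nss_ldap needs a posixAccount.
    if "posixAccount" not in classes or not first("uidNumber") or not first("gidNumber"):
        problems.append("no UNIX account: needs objectClass posixAccount, uidNumber, gidNumber")
    if not first("sambaSID").startswith(domain_sid + "-"):
        problems.append("sambaSID %r is not a RID under domain %s" % (first("sambaSID"), domain_sid))
    # Step 1's "doesn't have a password": the NT hash is 32 uppercase hex digits.
    if not re.fullmatch(r"[0-9A-F]{32}", first("sambaNTPassword")):
        problems.append("sambaNTPassword missing or not a 32-hex-digit NT hash")
    if "W" not in first("sambaAcctFlags"):
        problems.append("sambaAcctFlags lacks the W (workstation) flag")
    return problems
```

Running check_machine_account on an entry exported from the directory before a test logon tells you which of the two failures to expect instead of reading it off the smbd log afterwards.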


