[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery

Nathan Mahu nmahu at cyanide-studio.com
Wed May 11 09:50:50 MDT 2011


I finally solved my problem.
The pdbedit import/export process gave me a sambaNTPassword field with a 
WRONG value... If I ask MySQL for a machine's sambaNTPassword, it is 
different from the one given to the same machine by pdbedit -i 
tdbsam:export.tdb (looking at it in LDAP).
So I imported accounts, added UNIX accounts to my machines, corrected 
some fields and, last but not least, I corrected the sambaNTPassword field.
I should add that I also used to import a "wins.dat" from the old files, 
which should be removed according to the Samba HOWTO [migration]. But in 
my opinion, the trick was the sambaNTPassword, since the logs were saying 
"credentials check fail".

Thank you one more time Louis.




On 06/05/2011 17:02, Nathan Mahu wrote:
> Thank you one more time for your help Louis! But I still fail :-(
>
> ### FIRST ANSWER ###
>
> Back to my first mail, the third step (ldif [3]), I was saying "adding 
> posixAccount object", but I added the "top" object too. That was the 
> idea: comparing a working LDIF with the others and manually tweaking 
> each field.
>
> Concerning "getent passwd", I see every account that has a 
> "posixAccount" object filled in. It works for both automatic & manual 
> addition of the posixAccount part. More precisely, when "posixAccount" 
> is missing, the logs tell me about it; when I add it manually (ldif 
> process), it finds the Unix account.
>
> About "displayName: THORIN$", it is filled in when I manually joined 
> the domain to create the working LDIF. I have tried 2 or 3 times to add 
> it, but honestly, I think a "displayName" is only superficial 
> stuff... Moreover, with a thorin$ account WITHOUT displayName, in the 
> Samba logs requests to LDAP are made with "THORIN$" and acknowledged 
> with "thorin$ found". It uses the cn field; I really don't think 
> displayName is important.
>
> "The [2] ldif looks like a user account". I don't get what makes you 
> think that. However, user accounts and machine accounts are really 
> close in Samba. Cn names have a $ for computers, and each time (for 
> [1] to [3]), it is dn: uid=thorin$,ou=Computers,dc=domain,dc=com, 
> meaning it is in the right OU. Accounts added by smbldap-tools go in 
> the right OU according to whether it is a machine or a user account.
>
> Finally, "smbldap-useradd -wi machine_account$" fails with the 
> following log: "WORKSTATION secure channel requested but not a 
> workstation trust account" [...] "failed to get machine password for 
> account THORIN$ : NT_STATUS_NO_TRUST_SAM_ACCOUNT". Important about 
> this: the LDIF presents the flags as [UX] and not the good old machine 
> flag [W]... I'm not sure the trust account stuff is for a simple 
> workstation but honestly, I haven't read much about it.
>
>
> On 06/05/2011 09:28, L.P.H. van Belle wrote:
>> Hi,
>>
>> Compare the working computer LDIF and the not working LDIF.
>> The import LDIF is missing
>> [2]
>>>>>> objectClass: top
>> I don't know if it's needed, but you can try it.
>>
>> If you do getent passwd on the new Samba server, does it display your 
>> new computer account?
>> Also, I see,
>> in [1]
>> displayName: THORIN$
>>>>>> uidNumber: 1004
>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
>> and [2]
>> displayName: thorin$
>>>>>> uidNumber: 1002
>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>>>> sambaLogonTime: 0
>>>>>> sambaLogoffTime: 2147483647
>>>>>> sambaKickoffTime: 2147483647
>>>>>> sambaPwdCanChange: 0
>>>>>> sambaPwdMustChange: 2147483647
>>>>>> sambaPwdLastSet: 1304078541
>> Make sure of how your computer name (displayName) is written: caps or no caps.
>> I'm trying to narrow down the options here..
>> Also the computer [2] looks like a newly created user, not a computer.
>>
>> Is the new computer in the correct OU?
>> smbldap-useradd --help | grep unit
>> -o    add the user in the organizational unit (relative to the user 
>> suffix. Ex: 'ou=admin,ou=all')
>> ( see user as computer )
>>
>> Also can you try
>> smbldap-useradd -wi machine_account$
>> and report back the results.
>>
>>
>> Louis
>>
>>
>>
>
>
>
>
> On 06/05/2011 09:32, L.P.H. van Belle wrote:
>> And I found this.
>>
>> "When migrating an existing machine account, you also have to invoke
>> smbldap-useradd -a computername$ after creating the account in order to
>> allow storing of encrypted password into the sambaNTPassword entry."
>>
>> Louis
>
> ### SECOND ANSWER ###
>
> I think it is very much like using "smbldap-useradd -W thorin$"... 
> However, I have made some attempts to create the account in two steps, 
> after importing the machine account, after creating it manually with 
> only -w, etc...
>
> It always fails with the "credential checks" wrong.
>
> Moreover, I found this: 
> http://www.mail-archive.com/linux-390@vm.marist.edu/msg30492.html
> It seems it is possible to enter the missing fields (sambaNTPassword) 
> with a simple ldif and make it work. I tried 3 or 4 times with 
> different approaches (import machine account, manual create, etc..). 
> SAME ERROR.
>
> I really don't get it. And there is really a lack of documentation on 
> low level functionality to create some little hacks to be able to 
> perform a seamless migration.
>
>>> -----Original message-----
>>> From: Nathan Mahu [mailto:nmahu at cyanide-studio.com]
>>> Sent: 2011-05-05 18:22
>>> To: L.P.H. van Belle
>>> CC: samba at lists.samba.org
>>> Subject: Re: [Samba] Issue providing seamless migration
>>> (3.0.24 to 3.5.6) - sambaNTPassword mystery
>>>
>>> Sum up: it still doesn't work.
>>>
>>> Thank you for your attention Louis.
>>>
>>> "After updating the LDAP schema, do not forget to re-index the LDAP
>>> database." - Some Samba guide
>>>
>>> 1. My schema is up to date since my old PDC wasn't using LDAP (but
>>> MySQL); the new PDC gave its OpenLDAP a fresh schema (3.5.6).
>>>
>>> 2. However, I've tried reindexing after changes made through raw
>>> LDIF. I think indexes are just made to speed up searches in LDAP, but
>>> I am so desperate that I tested it.
>>> I redid the third procedure described in my original mail: after each
>>> modification made through ldif, I reindexed everything (slapd stop -
>>> slapindex - slapd start). Nothing new: "credential fail".
>>> By the way, I have never seen any site saying "after an ldif
>>> modification, run slapindex".
>>>
>>> On 05/05/2011 14:38, L.P.H. van Belle wrote:
>>>> Did you update your samba.schema in LDAP and did you reindex
>>>> your LDAP database?
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>> -----Original message-----
>>>>> From: nmahu at cyanide-studio.com
>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Nathan Mahu
>>>>> Sent: 2011-05-05 14:32
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Issue providing seamless migration
>>>>> (3.0.24 to 3.5.6) - sambaNTPassword mystery
>>>>>
>>>>> Still no idea?
>>>>> Does anyone know about sambaNTPassword?
>>>>> Has no one ever experienced issues doing a seamless migration?
>>>>>
>>>>>
>>>>> On 02/05/2011 11:50, Nathan Mahu wrote:
>>>>>> Hello everyone,
>>>>>>
>>>>>> I am performing a migration of Samba from 3.0.24 (mysql passdb
>>>>>> backend) to 3.5.6 (openldap passdb), Samba working as a domain
>>>>>> controller (PDC) and file share. The main challenge is to provide a
>>>>>> seamless migration for users.
>>>>>> For this new version, I am using smbldap-tools 0.9.6, nss_ldap,
>>>>>> openldap 2.4. Everything runs on FreeBSD 8.2.
>>>>>>
>>>>>> To get used to Samba, I have managed to make Samba 3.5 work as a
>>>>>> new domain, computers joining it, etc... But since I want a
>>>>>> seamless migration, I now try to provide enough information to
>>>>>> Samba 3.5 to authenticate users like the old version.
>>>>>>
>>>>>> Currently, I can't manage to have machine accounts which can be on
>>>>>> the new domain with the Samba root login, without joining the
>>>>>> domain through the Windows manual procedure.
>>>>>> The new domain has the same "netbios name", "workgroup", domain
>>>>>> SID, local SID. And now the challenge is to fill the accounts
>>>>>> (users, but first workstation/machine) in LDAP.
>>>>>> I have copied and pasted every *.tdb file from the old Samba to
>>>>>> the new: /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+
>>>>>> smbpasswd file).
>>>>>> Moreover, to test everything, I have a computer which has an
>>>>>> ethernet interface toward the old working Samba, and another one
>>>>>> toward the new domain. When I try to switch from the old to the
>>>>>> new Samba, I shut down the right interface, log out and try to log
>>>>>> in with the root login of the new Samba (I always wait a few
>>>>>> minutes in order to have the new PDC "recognized").
>>>>>> As I read that someone was able to upgrade his Samba seamlessly by
>>>>>> shutting down computers & Samba (old & new), then starting the new
>>>>>> Samba, then the computers, I have tried this procedure each time.
>>>>>> However, I don't believe it is the problem: the logs are the same
>>>>>> whether I do the "shutdown/start" procedure or the simple
>>>>>> "logout/login" procedure.
>>>>>>
>>>>>> I put at the end of this mail the LDAP entries for each step made.
>>>>>> So first is the reference of a working machine account (achieved
>>>>>> by joining the "new" domain manually) [1].
>>>>>>
>>>>>> Here are the steps I have made:
>>>>>>
>>>>>> 1. I'm adding the machine account using:
>>>>>>
>>>>>> #smbldap-useradd -W machine_account$
>>>>>>
>>>>>> Then I give my machine account the same SID in LDAP using:
>>>>>>
>>>>>> #pdbedit machine_account$ -U
>>>>>> S-1-5-21-720590779-4203916555-4014520812-11343
>>>>>>
>>>>>> The result is [2], and I can't log in with it. The logs tell me
>>>>>> something like "Workstation machine_account$ doesn't have a
>>>>>> password"... Indeed, no sambaNTPassword here!
>>>>>>
>>>>>> 2. I want to manually provide sambaNTPassword. Here, no Samba
>>>>>> command (pdbedit, smbpasswd) provides me a way to do it; the only
>>>>>> way I found is to add it directly into LDAP (ldapadd or mod,...)
>>>>>> [3].
>>>>>>
>>>>>> As we could predict, it doesn't work (log in as root). Since
>>>>>> "sambaNTPassword" comes during the manual join procedure, it must
>>>>>> be some kind of exchange between the workstation and the PDC.
>>>>>>
>>>>>> 3. The second idea is to import the old passdb backend into the
>>>>>> new one (ldap) using:
>>>>>>
>>>>>> #pdbedit -e tdbsam:export.tdb
>>>>>> on the old PDC, and then on the new PDC:
>>>>>>
>>>>>> #pdbedit -i tdbsam:export.tdb
>>>>>>
>>>>>> Everything works fine for import/export, giving me [4]. Trying to
>>>>>> log in with this fails: "Failed to find UNIX account for thorin$".
>>>>>> If I manually add the fields needed for a UNIX account
>>>>>> (objectClass: posixAccount, etc...), it fails on a "credentials
>>>>>> check fails" (same as step 1 when sambaNTPassword was missing).
>>>>>>
>>>>>> CONCLUSION:
>>>>>> In my opinion, it appears that sambaNTPassword is needed for
>>>>>> workstation authentication and can be provided only by joining the
>>>>>> domain manually (Computer -> Manage -> etc...).
>>>>>>
>>>>>> Ideas are seriously running out; I find very little about
>>>>>> sambaNTPassword and particularly about when (during the joining
>>>>>> process?), where (is it stored on the workstation? in a Samba
>>>>>> file? only in the passdb backend?) and why (security reasons I
>>>>>> guess, avoiding name spoofing etc...? Not a crucial question).
>>>>>> Any help would be welcome!
>>>>>>
>>>>>> REFERENCES LDAP ENTRIES:
>>>>>>
>>>>>> [1] Working machine account:
>>>>>>
>>>>>> ---------------------------------------------------------------------------
>>>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>>>> objectClass: top
>>>>>> objectClass: account
>>>>>> objectClass: posixAccount
>>>>>> objectClass: sambaSamAccount
>>>>>> cn: thorin$
>>>>>> uid: thorin$
>>>>>> uidNumber: 1004
>>>>>> gidNumber: 515
>>>>>> homeDirectory: /dev/null
>>>>>> loginShell: /bin/false
>>>>>> description: Computer
>>>>>> gecos: Computer
>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
>>>>>> displayName: THORIN$
>>>>>> sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
>>>>>> sambaPwdLastSet: 1304080571
>>>>>> sambaAcctFlags: [W          ]
>>>>>>
>>>>>> ---------------------------------------------------------------------------
>>>>>> [2] Machine account from command #smbldap-useradd -W, with a
>>>>>> corrected SID:
>>>>>>
>>>>>> ---------------------------------------------------------------------------
>>>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>>>> cn: thorin$
>>>>>> uid: thorin$
>>>>>> uidNumber: 1002
>>>>>> gidNumber: 515
>>>>>> homeDirectory: /dev/null
>>>>>> loginShell: /bin/false
>>>>>> description: Computer
>>>>>> gecos: Computer
>>>>>> objectClass: posixAccount
>>>>>> objectClass: account
>>>>>> objectClass: sambaSamAccount
>>>>>> sambaLogonTime: 0
>>>>>> sambaLogoffTime: 2147483647
>>>>>> sambaKickoffTime: 2147483647
>>>>>> sambaPwdCanChange: 0
>>>>>> sambaPwdMustChange: 2147483647
>>>>>> sambaPwdLastSet: 1304078541
>>>>>> sambaAcctFlags: [W          ]
>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>>>> sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
>>>>>> displayName: thorin$
>>>>>> sambaDomainName: DOMAIN
>>>>>>
>>>>>> ---------------------------------------------------------------------------
>>>>>> [3] Same as above with a sambaNTPassword field entered through LDIF:
>>>>>> ---------------------------------------------------------------------------
>>>>>> // same as above
>>>>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>>>>>
>>>>>> ---------------------------------------------------------------------------
>>>>>> [4] Entry from import:
>>>>>>
>>>>>> ---------------------------------------------------------------------------
>>>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>>>> uid: thorin$
>>>>>>
>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>>>> sambaLogonScript: netlogon.bat
>>>>>> sambaLogonTime: 0
>>>>>> sambaLogoffTime: 0
>>>>>> sambaKickoffTime: 0
>>>>>> sambaPwdCanChange: 1303228739
>>>>>> sambaPwdMustChange: 2147483647
>>>>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>>>>> sambaPasswordHistory:
>>>>>> 0000000000000000000000000000000000000000000000000000000000000000
>>>>>> sambaPwdLastSet: 1303228739
>>>>>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>>>> sambaAcctFlags: [W          ]
>>>>>> sambaBadPasswordCount: 0
>>>>>> sambaBadPasswordTime: 0
>>>>>>
>>>>>> objectClass: sambaSamAccount
>>>>>> objectClass: account
>>>>>>
>>>>>> ---------------------------------------------------------------------------
>>>>>
>>>
>
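The thread above converges on three separate defects in the migrated machine accounts: an entry without a posixAccount objectClass ("Failed to find UNIX account"), an entry whose sambaAcctFlags say [UX] instead of [W] (NT_STATUS_NO_TRUST_SAM_ACCOUNT), and, the one that finally explained the "credentials check fail", a sambaNTPassword in LDAP that did not match the value held by the old backend. The following script is an added example, not code from the thread or from the Samba project: it compares a dump of the old backend against an ldapsearch-style LDIF from the new PDC and reports exactly those defects per machine account, so the mismatch can be found before anyone tries to log a workstation in. Both LDIF dumps are constructed here for the example; the domain SID is the one quoted in the thread, and the attribute names are Samba's real sambaSamAccount and posixAccount attributes.

```python
# Added example (not from the thread): audit migrated Samba machine accounts
# for the defects discussed above.  Both LDIF dumps are constructed here; in
# practice the first is the old backend (pdbedit -e / mysql dump) and the
# second is `ldapsearch -LLL` output from the new PDC.
import re

DOMAIN_SID = "S-1-5-21-720590779-4203916555-4014520812"   # domain SID from the thread
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")   # sambaNTPassword: 16-byte NT hash, hex

# Constructed: two workstation accounts as held by the old backend.
SOURCE_LDIF = """\
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
uid: thorin$
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaAcctFlags: [W          ]

dn: uid=gimli$,ou=Computers,dc=domain,dc=com
uid: gimli$
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11345
sambaNTPassword: FFEEDDCCBBAA99887766554433221100
sambaAcctFlags: [W          ]
"""

# Constructed: the same accounts after import, carrying the defects seen in
# the thread: thorin$ lacks posixAccount and its hash differs from the
# source; gimli$ was created as a user ([UX]) instead of a workstation ([W]).
LDAP_LDIF = """\
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: account
objectClass: sambaSamAccount
uid: thorin$
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaAcctFlags: [W          ]

dn: uid=gimli$,ou=Computers,dc=domain,dc=com
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: gimli$
uidNumber: 1005
gidNumber: 515
homeDirectory: /dev/null
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11345
sambaNTPassword: FFEEDDCCBBAA99887766554433221100
sambaPasswordHistory: 00000000000000000000000000000000
 00000000000000000000000000000000
sambaAcctFlags: [UX         ]
"""


def parse_ldif(text):
    """LDIF -> {dn: {attribute: [values]}}; unfolds leading-space continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: continuation of previous line
        else:
            lines.append(raw)
    entries, current, dn = {}, {}, None
    for line in lines + [""]:             # the trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")   # base64 '::' values kept verbatim
            if attr == "dn":
                dn = value.strip()
            else:
                current.setdefault(attr, []).append(value.strip())
    return entries


def check_machine_account(entry, source_entry=None):
    """Problems in one machine-account entry, each tagged with the smbd log line the thread saw."""
    problems = []
    if "posixAccount" not in entry.get("objectClass", []):
        problems.append("no posixAccount objectClass -> 'Failed to find UNIX account'")
    flags = entry.get("sambaAcctFlags", [""])[0]
    if "W" not in flags:
        problems.append(f"sambaAcctFlags {flags} lacks W -> NT_STATUS_NO_TRUST_SAM_ACCOUNT")
    sid = entry.get("sambaSID", [""])[0]
    if not sid.startswith(DOMAIN_SID + "-"):
        problems.append(f"sambaSID {sid} is not under the domain SID")
    nthash = entry.get("sambaNTPassword", [""])[0]
    if not HEX32.match(nthash):
        problems.append("sambaNTPassword missing or malformed -> 'doesn't have a password'")
    if source_entry is not None:
        if entry.get("sambaSID") != source_entry.get("sambaSID"):
            problems.append("sambaSID differs from source backend")
        src_hash = source_entry.get("sambaNTPassword", [""])[0]
        if HEX32.match(nthash) and nthash.upper() != src_hash.upper():
            problems.append("sambaNTPassword differs from source backend -> 'credentials check fail'")
    return problems


def audit(source_text, ldap_text):
    """Check every machine account (uid ending in $) of the source dump against LDAP."""
    source, ldap = parse_ldif(source_text), parse_ldif(ldap_text)
    report = {}
    for dn, src in source.items():
        if src.get("uid", [""])[0].endswith("$"):
            report[dn] = (check_machine_account(ldap[dn], src)
                          if dn in ldap else ["account missing from LDAP"])
    return report
```

Run audit() over the real dumps once the import is done and again after fixing each entry; an empty list for every DN means the entry has the UNIX side, the workstation trust flag, a SID under the domain, and the same NT hash the workstation last negotiated with the old PDC. The hash comparison is the check that would have shortened this thread, since a correct-looking 32-hex-digit value gives no hint on its own that it is the wrong one.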