[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery

Nathan Mahu nmahu at cyanide-studio.com
Wed May 18 01:55:22 MDT 2011


I would like to correct myself...
I previously thought that pdbedit was giving me a wrong sambaNTPassword 
during the export/import process. Now I understand what happened. It 
just appears that the sambaNTPassword for a given computer is renewed 
at least each time this computer joins a domain. My problem was that I made 
the export some time ago and since then my test computer has joined some domains.
And for additional details: I can do my seamless migration without 
importing *.tdb files from the old server. I just need to have correct 
accounts (SID and sambaNTPassword) for computers.


On 11/05/2011 17:50, Nathan Mahu wrote:
> I finally solved my problem.
> The pdbedit import/export process gave me a sambaNTPassword field with 
> a WRONG value... If I ask mysql for a machine's sambaNTPassword, it is 
> different from the one given to the same machine by pdbedit -i 
> tdbsam:export.tdb (looking at it in LDAP).
> So I imported accounts, added UNIX accounts to my machine, corrected 
> some fields and last but not least: I corrected the sambaNTPassword 
> field.
> I should specify that, moreover, I used to import from the old file a 
> "wins.dat", which should be removed according to the samba howto 
> [migration]. But in my opinion, the trick was the sambaNTPassword, 
> since logs were saying "credentials check fail".
>
> Thank you one more time Louis.
>
>
>
>
> On 06/05/2011 17:02, Nathan Mahu wrote:
>> Thank you one more time for your help Louis ! But I still fail :-(
>>
>> ### FIRST ANSWER ###
>>
>> Back to my first mail, the third step (ldif [3]): I was saying 
>> "adding posixAccount object", but I added the "top" object too. That 
>> was the idea: comparing a working ldif with the others and manually 
>> tweaking each field.
>>
>> Concerning "getent passwd", I see every account that has a 
>> "posixAccount" object filled. It works for both automatic & manual 
>> adding of the posixAccount part. More precisely, when "posixAccount" 
>> is missing, logs tell me about it; when I add it manually (ldif 
>> process), it finds the Unix account.
>>
>> About "displayName: THORIN$", it is filled when I manually joined the 
>> domain to create the working LDIF. I have tried 2 or 3 times to add 
>> it, but honestly, I think a "displayName" is only a superficial 
>> stuff... Moreover, with a thorin$ account WITHOUT displayName, in 
>> samba logs requests to ldap are made with "THORIN$" and acknowledges 
>> with "thorin$ found". It uses cn field, I really don't think 
>> displayName is important.
>>
>> "The [2] ldif looks like a user account". I don't get what makes you 
>> think that. However, user accounts and machine accounts are really 
>> close in samba. Cn names have a $ for computers, and each time (for 
>> [1] to [3]), it is "dn:
>> uid=thorin$,ou=Computers,dc=domain,dc=com", meaning it is in the 
>> right OU. Accounts added by smbldap-tools go in the right OU 
>> according to whether it is a machine or user account.
>>
>> Finally, "smbldap-useradd -wi machine_account$" fails with the 
>> following log: "WORKSTATION secure channel requested but not a 
>> workstation trust account" [...] "failed to get machine password for 
>> account THORIN$ : NT_STATUS_NO_TRUST_SAM_ACCOUNT". Important about 
>> this: the LDIF presents flags as [UX] and not the good old machine flag 
>> [W]... I'm not sure the trust account stuff is for a simple workstation 
>> but honestly, I haven't read much about it.
>>
>>
>> On 06/05/2011 09:28, L.P.H. van Belle wrote:
>>> Hi,
>>>
>>> compare the working computer ldif and the not working ldif.
>>> the import ldif is missing
>>> [2]
>>>>>>> objectClass: top
>>> i don't know if it's needed, but you can try it.
>>>
>>> if you do getent passwd on the new samba server, does it display 
>>> your new computer account?
>>> Also, I see,
>>> in [1]
>>> displayName: THORIN$
>>>>>>> uidNumber: 1004
>>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
>>> and [2]
>>> displayName: thorin$
>>>>>>> uidNumber: 1002
>>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>>>>> sambaLogonTime: 0
>>>>>>> sambaLogoffTime: 2147483647
>>>>>>> sambaKickoffTime: 2147483647
>>>>>>> sambaPwdCanChange: 0
>>>>>>> sambaPwdMustChange: 2147483647
>>>>>>> sambaPwdLastSet: 1304078541
>>> make sure it matches how your computer name (displayName) is capitalised (caps and no caps).
>>> i'm trying to narrow down the options here..
>>> Also the computer [2] looks like a newly created user, not a computer.
>>>
>>> is the new computer in the correct OU?
>>> smbldap-useradd --help | grep unit
>>> -o    add the user in the organizational unit (relative to the user 
>>> suffix. Ex: 'ou=admin,ou=all')
>>> ( see user as computer )
>>>
>>> also can you try
>>> smbldap-useradd -wi machine_account$
>>> and report back the results.
>>>
>>>
>>> Louis
>>>
>>>
>>>
>>
>>
>>
>>
>> On 06/05/2011 09:32, L.P.H. van Belle wrote:
>>> and i found this.
>>>
>>> "When migrating an existing machine account, you also have to invoke
>>> smbldap-useradd -a computername$ after creating the account in order to
>>> allow storing of encrypted password into the sambaNTPassword entry."
>>>
>>> Louis
>>
>> ### SECOND ANSWER ###
>>
>> I think it is very like using "smbldap-useradd -W thorin$"... However 
>> I have made some tries to create the account in two steps, after importing 
>> the machine account, or after creating it manually with only -w, etc...
>>
>> It always fails with the "credential checks" wrong.
>>
>> Moreover, I found this: 
>> http://www.mail-archive.com/linux-390@vm.marist.edu/msg30492.html
>> It seems it is possible to enter the missing fields (sambaNTPassword) 
>> with a simple ldif and make it work. I tried 3 or 4 times with different 
>> approaches (import machine account, manual create, etc..). SAME ERROR.
>>
>> I really don't get it. And it really lacks some documentation on low 
>> level functionalities to create some little hacks to be able to 
>> proceed with a seamless migration.
>>
>>>> -----Original message-----
>>>> From: Nathan Mahu [mailto:nmahu at cyanide-studio.com]
>>>> Sent: 2011-05-05 18:22
>>>> To: L.P.H. van Belle
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] Issue providing seamless migration
>>>> (3.0.24 to 3.5.6) - sambaNTPassword mystery
>>>>
>>>> To sum up: still not working.
>>>>
>>>> Thank you for your attention Louis.
>>>>
>>>> "After updating the LDAP schema, do not forget to re-index the LDAP
>>>> database." - Some Samba-guide
>>>>
>>>> 1. My schema is up to date since my old PDC wasn't using LDAP (but
>>>> mysql); the new PDC gave its OpenLDAP a fresh schema (3.5.6).
>>>>
>>>> 2. However, I've tried reindexing after changes made through
>>>> raw LDIF. I think indexes are just made to speed up searches in LDAP,
>>>> but I am so desperate that I tested it.
>>>> I remade the third procedure described in my original mail:
>>>> after each modification made through ldif, I have reindexed everything
>>>> (slapd stop - slapindex - slapd start). Nothing new: "credential fail".
>>>> By the way, I have never seen any site saying "after an ldif
>>>> modification, run slapindex".
>>>>
>>>> On 05/05/2011 14:38, L.P.H. van Belle wrote:
>>>>> Did you update your samba.schema in ldap and did you reindex
>>>>> your ldap database?
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>> -----Original message-----
>>>>>> From: nmahu at cyanide-studio.com
>>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Nathan Mahu
>>>>>> Sent: 2011-05-05 14:32
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Issue providing seamless migration
>>>>>> (3.0.24 to 3.5.6) - sambaNTPassword mystery
>>>>>>
>>>>>> Still no idea?
>>>>>> Does anyone know about sambaNTPassword?
>>>>>> Has no one ever experienced issues doing a seamless migration?
>>>>>>
>>>>>>
>>>>>> On 02/05/2011 11:50, Nathan Mahu wrote:
>>>>>>> Hello everyone,
>>>>>>>
>>>>>>> I am operating a migration of samba from 3.0.24 (mysql passdb backend)
>>>>>>> to 3.5.6 (openldap passdb), samba working as a domain controller (PDC)
>>>>>>> and file share. The main challenge is to provide a seamless migration
>>>>>>> for users.
>>>>>>> For this new version, I am using smbldap-tools 0.9.6, nss_ldap,
>>>>>>> openldap 2.4. Everything runs on FreeBSD 8.2.
>>>>>>>
>>>>>>> To get used to samba, I have managed to make samba 3.5 work as a new
>>>>>>> domain, computers joining it, etc... But since I want a seamless
>>>>>>> migration, I now try to provide enough information to samba 3.5 to
>>>>>>> auth users like the old version.
>>>>>>>
>>>>>>> Currently, I can't manage to have machine accounts which can be on
>>>>>>> the new domain with the samba root login, without joining the domain
>>>>>>> through the windows manual procedure.
>>>>>>> The new domain has the same "netbios name", "workgroup", domain SID,
>>>>>>> local SID. And now the challenge is to fill accounts (users but first
>>>>>>> workstation/machine) in ldap.
>>>>>>> I have copied and pasted every *.tdb file from the old samba to the new:
>>>>>>> /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ smbpasswd file).
>>>>>>> Moreover, to test everything, I have a computer which has an ethernet
>>>>>>> interface toward the old working samba, and another one toward the new
>>>>>>> domain. When I try to switch from the old to the new samba, I shut down
>>>>>>> the right interface, log out and try to log in with the root login of the
>>>>>>> new samba (I always wait a few minutes in order to have the new pdc
>>>>>>> "recognized").
>>>>>>> As I read that someone is able to upgrade his samba seamlessly by
>>>>>>> shutting down computers & samba (old & new), then starting new samba
>>>>>>> then computers, I have tried this procedure each time. However, I
>>>>>>> don't believe it is the problem: logs are the same if I do the
>>>>>>> "shutdown/start" procedure or the simple "logout/login" procedure.
>>>>>>>
>>>>>>> I put at the end of this mail ldap entries for each step made. So
>>>>>>> first, is the reference of a working machine account (achieved by
>>>>>>> joining manually the "new" domain) [1].
>>>>>>>
>>>>>>> Here are steps I have made:
>>>>>>>
>>>>>>> 1. I'm adding the machine account using:
>>>>>>>
>>>>>>> #smbldap-useradd -W machine_account$
>>>>>>>
>>>>>>> Then I give my machine account the same SID in ldap using:
>>>>>>>
>>>>>>> #pdbedit machine_account$ -U
>>>>>>> S-1-5-21-720590779-4203916555-4014520812-11343
>>>>>>>
>>>>>>> The result is [2], and I can't log in with it. Logs tell me something
>>>>>>> like "Workstation machine_account$ doesn't have a password"... Indeed,
>>>>>>> no sambaNTPassword here!
>>>>>>>
>>>>>>> 2. I want to manually provide sambaNTPassword. Here, no samba command
>>>>>>> (pdbedit, smbpasswd) provides me a way to do it; the only way I found
>>>>>>> is to add it directly into LDAP (ldapadd or mod,...) [3].
>>>>>>>
>>>>>>> As we could predict, it doesn't work (log as root). Since
>>>>>>> "sambaNTPassword" comes during the manual join procedure, it must be
>>>>>>> some kind of exchange between the workstation and the PDC.
>>>>>>>
>>>>>>> 3. The second idea is to import the old passdb backend into the new
>>>>>>> (ldap) using:
>>>>>>>
>>>>>>> #pdbedit -e tdbsam:export.tdb
>>>>>>> on the old PDC, and then on the new PDC:
>>>>>>>
>>>>>>> #pdbedit -i tdbsam:export.tdb
>>>>>>>
>>>>>>> Everything works fine for import/export, giving me [4]. Trying to log
>>>>>>> in with this fails: "Failed to find UNIX account for thorin$". If I
>>>>>>> manually add the fields needed for a UNIX account (objectClass:
>>>>>>> posixAccount, etc...), it fails on a "credentials check fails" (same
>>>>>>> as step 1 when sambaNTPassword was missing).
>>>>>>>
>>>>>>> CONCLUSION:
>>>>>>> In my opinion, it appears that sambaNTPassword is needed for
>>>>>>> workstation authentication and can be provided only by joining the
>>>>>>> domain manually (Computer -> Manage -> etc...).
>>>>>>>
>>>>>>> Ideas are seriously running out; I find very little about
>>>>>>> sambaNTPassword and particularly about when (during the joining
>>>>>>> process?), where (is it stored on the workstation? in a samba file?
>>>>>>> only in the passdb backend?) and why (security reasons I guess,
>>>>>>> avoiding name spoofing etc...? Not a crucial question).
>>>>>>> Any help would be welcome!
>>>>>>>
>>>>>>> REFERENCES LDAP ENTRIES:
>>>>>>>
>>>>>>> [1] Working machine account:
>>>>>>>
>>>>>>> ---------------------------------------------------------------------------
>>>>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>>>>> objectClass: top
>>>>>>> objectClass: account
>>>>>>> objectClass: posixAccount
>>>>>>> objectClass: sambaSamAccount
>>>>>>> cn: thorin$
>>>>>>> uid: thorin$
>>>>>>> uidNumber: 1004
>>>>>>> gidNumber: 515
>>>>>>> homeDirectory: /dev/null
>>>>>>> loginShell: /bin/false
>>>>>>> description: Computer
>>>>>>> gecos: Computer
>>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
>>>>>>> displayName: THORIN$
>>>>>>> sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
>>>>>>> sambaPwdLastSet: 1304080571
>>>>>>> sambaAcctFlags: [W          ]
>>>>>>>
>>>>>>> ---------------------------------------------------------------------------
>>>>>>> [2] Machine account from command #smbldap-useradd -W, with a
>>>>>>> corrected SID:
>>>>>>>
>>>>>>> ---------------------------------------------------------------------------
>>>>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>>>>> cn: thorin$
>>>>>>> uid: thorin$
>>>>>>> uidNumber: 1002
>>>>>>> gidNumber: 515
>>>>>>> homeDirectory: /dev/null
>>>>>>> loginShell: /bin/false
>>>>>>> description: Computer
>>>>>>> gecos: Computer
>>>>>>> objectClass: posixAccount
>>>>>>> objectClass: account
>>>>>>> objectClass: sambaSamAccount
>>>>>>> sambaLogonTime: 0
>>>>>>> sambaLogoffTime: 2147483647
>>>>>>> sambaKickoffTime: 2147483647
>>>>>>> sambaPwdCanChange: 0
>>>>>>> sambaPwdMustChange: 2147483647
>>>>>>> sambaPwdLastSet: 1304078541
>>>>>>> sambaAcctFlags: [W          ]
>>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>>>>> sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
>>>>>>> displayName: thorin$
>>>>>>> sambaDomainName: DOMAIN
>>>>>>>
>>>>>>> ---------------------------------------------------------------------------
>>>>>>> [3] Same as above with a sambaNTPassword field entered through LDIF:
>>>>>>> ---------------------------------------------------------------------------
>>>>>>> // same as above
>>>>>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>>>>>>
>>>>>>> ---------------------------------------------------------------------------
>>>>>>> [4] Entry from import:
>>>>>>>
>>>>>>> ---------------------------------------------------------------------------
>>>>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>>>>> uid: thorin$
>>>>>>>
>>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>>>>> sambaLogonScript: netlogon.bat
>>>>>>> sambaLogonTime: 0
>>>>>>> sambaLogoffTime: 0
>>>>>>> sambaKickoffTime: 0
>>>>>>> sambaPwdCanChange: 1303228739
>>>>>>> sambaPwdMustChange: 2147483647
>>>>>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>>>>>> sambaPasswordHistory:
>>>>>>> 0000000000000000000000000000000000000000000000000000000000000000
>>>>>>> sambaPwdLastSet: 1303228739
>>>>>>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>>>>> sambaAcctFlags: [W          ]
>>>>>>> sambaBadPasswordCount: 0
>>>>>>> sambaBadPasswordTime: 0
>>>>>>>
>>>>>>> objectClass: sambaSamAccount
>>>>>>> objectClass: account
>>>>>>>
>>>>>>> ---------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>
>>
>
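The checks the thread converges on (objectClass: top and posixAccount for the UNIX account, a sambaNTPassword value, the [W] workstation flag) as an added script that is not part of the thread or of Samba: it parses simple LDIF and reports what a migrated machine-account entry lacks compared with the working entry [1]. The sample entries and hash value are constructed; the script cannot tell whether the hash matches what the workstation currently holds, which is what changes at each domain join.

```python
import re

# Constructed sample LDIF modelled on the thread's [2] (smbldap-useradd -W, no
# sambaNTPassword) and [4] (pdbedit import, no posixAccount); values are made up.
SAMPLE_LDIF = """\
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
uid: thorin$
sambaAcctFlags: [W          ]

dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: sambaSamAccount
objectClass: account
uid: thorin$
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaAcctFlags: [W          ]
"""

# objectClasses carried by the working, manually joined entry [1]
REQUIRED_CLASSES = {"top", "account", "posixAccount", "sambaSamAccount"}

def parse_ldif(text):
    """Split simple (unfolded, non-base64) LDIF into attr -> [values] dicts."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():          # a blank line terminates an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    return entries

def check_machine_account(entry):
    """List what keeps this entry from looking like the working entry [1]."""
    first = lambda a: entry.get(a, [""])[0]
    problems = []
    missing = REQUIRED_CLASSES - set(entry.get("objectClass", []))
    if missing:   # no posixAccount -> "Failed to find UNIX account for thorin$"
        problems.append("missing objectClass: " + ", ".join(sorted(missing)))
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", first("sambaNTPassword")):
        problems.append("sambaNTPassword missing or not a 32-hex NT hash")
    if "W" not in first("sambaAcctFlags"):
        problems.append("sambaAcctFlags lacks W (workstation trust account)")
    return problems

def audit(text):
    return {i: check_machine_account(e) for i, e in enumerate(parse_ldif(text))}
```

Run audit() over an ldapsearch -LLL dump of ou=Computers before testing a login; an empty problem list for an entry means only the hash value itself remains to be confirmed against the workstation.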


