[Samba] Changing administrator password after Samba4 classic upgrade

Mario Codeniera mario.codeniera at gmail.com
Thu Dec 20 02:55:03 MST 2012


I upgraded Samba 3 to Samba 4 almost successfully, with one problem: the
administrator can't get access. The administrator is, by default, the only
user account that is given full control over the system.

My query is: how do I change the administrator password? We have one account
which can join the Samba 4 AD based on the migrated data, but the problem is
that it can't change the administrator or alter the domain.

At first, I got a problem with the groups 'Everyone' and 'root', which I then deleted.

[root@gaara ambot]# /usr/local/samba/bin/samba-tool domain classicupgrade
--dbdir=/srv/LiveData/var_lib_samba/samba --use-xattrs=yes
--dns-backend=SAMBA_INTERNAL --realm=kazekage.sura.sandbox.local
/srv/smb.conf
Reading smb.conf
WARNING: Ignoring invalid value 'cups' for parameter 'printing'
Provisioning
Exporting account policy
Exporting groups
Ignoring group 'Everyone' S-1-1-0 listed but then not found: Unable to
enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Exporting users
  Demoting BDC account trust for naruto-konoha11, this DC must be elevated
to an AD DC using 'samba-tool domain promote'
  Demoting BDC account trust for naruto-kiri4y, this DC must be elevated to
an AD DC using 'samba-tool domain promote'
Ignoring group memberships of 'root'
S-1-5-21-1511653421-423844657-761698953-1000: Unable to enumerate group
memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
  Skipping wellknown rid=501 (for username=nobody)
  Demoting BDC account trust for naruto-kiri, this DC must be elevated to
an AD DC using 'samba-tool domain promote'
Next rid = 105011
- (just remove the description message)
-
Importing groups
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
Group already exists sid=S-1-5-32-544, groupname=Administrators
existing_groupname=Administrators, Ignoring.
Group already exists sid=S-1-5-32-546, groupname=Guests
existing_groupname=Guests, Ignoring.
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 879, in upgrade_from_samba3
    add_group_from_mapping_entry(result.samdb, g, logger)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 264, in add_group_from_mapping_entry
    str(groupmap.sid), groupmap.nt_name, msg[0]['sAMAccountName'][0])

After that I re-ran the classic upgrade and found out that the administrator
SID was wrong, so I modified it to xxx-500, where xxx is the domain SID, and
modified the group Administrators because there were other domain SIDs.

- (remove the description, displaying only the last part)
-
Importing idmap database
Importing groups
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
Group already exists sid=S-1-5-32-544, groupname=Administrators
existing_groupname=Administrators, Ignoring.
Group already exists sid=S-1-5-32-545, groupname=Users
existing_groupname=Users, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513,
groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Importing users
User 'Administrator' in your existing directory has SID
S-1-5-21-1511653421-423844657-761698953-20001, expected it to be
S-1-5-21-1511653421-423844657-761698953-500
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: User 'Administrator' in your existing directory does not
have SID ending in -500
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 889, in upgrade_from_samba3
    raise ProvisioningError("User 'Administrator' in your existing
directory does not have SID ending in -500")


Finally I got this with no errors, but again the administrator can't log in,
even using kinit. As mentioned above, I logged in as another user in
Windows 7, ran the Windows Remote Administration Tools, and was able to check
that the data was successfully migrated, including the administrator (but the
problem is that it was changed during the upgrade), and this is what I
observed in the log; see the highlighted parts.
And every time I run samba-tool domain classicupgrade, the Admin
password: (see the other highlighted parts below) has different values (
>0ngHrG~IIMHZ>DhNIP    YOU<AKoN~+wPZ!Am *  * SXJ96re1=zYO* *respectively).

[root@gaara ambot]# /usr/local/samba/bin/samba-tool domain classicupgrade
--dbdir=/srv/LiveData/var_lib_samba/samba --use-xattrs=yes
--dns-backend=SAMBA_INTERNAL --realm=kazekage.sura.sandbox.local
/srv/smb.conf
Reading smb.conf
WARNING: Ignoring invalid value 'cups' for parameter 'printing'
Provisioning
Exporting account policy
Exporting groups
Exporting users
  Demoting BDC account trust for naruto-konoha1, this DC must be elevated
to an AD DC using 'samba-tool domain promote'
  Skipping wellknown rid=500 (for username=administrator)
  Demoting BDC account trust for naruto-kiri, this DC must be elevated to
an AD DC using 'samba-tool domain promote'
Next rid = 105011
Exporting posix attributes
Reading WINS database
Cannot open wins database, Ignoring: [Errno 2] No such file or directory:
'/srv/LiveData/var_lib_samba/samba/wins.dat'
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=kazekage,DC=sura,DC=sandbox,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting acl on sysvol skipped
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=kazekage,DC=sura,DC=sandbox,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Admin password:        SXJ96re1=zYO
Server Role:           active directory domain controller
Hostname:              gaara
NetBIOS Domain:        KAZEKAGE
DNS Domain:            kazekage.sura.sandbox.local
DOMAIN SID:            S-1-5-21-1511653421-423844657-761698953
Importing WINS database
Importing Account policy
Importing idmap database
Importing groups
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
Group already exists sid=S-1-5-32-545, groupname=Users
existing_groupname=Users, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513,
groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Importing users
Adding users to groups

Thank you, I hope someone can give insights on it.
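
Added example, not part of the original post and not Samba's own code: a small checker that reads classicupgrade output like the logs above and reports the well-known-RID findings (the Administrator SID that does not end in -500, skipped well-known RIDs, and uncaught errors). The sample log is constructed from lines quoted in the post; the function names are hypothetical.

```python
import re

# Constructed sample modelled on the classicupgrade output quoted in the post,
# wrapped across lines the way the mail archive wrapped it.
SAMPLE_LOG = """\
Exporting users
  Skipping wellknown rid=501 (for username=nobody)
Importing users
User 'Administrator' in your existing directory has SID
S-1-5-21-1511653421-423844657-761698953-20001, expected it to be
S-1-5-21-1511653421-423844657-761698953-500
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: User 'Administrator' in your existing directory does not
have SID ending in -500
"""

SID = r"S-\d+(?:-\d+)+"
MISMATCH = re.compile(
    r"User '(?P<user>[^']+)' in your existing directory has SID "
    rf"(?P<actual>{SID}), expected it to be (?P<expected>{SID})")
SKIPPED = re.compile(r"Skipping wellknown rid=(\d+) \(for username=([^)]+)\)")
ERROR = re.compile(r"^ERROR\(([^)]*)\)", re.M)


def split_sid(sid):
    """Split a SID string into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def analyse(log_text):
    """Summarise SID mismatches, skipped well-known RIDs and errors."""
    flat = " ".join(log_text.split())  # undo line wrapping before matching
    mismatches = []
    for m in MISMATCH.finditer(flat):
        actual_dom, actual_rid = split_sid(m["actual"])
        expected_dom, expected_rid = split_sid(m["expected"])
        mismatches.append({
            "user": m["user"],
            "actual_rid": actual_rid,
            "expected_rid": expected_rid,
            "same_domain": actual_dom == expected_dom,
        })
    skipped = {int(rid): user for rid, user in SKIPPED.findall(flat)}
    return {"mismatches": mismatches, "skipped": skipped,
            "errors": ERROR.findall(log_text)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```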

