[Samba] [PATCH] Re: Changing administrator password after Samba4 classic upgrade

Mario Codeniera mario.codeniera at gmail.com
Thu Jan 3 18:09:06 MST 2013


Thanks so much Andrew, it is working fine.

But when I try to reinstall and recompile without removing the 'root'
account from the OpenLDAP, it doesn't have an error (just out of
curiosity), and the root account password is also the administrator
password after migration.

I am in the process of connecting it to the real machine which was previously
connected with the DC-Samba3; there seems to be some problem, but I have
to re-investigate it, the cause may be DNS et al. I don't want to
re-connect (re-establish) it to the Samba4, because I retain the SID of Samba4
from Samba3.

I used to connect a new machine, but machines after migration (samba3
machines) are at first able to connect because you are able to log in. But after
that you aren't able to see it; I even tried the administration tools. Again, as
said in the previous paragraph, this needs checking for other causes.




On Sat, Dec 22, 2012 at 2:55 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Thu, 2012-12-20 at 22:55 +1300, Mario Codeniera wrote:
> > I used to upgrade samba3 to samba4 with almost successful with one problem,
> > administrator can't access. As administrator, by default it is the only
> > user account that is given full control over the system.
> >
> > My query is how to change the administrator password? we have one account
> > which can join to the samba 4 AD based on the migrated data but the problem
> > can't change the administrator or can't alter the domain.
>
> > After that re-run the classic upgrade, and found out that the administrator
> > SID was wrong and modified to xxx-500 where xxx domain SID and modified
> > group Administrators because there are other domain SIDs.
> >
> > *- (remove the description, displaying only the last part)
> > -
> > Importing idmap database
> > Importing groups
> > Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
> > groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> > Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
> > groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> > Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
> > groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
> > Group already exists sid=S-1-5-32-544, groupname=Administrators
> > existing_groupname=Administrators, Ignoring.
> > Group already exists sid=S-1-5-32-545, groupname=Users
> > existing_groupname=Users, Ignoring.
> > Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513,
> > groupname=Domain Users existing_groupname=Domain Users, Ignoring.
> > Importing users
> > User 'Administrator' in your existing directory has SID
> > S-1-5-21-1511653421-423844657-761698953-20001, expected it to be
> > S-1-5-21-1511653421-423844657-761698953-500
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> > ProvisioningError: User 'Administrator' in your existing directory does not
> > have SID ending in -500
> >   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> > line 175, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> > line 1318, in run
> >     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> >   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> > line 889, in upgrade_from_samba3
> >     raise ProvisioningError("User 'Administrator' in your existing
> > directory does not have SID ending in -500")*
> >
> >
> > Finally got this with no errors, but again the administrator can't login
> > even using the kinit. As mentioned above I used to login other user in
> > Windows 7 and run the Windows Remote Administration Tools and able to check
> > the data is successfully migrated including administrator (but the problem
> > it was changed during upgrading) and I observed in the log see highlighted.
> > And every time I run the samba-tool domain classicupgrade, the Admin
> > password: (see other highlighted below) have different values (
> > >0ngHrG~IIMHZ>DhNIP    YOU<AKoN~+wPZ!Am *  * SXJ96re1=zYO*
> > *respectively).
>
> This is interesting, as at one point we had logic to not show these
> unused passwords.
>
> I've attached a patch that should do this, let me know if it makes the
> output (which I agree is very, very verbose) clearer.
>
> > *
> > [root at gaara ambot]# /usr/local/samba/bin/samba-tool domain classicupgrade
> > --dbdir=/srv/LiveData/var_lib_samba/samba --use-xattrs=yes
> > --dns-backend=SAMBA_INTERNAL --realm=kazekage.sura.sandbox.local
> > /srv/smb.conf
> > Reading smb.conf
>
> What it should have said was 'using the existing admin password of user
> root/administrator'.  So, try the old password, but if neither the old
> password nor the generated one works, you can reset it using 'samba-tool
> user setpassword administrator'
>
> > Thank you, hope someone can give insights on it.
>
> Thanks for your patience with this.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>

