[Samba] Synchronization problems between Win2k8R2 and samba

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 3 04:56:20 MST 2015

On 03/03/15 11:11, Jean-François Morcillo wrote:
> Hello,
> I have a small test network with a Win2k8R2 DC.
> I've added a samba4 as second DC in this network.
> The join seems to run smoothly.
> But, after the join, this command: ldapsearch -LLL -x -H
> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi  -b
> "dc=test,dc=dom"  "(SAMAccountName=Administrateur)"
> returns some strange results:
> - some attributes like unicodePwd and supplementalCredentials are missing
> - lots of attributes are base64 encoded, example:
>      description:: Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=
> (for information python
> base64.decodestring('Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=')
> gives 'Compte d\xe2\x80\x99utilisateur d\xe2\x80\x99administration')
> On the 4 tests I did, I always get the same result.
> Is that normal or is something going wrong?
> Regards

OK, quite normal, you are dealing with AD now, not OpenLDAP, you could 
try the ldbtools instead:

ldbsearch -H ldap://dc01.example.com -b "DC=example,DC=com" -s sub "(SAMAccountName=Administrator)" -UAdministrator
Password for [example\Administrator]:
# record 1
dn: CN=Administrator,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20140812094102.0Z
uSNCreated: 3545
name: Administrator
objectGUID: cec3979c-c005-4047-a5bf-161eb3a1af97
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130523100620000000
primaryGroupID: 513
objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
adminCount: 1
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
userAccountControl: 66048
accountExpires: 0
whenChanged: 20140812105552.0Z
uSNChanged: 3774
distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com

But there are still missing attributes, this is again by design, you 
could try adding the attribute you want:

ldbsearch -H ldap://dc01.example.com -b "DC=example,DC=com" -s sub "(SAMAccountName=Administrator)" unicodePwd -UAdministrator
Password for [example\Administrator]:
# record 1
dn: CN=Administrator,CN=Users,DC=example,DC=com

Hmm, still not there, you could try running this on the DC, but you 
would still get the same result, you need to run the command on the DC 
*and* use the path to the ldb file:

ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s sub "(SAMAccountName=Administrator)" unicodePwd -UAdministrator
# record 1
dn: CN=Administrator,CN=Users,DC=example,DC=com

Not that it gets you anywhere, you would now have to crack the password 
(and no, that is not a real password)

What I am trying to say is, there are attributes in AD that you need to 
explicitly ask for, some of which you cannot read anyway. Passwords on 
AD need to be changed over port 636 (SSL).
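As an added illustration (not part of the thread, and not Samba's own code), here is a small Python parser for the LDIF that ldapsearch prints. It applies the RFC 2849 rules behind the "strange" output above: a `::` separator marks a base64-encoded value (used whenever the value is not safe ASCII, such as the UTF-8 apostrophes in the French description), a line starting with a space continues the previous line, and it reports which password-bearing attributes the DC withheld. The sample record is constructed to mirror the one in the question.

```python
import base64
from collections import defaultdict

# Constructed LDIF sample modelled on the thread: a base64 ("::") value for a
# description containing non-ASCII characters, a wrapped continuation line,
# and no unicodePwd/supplementalCredentials because the DC does not return them.
SAMPLE_LDIF = """\
# record 1
dn: CN=Administrateur,CN=Users,DC=test,DC=dom
objectClass: top
objectClass: user
sAMAccountName: Administrateur
description:: Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=
memberOf: CN=Domain Admins,CN=Users,
 DC=test,DC=dom
"""

# Attributes that hold password material; AD never hands these out over LDAP.
SECRET_ATTRIBUTES = {"unicodePwd", "supplementalCredentials"}


def parse_ldif_record(text):
    """Parse one LDIF record into {attribute: [values]} (RFC 2849 subset)."""
    # Unfold continuation lines and drop comments/blank lines first.
    logical = []
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)

    record = defaultdict(list)
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if rest.startswith(":"):
            # "attr:: base64" -> decode the bytes, then UTF-8 (AD stores text as UTF-8)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        record[name].append(value)
    return dict(record)


def missing_secret_attributes(record):
    """Return the password-bearing attributes absent from a parsed record."""
    return sorted(SECRET_ATTRIBUTES - set(record))
```

Running `parse_ldif_record(SAMPLE_LDIF)` yields the description as readable text ("Compte d’utilisateur d’administration") and `missing_secret_attributes` lists both withheld attributes, which is exactly the behaviour described above.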
