[Samba] Synchronization problems between Win2k8R2 and samba

Jean-François Morcillo jfmorcillo at mandriva.com
Wed Mar 4 01:45:21 MST 2015


Le 03/03/2015 12:56, Rowland Penny a écrit :
> On 03/03/15 11:11, Jean-François Morcillo wrote:
>> Hello,
>>
>> I have a small test network with a Win2k8R2 DC.
>>
>> I've added a samba4 as second DC in this network.
>> The join seems to run smoothly.
>>
>> But, after the join, this command: ldapsearch -LLL -x -H
>> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi  -b
>> "dc=test,dc=dom"  "(SAMAccountName=Administrateur)"
>> returns some strange results:
>> – some attributes like unicodePwd and supplementalCredentials are
>> missing
>> – lots of attributes are base64 encoded, example:
>>      – description:: Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=
>> (for information python
>> base64.decodestring('Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=')
>>
>> gives 'Compte d\xe2\x80\x99utilisateur d\xe2\x80\x99administration')
>>
>> On the 4 tests I did, I always get the same result.
>> Is that normal or is something going wrong?
>>
>> Regards
>
> OK, quite normal, you are dealing with AD now, not OpenLDAP; you could
> try the ldb tools instead:
>
> ldbsearch -H ldap://dc01.example.com -b "DC=example,DC=com" -s sub
> "(SAMAccountName=Administrator)" -UAdministrator
> Password for [example\Administrator]:
> # record 1
> dn: CN=Administrator,CN=Users,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Administrator
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20140812094102.0Z
> uSNCreated: 3545
> name: Administrator
> objectGUID: cec3979c-c005-4047-a5bf-161eb3a1af97
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 130523100620000000
> primaryGroupID: 513
> objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
> adminCount: 1
> logonCount: 0
> sAMAccountName: Administrator
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> isCriticalSystemObject: TRUE
> memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
> memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
> memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
> userAccountControl: 66048
> accountExpires: 0
> whenChanged: 20140812105552.0Z
> uSNChanged: 3774
> distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com
>
> But there are still missing attributes, this is again by design, you
> could try adding the attribute you want:
>
> ldbsearch -H ldap://dc01.example.com -b "DC=example,DC=com" -s sub
> "(SAMAccountName=Administrator)" unicodePwd -UAdministrator
> Password for [example\Administrator]:
> # record 1
> dn: CN=Administrator,CN=Users,DC=example,DC=com
>
> Hmm, still not there, you could try running this on the DC, but you
> would still get the same result, you need to run the command on the DC
> *and* use the path to the ldb file:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s
> sub "(SAMAccountName=Administrator)" unicodePwd -UAdministrator
> # record 1
> dn: CN=Administrator,CN=Users,DC=example,DC=com
> unicodePwd:: XnbXXXXXIXZ31WwXXXXYpXXX
>
> Not that it gets you anywhere, you would now have to crack the
> password (and no, that is not a real password)
>
> What I am trying to say is, there are attributes in AD that you need
> to explicitly ask for, some of which you cannot read anyway. Passwords
> on AD need to be changed over port 636 (SSL).
>
> Rowland

OK. Thank you very much Rowland, I got it!

In fact I don't really use ldapsearch (it was to explain briefly what
I'm doing); I'm writing some Python code.
Nevertheless your explanation is fully relevant and, instead of using
the ldap module from Python, I'm now using the ldb one (and samdb…) and I
can get the attributes I need.

Just for information, the Python code using the ldap module to query the
unicodePwd attribute works well if the first DC is samba (i.e. I can
fetch the unicodePwd attribute) but it stops working if the first DC is
win2k8 (in both cases, I add a samba as a second DC and I run the Python
script on it).

Thanks again

-- 

Jean-François
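The "strange" base64 values in the original question are not a replication problem at all: ldapsearch prints LDIF (RFC 2849), and LDIF writes any value that is not a plain ASCII "safe string" as `attr:: <base64>`. The French description contains the U+2019 apostrophe, so it is encoded; the English description in Rowland's output is plain ASCII, so it is not. The example below is added here and is not code from the thread or from Samba: a small LDIF reader that unfolds continuation lines, decodes `::` values back to text (or keeps them as bytes when they are binary, as objectGUID would be), plus the RFC 2849 test that decides which form a value gets. The sample LDIF is constructed for the example; the description value is the exact base64 string quoted in the question, and the objectGUID blob is made up. The missing unicodePwd is a separate matter, as Rowland explains: it is never returned over LDAP and can only be read by opening sam.ldb directly on the DC, which is why access to that file should be treated as access to every password hash in the domain.

```python
import base64
from typing import Dict, List, Union

Value = Union[str, bytes]
Record = Dict[str, List[Value]]

# Constructed sample in the shape `ldapsearch -LLL` prints. The description
# value is the base64 string quoted in the thread; it is folded over two
# lines to show the LDIF continuation rule (a line starting with one space
# continues the previous line). The objectGUID value is a constructed
# 16-byte blob that is deliberately not valid UTF-8.
SAMPLE_LDIF = (
    "dn: CN=Administrateur,CN=Users,DC=test,DC=dom\n"
    "objectClass: top\n"
    "objectClass: user\n"
    "cn: Administrateur\n"
    "# comment lines are ignored\n"
    "description:: Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb\n"
    " 24=\n"
    "sAMAccountName: Administrateur\n"
    "objectGUID:: " + base64.b64encode(bytes(range(0xF0, 0x100))).decode("ascii") + "\n"
)


def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING test.

    A value may be written as `attr: value` only if it is pure ASCII, contains
    no NUL/CR/LF, and does not start with a space, ':' or '<'. Everything else
    (accented text, the U+2019 apostrophe in the thread's description, binary
    blobs) is written as `attr:: base64`, which is exactly what the original
    poster saw.
    """
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(c) >= 0x80 or c in "\0\r\n" for c in value)


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) and drop comments."""
    lines: List[str] = []
    skipping = False  # True while inside a '#' comment (comments can be folded too)
    for raw in text.splitlines():
        if raw.startswith(" "):
            if not skipping and lines:
                lines[-1] += raw[1:]
            continue
        skipping = raw.startswith("#")
        if not skipping:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Record]:
    """Parse LDIF records into dicts of attribute -> list of values.

    `::` values are base64-decoded; if the bytes are valid UTF-8 they are
    returned as str, otherwise as bytes (binary attributes such as objectGUID).
    """
    records: List[Record] = []
    current: Record = {}
    for line in _unfold(text) + [""]:  # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):
            raw = base64.b64decode(rest[1:].strip(), validate=True)
            try:
                value: Value = raw.decode("utf-8")
            except UnicodeDecodeError:
                value = raw
        elif rest.startswith("<"):
            raise ValueError("attr:< url form is not supported in this example")
        else:
            value = rest.lstrip(" ")
        current.setdefault(attr, []).append(value)
    return records


def to_ldif_line(attr: str, value: Value) -> str:
    """Write one attribute the way an LDIF producer would (the reverse path)."""
    if isinstance(value, bytes) or needs_base64(value):
        data = value if isinstance(value, bytes) else value.encode("utf-8")
        return f"{attr}:: {base64.b64encode(data).decode('ascii')}"
    return f"{attr}: {value}"


if __name__ == "__main__":
    for record in parse_ldif(SAMPLE_LDIF):
        for name, values in record.items():
            for v in values:
                print(f"{name}: {v!r}")
```

Running the block prints the decoded description as `'Compte d’utilisateur d’administration'` and objectGUID as a bytes object; `to_ldif_line("description", ...)` reproduces the base64 string from the question character for character, which is the quickest way to convince yourself that nothing in the replicated data was altered. When moving from the ldap module to ldb/samdb as the poster did, the same values come back already decoded, so this step disappears, but the access rule stays: anything sensitive enough to be withheld over LDAP is only readable from sam.ldb on the DC itself.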