[Samba] Synchronization problems between Win2k8R2 and samba

Rowland Penny rowlandpenny at googlemail.com
Wed Mar 4 02:31:38 MST 2015


On 04/03/15 08:45, Jean-François Morcillo wrote:
> On 03/03/2015 12:56, Rowland Penny wrote:
>> On 03/03/15 11:11, Jean-François Morcillo wrote:
>>> Hello,
>>>
>>> I have a small test network with a Win2k8R2 DC.
>>>
>>> I've added a samba4 as second DC in this network.
>>> The join seems to run smoothly.
>>>
>>> But, after the join, this command: ldapsearch -LLL -x -H
>>> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi  -b
>>> "dc=test,dc=dom"  "(SAMAccountName=Administrateur)"
>>> returns some strange results:
>>> – some attributes like unicodePwd and supplementalCredentials are
>>> missing
>>> – lots of attributes are base64 encoded, example:
>>>       –description::
>>> Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=
>>> (for information python
>>> base64.decodestring('Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=')
>>>
>>> gives 'Compte d\xe2\x80\x99utilisateur d\xe2\x80\x99administration')
>>>
>>> On the 4 tests I did, I always get the same result.
>>> Is that normal or is something going wrong?
>>>
>>> Regards
>> OK, quite normal, you are dealing with AD now, not OpenLDAP, you could
>> try the ldb tools instead:
>>
>> ldbsearch -H ldap://dc01.example.com -b "DC=example,DC=com" -s sub
>> "(SAMAccountName=Administrator)" -UAdministrator
>> Password for [example\Administrator]:
>> # record 1
>> dn: CN=Administrator,CN=Users,DC=example,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Administrator
>> description: Built-in account for administering the computer/domain
>> instanceType: 4
>> whenCreated: 20140812094102.0Z
>> uSNCreated: 3545
>> name: Administrator
>> objectGUID: cec3979c-c005-4047-a5bf-161eb3a1af97
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> pwdLastSet: 130523100620000000
>> primaryGroupID: 513
>> objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
>> adminCount: 1
>> logonCount: 0
>> sAMAccountName: Administrator
>> sAMAccountType: 805306368
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
>> isCriticalSystemObject: TRUE
>> memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
>> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
>> memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
>> memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
>> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
>> userAccountControl: 66048
>> accountExpires: 0
>> whenChanged: 20140812105552.0Z
>> uSNChanged: 3774
>> distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com
>>
>> But there are still missing attributes, this is again by design, you
>> could try adding the attribute you want:
>>
>> ldbsearch -H ldap://dc01.example.com -b "DC=example,DC=com" -s sub
>> "(SAMAccountName=Administrator)" unicodePwd -UAdministrator
>> Password for [example\Administrator]:
>> # record 1
>> dn: CN=Administrator,CN=Users,DC=example,DC=com
>>
>> Hmm, still not there, you could try running this on the DC, but you
>> would still get the same result, you need to run the command on the DC
>> *and* use the path to the ldb file:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s
>> sub "(SAMAccountName=Administrator)" unicodePwd -UAdministrator
>> # record 1
>> dn: CN=Administrator,CN=Users,DC=example,DC=com
>> unicodePwd:: XnbXXXXXIXZ31WwXXXXYpXXX
>>
>> Not that it gets you anywhere, you would now have to crack the
>> password (and no, that is not a real password)
>>
>> What I am trying to say is, there are attributes in AD that you need
>> to explicitly ask for, some of which you cannot read anyway. Passwords
>> on AD need to be changed over port 636 (SSL).
>>
>> Rowland
> Ok. Thank you very much Rowland, I got it !
>
> In fact I don't really use ldapsearch (it was to explain briefly what
> I'm doing), I'm writing some python code.
> Nevertheless your explanation is fully relevant and, instead of using
> the ldap module from python I'm now using the ldb one (and samdb…) and I
> can get the attributes I need.
>
> Just for information, the python code using the ldap module to query the
> unicodePwd attribute works well if the first DC is samba (i.e. I can
> fetch the unicodePwd attribute) but it stops working if the first DC is
> win2k8 (in both cases, I add a samba as a second DC and I run the python
> script on it)
>
> Thanks again
>

Well, as far as I am aware, you shouldn't actually be able to read the 
unicodePwd attribute at all, you can only set it, but you can read it on 
Unix because you are working directly on the ldb file.

Rowland
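As an added example (not code from either poster), here is a small Python parser for the LDIF-style output quoted above: it unfolds continuation lines, decodes the `::` base64 values that puzzled the original question (the French description with typographic apostrophes is not LDIF-safe ASCII, so ldapsearch encodes it), and reports which requested attributes never came back, which for unicodePwd and supplementalCredentials over LDAP is expected. The record text is constructed from the values in the thread.

```python
import base64
import re
from typing import Dict, List

# Constructed sample modelled on the ldapsearch output in the thread: one
# base64 ("::") value folded onto a continuation line, plus plain values.
SAMPLE_LDIF = """\
dn: CN=Administrateur,CN=Users,DC=test,DC=dom
sAMAccountName: Administrateur
description:: Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb
 24=
userAccountControl: 66048
"""

# "attr: value" is a plain value, "attr:: value" is base64 (RFC 2849).
LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")


def parse_ldif_record(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF record into {attribute: [values]} with base64 decoded."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: join to previous
        elif raw and not raw.startswith("#"):
            lines.append(raw)             # skip "# record 1" style comments
    record: Dict[str, List[str]] = {}
    for line in lines:
        match = LDIF_LINE.match(line)
        if match is None:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, value = match.groups()
        if sep == "::":
            # Base64 is used whenever the value is not safe ASCII, e.g.
            # "Compte d’utilisateur d’administration" in the thread.
            value = base64.b64decode(value).decode("utf-8")
        record.setdefault(attr, []).append(value)
    return record


def missing_attributes(record: Dict[str, List[str]], wanted: List[str]) -> List[str]:
    """Attributes that were asked for but are absent from the returned record."""
    return [attr for attr in wanted if attr not in record]


if __name__ == "__main__":
    rec = parse_ldif_record(SAMPLE_LDIF)
    print(rec["description"][0])
    print("not returned:", missing_attributes(rec, ["unicodePwd", "supplementalCredentials"]))
```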