[Samba] Replacement pdc samba3 to samba4 nt classic

Gavrilov Aleksey gavrilov at info74.ru
Wed Oct 12 04:58:14 UTC 2016

On 11.10.2016 17:22, Harry Jede via samba wrote:
> Am Dienstag, 11. Oktober 2016 schrieben Sie:
>> On 11.10.2016 13:52, Harry Jede via samba wrote:
>>> On 10:43:49 wrote Gavrilov Aleksey via samba:
>>> Until now, you have destroyed your domain.
>>> Is the ldap directory on localhost in production or is this pc in a
>>> test lab?
>> a copy of the old server's LDAP
>>>> How do I introduce a new PDC in a domain?
>>> Only *one* PDC per domain is allowed! But one may have dozens of
>>> BDCs and member servers. So, do you have a working PDC?
>> I do not have a working PDC now
>>> Or should the new machine replace an old PDC?
>> yes, it's a replacement
>>> What ldap server are in use? Which version?
>> slapd/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
>> the file system is damaged on the old server
>> I was able to restore some files
>> I have backups for the old server
>> I'm trying to replace the PDC
> OK, let us try to restore.
> You may post the following in a private mail.
> Post the output of those commands to give us some info:
> # the structure of your DIT
> # ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru hasSubordinates=TRUE dn
root at pdc:~# ldapsearch -xLLL -H ldapi:/// -b 
ou=arkhangelsk,dc=rugion,dc=ru hasSubordinates=TRUE dn
dn: ou=arkhangelsk,dc=rugion,dc=ru

dn: ou=users,ou=arkhangelsk,dc=rugion,dc=ru

dn: ou=groups,ou=arkhangelsk,dc=rugion,dc=ru

dn: ou=computers,ou=arkhangelsk,dc=rugion,dc=ru

dn: ou=users.deleted,ou=arkhangelsk,dc=rugion,dc=ru
> # the registered domains
> # ldapsearch -xLLL -H ldapi:/// '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName sambaSID
root at pdc:~# ldapsearch -xLLL -H ldapi:/// 
'(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName sambaSID
No such object (32)

root at pdc:~# ldapsearch -xLLL -H ldapi:/// 
'(objectclass=sambasamaccount)' -b  ou=arkhangelsk,dc=rugion,dc=ru 
sambaacctflags sambaSID
dn: uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-500

dn: uid=admin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1001
sambaAcctFlags: [U          ]

dn: uid=udina,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1110
sambaAcctFlags: [U          ]

dn: uid=bakova,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1007
sambaAcctFlags: [U          ]

dn: uid=nobody,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaAcctFlags: [NUD        ]
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-501

dn: uid=semakov,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1020
sambaAcctFlags: [U          ]

dn: uid=voronin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1129
sambaAcctFlags: [U          ]

dn: uid=chirkova,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1062
sambaAcctFlags: [U          ]

> # the machines and or trust accounts
> # ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID
root at pdc:~# ldapsearch -xLLL -H ldapi:/// 
'(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID
No such object (32)

root at pdc:~# ldapsearch -xLLL -H ldapi:/// 
'(&(cn=*$)(objectclass=sambasamaccount))' -b 
ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID
dn: uid=pdc$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1015
sambaAcctFlags: [S          ]

dn: uid=wolf$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1025
sambaAcctFlags: [W          ]

dn: uid=29get$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1086
sambaAcctFlags: [W          ]

> # ls -l /var/lib/samba/
root at pdc:~# ls -l /var/lib/samba/
total 1832
-rw-------  1 root root       421888 Oct  7 16:02 account_policy.tdb
-rw-------  1 root root          696 Oct  6 11:24 group_mapping.tdb
drwxr-xr-x 10 root root         4096 Oct  6 11:24 printers
drwxr-xr-x  3 root root         4096 Oct  7 11:10 private
-rw-------  1 root root       528384 Oct  6 11:24 registry.tdb
-rw-------  1 root root       421888 Oct  6 11:24 share_info.tdb
drwxrwx--T  2 root sambashare   4096 Oct  6 11:24 usershares
-rw-------  1 root root        32768 Oct 11 11:19 winbindd_cache.tdb
-rw-r--r--  1 root root       421888 Oct 10 11:48 winbindd_idmap.tdb
drwxr-x---  2 root root         4096 Oct 11 11:19 winbindd_privileged
-rw-r--r--  1 root root         2496 Oct 12 07:45 wins.dat
-rw-------  1 root root        24576 Oct 12 07:39 wins.tdb

> # cat /etc/nsswitch.conf
root at pdc:~# cat /etc/nsswitch.conf

ethers: db files
group: compat ldap winbind
hosts: files dns
netgroup: nis
networks: files
passwd: compat ldap winbind
protocols: db files
rpc: db files
services: db files
shadow: compat
> # cat /etc/pam_ldap.conf |egrep -v '^#|^$'
root at pdc:~# cat /etc/pam_ldap.conf |egrep -v '^#|^$'
cat: /etc/pam_ldap.conf: No such file or directory

root at pdc:~# cat /etc/ldap.conf |egrep -v '^#|^$'
base                ou=arkhangelsk,dc=rugion,dc=ru
ldap_version        3
port                389
scope               one
timelimit           30
bind_policy         soft
idle_timelimit      3600
pam_password        md5
nss_base_passwd     ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_base_group      ou=groups,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_base_passwd     ou=computers,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_base_shadow     ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_connect_policy  persist
nss_paged_results   yes
pagesize            1000

> # ls -l /etc/pam_ldap.secret
root at pdc:~# ls -l /etc/pam_ldap.secret
ls: cannot access '/etc/pam_ldap.secret': No such file or directory
> # cat /etc/pam.d/common-account|egrep -v '^#|^$'
root at pdc:~# cat /etc/pam.d/common-account|egrep -v '^#|^$'
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
account requisite                       pam_deny.so
account required                        pam_permit.so

> # cat /etc/pam.d/common-auth|egrep -v '^#|^$'
root at pdc:~# cat /etc/pam.d/common-auth|egrep -v '^#|^$'
auth    [success=2 default=ignore]      pam_unix.so nullok_secure 
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
> # cat /etc/pam.d/common-password|egrep -v '^#|^$'
root at pdc:~# cat /etc/pam.d/common-password|egrep -v '^#|^$'
password        requisite                       pam_cracklib.so 
reject_username retry=3 minlen=18 difok=3 maxrepeat=2 minclass=4 
lcredit=0 ucredit=2 dcredit=1 ocredit=1
password        required                        pam_pwhistory.so 
use_authtok enforce_for_root remember=5
password        [success=2 default=ignore]      pam_unix.so obscure 
use_authtok try_first_pass sha512
password        [success=1 user_unknown=ignore default=die] pam_ldap.so 
use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so
> # cat /etc/pam.d/common-session|egrep -v '^#|^$'
root at pdc:~# cat /etc/pam.d/common-session|egrep -v '^#|^$'
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session required        pam_unix.so
session optional                        pam_ldap.so
session optional        pam_systemd.so


Sincerely, Gavrilov Aleksey
System Administrator
Ltd. "Hearst Shkulev Digital Rugion"
tel .: 8 (351) 729-94-90, ext. 345
mob. +7 999 581 7934
gavrilov at info74.ru
Chelyabinsk, st. Lesoparkovaya , 6, office 308

