[Samba] Provision new domain keeping users and passwords

Jeanderson Soares ssjeanderson at gmail.com
Wed Mar 29 17:31:09 UTC 2017


Hi, Rowland.


2017-03-29 11:06 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Wed, 29 Mar 2017 17:30:28 +0400
> Mike Lykov via samba <samba at lists.samba.org> wrote:
>
> > 29.03.2017 16:52, Santiago Londoño Mejía via samba пишет:
> > > Hello,
> > > Is this procedure for samba as DC?
> >
> > I'm in doubt about it; it looks like it's for an old-style NT Domain...
> > Maybe more skilled people can comment on it.
> >
>
> I don't think creating a new domain and using the users and passwords
> is going to work.
>
> There are several problems:
>
> Windows identifies the users etc by the RID, but this is to be found at
> the end of the domain SID, so if user 'fred' has the RID 1107 and you
> create a new Samba AD domain and create the user 'fred' with the same
> RID, this would be a different user 'fred', because the SID would be
> different.
>

I created a user 'fred' in the old DC domain and exported/imported it to the
new domain (using pdbedit), and I was able to log in on a Windows
machine (member of the new domain) normally (except that the user account
had expired).

(old dc domain)# pdbedit -v fred
User SID:             S-1-5-21-*3914450021-4001743833-916707020*-45772

(new dc domain)# pdbedit -v fred
User SID:             S-1-5-21-*1365935180-2367880061-2796624718*-45772

The SID really changed. Maybe I will get into trouble in the future.


> The user's password is stored in a hidden attribute which is supposed
> to be unreadable, but you can read it on a Samba DC, but it is heavily
> encoded. You may be able to obtain some of the users' passwords with
> pdbedit, but can you get them all?
>

Another way to accomplish this would be by exporting the user's NT hash. And I
can do this for all the users:

(old dc domain)# pdbedit -w fred
fred:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
*A87F3A337D73085C45F9416BE5787D86*:[U          ]:LCT-58DBE291:

(new dc domain)# pdbedit fred --set-nt-hash
*A87F3A337D73085C45F9416BE5787D86*

But you will need to create the user beforehand.


> If you create a new domain, it will be just that, a new domain and you
> will need to join all your machines to it.
>
> Bearing all this in mind, it will probably be easier to obtain a list
> of your users and groups, also get a list of which user
> is a member of which group.
> Create the new domain, add the users, give them a temporary password
> and set the user to change their password at first logon. Add the
> groups and reset the group membership.
> Email the new password to the users and then one weekend, change over
> to the new DC.
>

That sounds like the best way. Thanks for the clarifications!


> Rowland
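The export/import step above turned into a script, as an added example that is not from the thread or from the Samba project: it assumes a dump taken on the old DC with `pdbedit -L -w` (smbpasswd format, one user per line), `samba-tool` and `pdbedit` in PATH on the new DC, and a hypothetical DRY_RUN switch that prints the commands instead of running them. The sample dump is constructed; the hash value is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Samba itself): carry NT hashes from an
# old Samba domain into a new one with `pdbedit -w` / `pdbedit --set-nt-hash`.
# Assumes $1 is a dump made on the OLD DC with `pdbedit -L -w` and that this
# runs on the NEW DC with samba-tool and pdbedit in PATH.

# Field 4 of an smbpasswd line is the NT hash; field 5 holds the account flags.
nt_hash_of() { printf '%s\n' "$1" | cut -d: -f4; }
flags_of()   { printf '%s\n' "$1" | cut -d: -f5; }

# Succeeds only for a normal user ('U') that is not disabled ('D') and whose
# NT hash is exactly 32 hex digits; machine accounts and bad lines are skipped.
usable() {
    h=$(nt_hash_of "$1"); f=$(flags_of "$1")
    [ "${#h}" -eq 32 ] || return 1
    case "$h" in *[!0-9A-Fa-f]*) return 1 ;; esac
    case "$f" in *U*) ;; *) return 1 ;; esac
    case "$f" in *D*) return 1 ;; esac
    return 0
}

# Hypothetical DRY_RUN switch: print the command instead of executing it.
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

migrate() {
    umask 077   # anything derived from the dump is password-equivalent material
    while IFS= read -r line; do
        user=${line%%:*}
        usable "$line" || { printf 'skip %s\n' "$user" >&2; continue; }
        # The account must exist in the new domain first ("create the user
        # beforehand"); it gets a new SID, so ACLs naming the old SID do not carry.
        run samba-tool user create "$user" --random-password
        run pdbedit "$user" --set-nt-hash "$(nt_hash_of "$line")"
    done < "$1"
}

# Constructed sample dump: one user, one machine account, one disabled user.
sample_dump() {
    cat <<'EOF'
fred:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:A87F3A337D73085C45F9416BE5787D86:[U          ]:LCT-58DBE291:
old$:4294967294:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[W          ]:LCT-58DBE291:
bob:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[UD         ]:LCT-58DBE291:
EOF
}
```

Delete the dump once the import is verified; it is as sensitive as the passwords themselves. What `--set-nt-hash` does not carry (account expiry, password age) still has to be set on the new DC.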