[Samba] Fwd: Migrating server
Harry Jede
walk2sun at arcor.de
Mon Mar 5 11:38:20 UTC 2018
On Monday, 5 March 2018, 16:51:41 CET, Rob Thoman wrote:
> Hi Harry,
>
> When I install slapd, I didn't get the option to use MDB, so used hdb
OK,
I have reread the thread. Some questions:
Is your old server still running?
Ubuntu, OpenLDAP and Samba versions on the old and new server?
I assume your old server uses tdbsam and your new server ldapsam.
> I went through your suggestions and cleaned up the smb.conf. Also
> added the unixidpool ldif
>
> dn: sambaDomainName=mydomain,dc=mydomain
> sambaDomainName: mydomain
> sambaSID: S-1-5-21-3936576374-1604348213-1812434911
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaNextUserRid: 1000
> sambaMinPwdLength: 5
> sambaPwdHistoryLength: 0
> sambaLogonToChgPwd: 0
> sambaMaxPwdAge: -1
> sambaMinPwdAge: 0
> sambaLockoutDuration: 30
> sambaLockoutObservationWindow: 30
> sambaLockoutThreshold: 0
> sambaForceLogoff: -1
> sambaRefuseMachinePwdChange: 0
> sambaNextRid: 1001
> uidNumber: 10000
> gidNumber: 10000
Fine.
Are the names "mydomain" your real and intended names,
or do they come from the samdb migration?
>
> When I tried to add a Windows 7 machine to the domain I get " Unknown
> user or wrong password". I was using the "sadmin" login who is in the
> "sudo". I dumped the user's details into a ldif file and imported it
> into ldap. I see the following in the /var/log/samba/log.win7ldap
>
> check_ntlm_password: Checking password for unmapped user
> [mydomain]\[sadmin]@[WIN7LDAP] with the new password interface
> [2018/03/04 11:04:05.007209, 3] auth/auth.c:222(check_ntlm_password)
Indicates that you don't have a valid samba provision. Normal state
after migration. Don't worry, we will fix this.
...
> auth/auth_winbind.c:60(check_winbind_security)
> check_winbind_security: Not using winbind, requested domain
> [mydomain] was for this SAM.
> [2018/03/04 11:04:05.008932, 2] auth/auth.c:319(check_ntlm_password)
> check_ntlm_password: Authentication for user [sadmin] -> [sadmin]
> FAILED with error NT_STATUS_NO_SUCH_USER
As you can see, no winbind operation with a valid admin account,
so no join.
> After a few retries it comes up with "The security database is
> corrupted" message in Window7
Same as above
> The following in /var/log/syslog
>
> sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
> sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
> sam3dom slapd[2600]: <= bdb_equality_candidates: (uid) not indexed
> sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
Your ldap db is not well indexed. This gives you bad response times,
but ldap should work.
> [2018/03/04 11:12:23.780636, 0]
> auth/check_samsec.c:492(check_sam_security) check_sam_security:
> make_server_info_sam() failed with
> 'NT_STATUS_INTERNAL_DB_CORRUPTION'
The DB may be corrupt or not. Until you have a valid admin account,
any error is possible.
>
> Any thoughts?
1. check your SIDs on both servers
# net getdomainsid
SID for local machine ALIX is: S-1-5-21-1507708399-2130971284-2230424465
SID for domain SCHULE is: S-1-5-21-1507708399-2130971284-2230424465
2. Check some entries on your new server
become root!!
$ sudo su -
# export SID=S-1-5-21-3936576374-1604348213-1812434911
2.1 check admin
# ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=$SID-500" objectclass cn sn uidnumber gidnumber sambaPrimaryGroupSID sambaSID 2>/dev/null
2.2 check domain admins, users and computers
# for s in 512 513 515 ;do ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=$SID-$s" 2>/dev/null;done
--
Regards
Harry Jede
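To make steps 1 and 2 above repeatable, here is an added example (not from Harry's reply or from the Samba project) that parses the output of `net getdomainsid` together with an LDIF dump of the sambaDomain, user and group entries and reports a SID mismatch or missing well-known objects (RIDs 500, 512, 513, 515). The sample output and LDIF are constructed; the parser assumes unfolded, non-base64 LDIF such as `ldapsearch -LLL` prints for short values.

```python
import re

# Well-known RIDs from steps 2.1 and 2.2 above: one account, three groups.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers"}

def parse_ldif(text):
    """Minimal LDIF: blank-line separated entries, one attribute per line;
    base64 ('::') values and folded continuation lines are not handled."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            key, _, val = line.partition(":")
            cur.setdefault(key.strip().lower(), []).append(val.strip())
    return entries

def check_provision(net_output, ldif_text):
    """Return findings; an empty list means the LDAP provision looks consistent."""
    m = re.search(r"SID for domain \S+ is: (S-1-5-21(?:-\d+){3})", net_output)
    if not m:
        return ["could not parse domain SID from 'net getdomainsid' output"]
    sid = m.group(1)
    entries = parse_ldif(ldif_text)
    domains = [e for e in entries
               if "sambadomain" in {c.lower() for c in e.get("objectclass", [])}]
    findings = [] if domains else ["no sambaDomain entry in LDAP"]
    for d in domains:
        ldap_sid = d.get("sambasid", [None])[0]
        if ldap_sid != sid:
            findings.append(f"sambaDomain SID {ldap_sid} != net getdomainsid {sid}")
    present = {s for e in entries for s in e.get("sambasid", [])}
    for rid, name in WELL_KNOWN_RIDS.items():
        if f"{sid}-{rid}" not in present:
            findings.append(f"missing {name} (sambaSID {sid}-{rid})")
    return findings

# Constructed sample: the thread's SID, the domain entry and only one of the
# four well-known objects, so the other three are reported missing.
SAMPLE_NET = "SID for domain MYDOMAIN is: S-1-5-21-3936576374-1604348213-1812434911\n"
SAMPLE_LDIF = """dn: sambaDomainName=mydomain,dc=mydomain
objectClass: sambaDomain
sambaSID: S-1-5-21-3936576374-1604348213-1812434911

dn: cn=Domain Users,ou=groups,dc=mydomain
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-3936576374-1604348213-1812434911-513
"""
```

On a real server, feed it the text of `net getdomainsid` and of the ldapsearch calls from step 2; an empty result means the SIDs agree and the four objects exist.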