[Samba] Fwd: Migrating server

Harry Jede walk2sun at arcor.de
Mon Mar 5 11:38:20 UTC 2018


On Monday, 5 March 2018, 16:51:41 CET, Rob Thoman wrote:
> Hi Harry,
> 
> When I install slapd, I didn't get the option to use MDB, so used hdb
OK,
I have reread the thread. Some questions:
Is your old server still running?
Ubuntu, openldap, samba versions on old and new server

I assume your old server use tdbsam and your new server ldapsam.

> I went through your suggestions and cleaned up the smb.conf.  Also
> added the unixidpool ldif
> 
> dn: sambaDomainName=mydomain,dc=mydomain
> sambaDomainName: mydomain
> sambaSID: S-1-5-21-3936576374-1604348213-1812434911
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaNextUserRid: 1000
> sambaMinPwdLength: 5
> sambaPwdHistoryLength: 0
> sambaLogonToChgPwd: 0
> sambaMaxPwdAge: -1
> sambaMinPwdAge: 0
> sambaLockoutDuration: 30
> sambaLockoutObservationWindow: 30
> sambaLockoutThreshold: 0
> sambaForceLogoff: -1
> sambaRefuseMachinePwdChange: 0
> sambaNextRid: 1001
> uidNumber: 10000
> gidNumber: 10000

Fine.
Are the names "mydomain" your real and intended names,
 or do they come from the samdb migration?

> 
> When I tried to add a Windows 7 machine to the domain I get " Unknown
> user or wrong password". I was using the "sadmin" login who is in the
> "sudo". I dumped the user's details into a ldif file and imported it
> into ldap.  I see the following in the /var/log/samba/log.win7ldap
> 
>  check_ntlm_password:  Checking password for unmapped user
> [mydomain]\[sadmin]@[WIN7LDAP] with the new password interface
> [2018/03/04 11:04:05.007209,  3] auth/auth.c:222(check_ntlm_password)
Indicates that you don't have a valid samba provision. Normal state 
after migration. Don't worry, we will fix this.

...

> auth/auth_winbind.c:60(check_winbind_security)
>   check_winbind_security: Not using winbind, requested domain
> [mydomain] was for this SAM.
> [2018/03/04 11:04:05.008932,  2] auth/auth.c:319(check_ntlm_password)
>   check_ntlm_password:  Authentication for user [sadmin] -> [sadmin]
> FAILED with error NT_STATUS_NO_SUCH_USER
As you can see, no winbind operation with a valid admin account,
 so no join.

> After a few retries it comes up with "The security database is
> corrupted" message in Windows 7
Same as above
 
> The following in /var/log/syslog
> 
> sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not
> indexed sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber)
> not indexed sam3dom slapd[2600]: <= bdb_equality_candidates: (uid)
> not indexed sam3dom slapd[2600]: <= bdb_equality_candidates:
> (gidNumber) not indexed
Your ldap db is not well indexed. This gives you bad response times,
 but ldap should work.
 
> [2018/03/04 11:12:23.780636,  0]
> auth/check_samsec.c:492(check_sam_security) check_sam_security:
> make_server_info_sam() failed with
> 'NT_STATUS_INTERNAL_DB_CORRUPTION'
The DB may be corrupt or not. Until you have a valid admin account,
 any error is possible.

> 
> Any thoughts?
1. check your SIDs on both servers
# net getdomainsid
SID for local machine ALIX is: S-1-5-21-1507708399-2130971284-2230424465
SID for domain SCHULE is: S-1-5-21-1507708399-2130971284-2230424465

2. Check some entries on your new server
    become root!!
$ sudo su -
# export SID=S-1-5-21-3936576374-1604348213-1812434911

2.1 check admin
#  ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=$SID-500" objectclass cn sn uidnumber gidnumber sambaPrimaryGroupSID sambaSID 2>/dev/null

2.2 check domain admins, users and computers
# for s in 512 513 515 ;do ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=$SID-$s" 2>/dev/null;done

-- 

Regards
	Harry Jede
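To automate steps 1 and 2 above, here is an added shell example; it is not code from Harry Jede or from the Samba project. It parses the output of `net getdomainsid` and an LDIF dump of the domain tree, verifies that the local machine SID and the domain SID agree and match the sambaSID of the sambaDomain entry, and reports which of the well-known RIDs (500 administrator, 512 Domain Admins, 513 Domain Users, 515 Domain Computers) have no entry. The embedded sample outputs are constructed: the SID is the one from the posted ldif, while the hostname, the DNs and the deliberately absent 515 group are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): sanity checks for a
# tdbsam -> ldapsam migration. The functions take command output as text,
# so they run against the constructed samples below as well as against
# real `net getdomainsid` / `ldapsearch` output.

# Step 1: local machine SID and domain SID must be identical.
# $1: output of `net getdomainsid`. Prints the SID, or returns 1.
domain_sid_from_net() {
    local local_sid domain_sid
    local_sid=$(printf '%s\n' "$1" | sed -n 's/^SID for local machine .* is: //p')
    domain_sid=$(printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: //p')
    [ -n "$local_sid" ] && [ "$local_sid" = "$domain_sid" ] || return 1
    printf '%s\n' "$local_sid"
}

# $1: LDIF text (e.g. ldapsearch -LLL output); $2: attribute name.
# Prints every value of that attribute, one per line; attribute names are
# matched case-insensitively, base64 ("attr::") values are skipped.
ldif_values() {
    printf '%s\n' "$1" | awk -v attr="$2" '{
        i = index($0, ": ")
        if (i > 0 && tolower(substr($0, 1, i - 1)) == tolower(attr))
            print substr($0, i + 2)
    }'
}

# Step 2: the well-known RIDs must exist under the domain SID.
# $1: LDIF dump of the domain tree; $2: domain SID.
# Prints the missing RIDs and returns 1 if any is missing.
missing_well_known_rids() {
    local sids rid missing
    missing=""
    sids=$(ldif_values "$1" sambaSID)
    for rid in 500 512 513 515; do
        printf '%s\n' "$sids" | grep -qxF "$2-$rid" || missing="$missing $rid"
    done
    [ -z "$missing" ] || { printf '%s\n' "${missing# }"; return 1; }
}

# Both checks in one go. $1: `net getdomainsid` output; $2: LDIF dump.
# Returns 0 only when the SIDs agree, the sambaDomain entry carries that
# SID, and all four well-known RIDs are present.
check_migration() {
    local sid missing
    sid=$(domain_sid_from_net "$1") \
        || { echo "local machine SID and domain SID differ"; return 1; }
    ldif_values "$2" sambaSID | grep -qxF "$sid" \
        || { echo "no sambaDomain entry carries sambaSID $sid"; return 1; }
    missing=$(missing_well_known_rids "$2" "$sid") \
        || { echo "missing well-known RIDs: $missing"; return 1; }
    echo "provision looks complete for $sid"
}

# Constructed sample data (SID taken from the posted ldif; hostname, DNs and
# the missing Domain Computers group are assumptions).
SAMPLE_SID="S-1-5-21-3936576374-1604348213-1812434911"
SAMPLE_NET_OUTPUT="SID for local machine SAM3DOM is: $SAMPLE_SID
SID for domain MYDOMAIN is: $SAMPLE_SID"
SAMPLE_LDIF="dn: sambaDomainName=mydomain,dc=mydomain
sambaSID: $SAMPLE_SID
objectClass: sambaDomain

dn: uid=sadmin,ou=users,dc=mydomain
sambaSID: $SAMPLE_SID-500
uidNumber: 10000

dn: cn=Domain Admins,ou=groups,dc=mydomain
sambaSID: $SAMPLE_SID-512

dn: cn=Domain Users,ou=groups,dc=mydomain
sambaSID: $SAMPLE_SID-513"

# Demonstration against the sample: reports that RID 515 is missing.
check_migration "$SAMPLE_NET_OUTPUT" "$SAMPLE_LDIF" || :
```

On the real server, run it as root against live data: `check_migration "$(net getdomainsid)" "$(ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain sambaSID 2>/dev/null)"`. A missing 500 entry is exactly the "no valid admin account" state described above; a missing 515 stops machine accounts from being created during a join.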
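For the "bdb_equality_candidates: (...) not indexed" warnings from slapd that Harry notes are harmless but slow, here is an added shell example (not code from the post or from the OpenLDAP project) that builds the cn=config change adding equality indexes for the attributes Samba and nss-ldap look up on every authentication, skipping any that are already indexed so the modify does not fail with "attribute or value exists". The database DN and the sample current configuration are assumptions; on a stock Ubuntu slapd with one hdb backend the DN is normally `olcDatabase={1}hdb,cn=config`, which you can confirm with `ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config olcDatabase olcDbIndex`.

```shell
#!/bin/sh
# Added example (not from the post): add the missing equality indexes that
# cause slapd's "(uid) not indexed" / "(gidNumber) not indexed" warnings.
# DATABASE_DN is an assumption; check it with ldapsearch on cn=config first.
DATABASE_DN="olcDatabase={1}hdb,cn=config"

# Attributes Samba and nss-ldap query by equality on every lookup.
INDEXED_ATTRS="uid uidNumber gidNumber memberUid sambaSID sambaPrimaryGroupSID sambaDomainName"

# $1: current LDIF of the database entry (ldapsearch output); remaining
# args: wanted attributes. Prints the ones that have no "eq" index yet.
unindexed_attrs() {
    local current have a
    current=$1; shift
    have=$(printf '%s\n' "$current" \
        | awk '{ i = index($0, ": ")
                 if (i > 0 && tolower(substr($0, 1, i - 1)) == "olcdbindex")
                     print substr($0, i + 2) }' \
        | awk '{ sub(/^[{][0-9]+[}]/, "", $1)
                 if ($2 ~ /(^|,)eq(,|$)/) {
                     n = split($1, list, ",")
                     for (k = 1; k <= n; k++) print tolower(list[k]) } }')
    for a in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$(printf '%s' "$a" | tr 'A-Z' 'a-z')" \
            || printf '%s\n' "$a"
    done
}

# $1: database DN; remaining args: attributes. Prints one LDIF modify
# operation adding an equality index per attribute.
index_ldif() {
    local dn a
    dn=$1; shift
    printf 'dn: %s\nchangetype: modify\nadd: olcDbIndex\n' "$dn"
    for a in "$@"; do
        printf 'olcDbIndex: %s eq\n' "$a"
    done
}

# Reads the live configuration over the ldapi socket (run as root, SASL
# EXTERNAL) and applies only the indexes that are still missing. With
# back-hdb on OpenLDAP 2.4 the server reindexes existing entries in the
# background after the modify; run slapindex with slapd stopped if in doubt.
apply_indexes() {
    local current wanted
    current=$(ldapsearch -LLLY EXTERNAL -H ldapi:/// -b "$DATABASE_DN" -s base olcDbIndex 2>/dev/null) \
        || return 1
    wanted=$(unindexed_attrs "$current" $INDEXED_ATTRS)
    [ -n "$wanted" ] || { echo "all requested attributes are already indexed"; return 0; }
    index_ldif "$DATABASE_DN" $wanted | ldapmodify -Y EXTERNAL -H ldapi:/// 2>/dev/null
}

# Constructed sample of a current configuration that indexes only
# objectClass and cn,uid (an assumption, not Rob's actual config).
SAMPLE_CURRENT="dn: olcDatabase={1}hdb,cn=config
olcDatabase: {1}hdb
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq"

# Demonstration against the sample: prints the LDIF that would be sent.
index_ldif "$DATABASE_DN" $(unindexed_attrs "$SAMPLE_CURRENT" $INDEXED_ATTRS)
```

Call `apply_indexes` as root on the new server once the DN is confirmed; the generated LDIF is what Harry's `ldapsearch ... "sambasid=$SID-500"` queries need so that slapd answers them from the sambaSID index instead of scanning the whole database.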

