[Samba] Fwd: Migrating server

Harry Jede walk2sun at arcor.de
Mon Mar 5 13:22:13 UTC 2018


On Monday, 5 March 2018, 22:16:36 CET, Rob Thoman wrote:
> Hi Gruss,
> 
> At this stage there is only one server, running 3.6.25 on Ubuntu 12.04.
> The plan is to get LDAP to work on this one, then add the second server
> (4.x), promote it to BDC and then demote this one. Just as a side
> note, we didn't want to go tdbsam in both as I read it breaks the
> domain trust.
> 
> The domain names are real ones.
> 
> I ran the commands you suggested, nothing in reply. I tried ldapi://
> and ldap://sam3dc.mydomain.
You are using Ubuntu, which uses the Debian slapd packages, so ldapi must
work. The advantage of ldapi: you can access your LDAP server as the Unix
root user via SASL EXTERNAL authentication. So these two switches must
be used:

-Y EXTERNAL
-H ldapi:///

3 examples returning only the dn:

very long version (default):
-----
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=afrika,dc=xx> with scope subtree
# filter: sambasid=S-1-5-21-1507708399-2130971284-2230424465-500
# requesting: dn 
#

# Administrator, people, accounts, afrika.xx
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
-----

short version (without ldif messages):
-----
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx

-----
very short version (without ldif and sasl messages):
-----
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn 2>/dev/null
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx

The last version is best for scripting. The SASL messages show
that the user with uidNumber 0 and gidNumber 0, aka root:root,
has been authenticated.


ldap://sam3dc.mydomain must work with -D and -W (or -w secret):
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -xLLL -D uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx -W -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
Enter LDAP Password: 
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx


> 
> Let me run through what I did,
> /etc/ldap/ldap.conf:
> BASE    dc=mydomain
> URI     ldap://sam3dc.mydomain
> TLS_CACERT /etc/ldap/ca_certs.pem
> 
> Imported the samba.ldif from the 3.6.25 binaries.
> 
> Imported the indices
> 
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> add: olcDbIndex
> olcDbIndex: ou eq
> olcDbIndex: mail eq
> olcDbIndex: surname eq
> olcDbIndex: givenname eq
> olcDbIndex: loginShell eq
> olcDbIndex: uniqueMember eq,pres
> olcDbIndex: sambaSID eq
> olcDbIndex: sambaPrimaryGroupSID eq
> olcDbIndex: sambaGroupType eq
> olcDbIndex: sambaSIDList eq
> olcDbIndex: sambaDomainName eq
> olcDbIndex: default sub
> olcDbIndex: nisMapName eq
> olcDbIndex: nisMapEntry eq
> -
> add: olcAccess
> olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by self write by * read
> olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=mydomain" write by self write by * none


Here I retrieve the access rules for OpenLDAP as the root user.
This works even if I don't know the admin password.

# ldapsearch -LLLY External -H ldapi:/// -b cn=config -s sub 'olcaccess=*' olcaccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by anonymous read by * n
 one
olcAccess: {2}to * by self write by dn="cn=admin,dc=afrika,dc=xx" write by * r
 ead


> Did the certificates, confirmed working
> 
> Added the following
> dn: ou=users,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: users
> 
> dn: ou=groups,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: groups
> 
> dn: ou=idmap,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: idmap
> 
> dn: ou=computers,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: computers
> 
> Added the unixidpool as per your email
> 
> cat unixidpool.ldif
> 
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
> changetype: modify
> add: objectclass
> objectclass: sambaUnixIdPool
> -
> add: uidnumber
> uidnumber: 10000
> -
> add: gidnumber
> gidnumber: 10000
> 
> 
> Then the smbpasswd -a '' bit.
> 
> Then did the pdbedit -i tdbsam -e ldapsam. This populated LDAP with
> entries from tdb. Then exported /etc/passwd and /etc/group and
> imported them using the migration tool scripts.

OK,

even if you cannot go through ldapi, you have admin access to your
LDAP server. So modify the commands I have sent you and run them.

You had a working PDC with tdbsam and then switched to ldapsam
in 2 different ways: "smbldap" and "ldapsam:editposix".

Some possible failures:
- duplicate system accounts, i.e. administrator
- wrong suffixes for users, groups and/or machines
- wrong idmap config params

Check your secrets.tdb to verify these 3 entries:
# tdbdump secrets.tdb |egrep -v '^data|^}|^{'
key(16) = "SECRETS/SID/ALIX"
key(18) = "SECRETS/SID/SCHULE"
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=afrika,dc=xx"

The tdbdump utility is in the package tdb-tools.


-- 

Gruss
	Harry Jede
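An added example in POSIX sh (my own code, not from this post, from Samba or from OpenLDAP): helper functions that post-process the output of the ldapsearch and tdbdump commands discussed in the thread, so that the "very short version" can be used in a migration check script. They unfold the LDIF that ldapsearch prints (including the folded olcAccess continuation lines visible in the cn=config listing), select one database's olcAccess values, check that a rule covering sambaNTPassword with "by * none" exists and is placed before the catch-all "to *" rule (OpenLDAP applies the first matching "to" clause, so a rule appended with "add: olcAccess" behind "{2}to * ..." is never reached), and verify the secrets.tdb keys. The sample LDIF and tdbdump output are constructed from the values quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from Samba/OpenLDAP:
# POSIX sh helpers that post-process the output of the ldapsearch and tdbdump
# commands shown above for use in a migration check script. Sample data is
# constructed from the values quoted in the thread (dc=afrika,dc=xx, ALIX).

# Unfold LDIF: a line beginning with one space continues the previous line
# (ldapsearch folds long olcAccess values this way); "# ..." comments are dropped.
ldif_unfold() {
    awk '
        /^#/ { next }
        /^ / { buf = buf substr($0, 2); next }
        { if (have) print buf; buf = $0; have = 1 }
        END { if (have) print buf }
    '
}

# Print the values of attribute $1 (case-insensitive), one per line, in order.
ldif_attr() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ldif_unfold | awk -v want="$want" '{
        i = index($0, ": ")
        if (i > 0 && tolower(substr($0, 1, i - 1)) == want) print substr($0, i + 2)
    }'
}

# Print only the record whose dn is exactly $1 (records end at a blank line).
ldif_record() {
    ldif_unfold | awk -v want="$1" '
        /^dn: / { keep = (substr($0, 5) == want) }
        /^$/    { keep = 0 }
        keep    { print }
    '
}

# Read one database's olcAccess values (stdin, in order). Succeed only if a rule
# covering sambaNTPassword that ends in "by * none" exists AND precedes the first
# catch-all "to *" rule: OpenLDAP applies the first matching "to" clause, so a
# rule appended by "add: olcAccess" behind "{2}to * ..." is never reached.
hash_acl_effective() {
    awk '
        { v = $0; sub(/^[{][0-9]+[}]/, "", v) }
        tolower(v) ~ /^to attrs=[^ ]*sambantpassword/ && v ~ /by \* none$/ && !hashrule { hashrule = NR }
        v ~ /^to \* / && !catchall { catchall = NR }
        END { exit (hashrule && (!catchall || hashrule < catchall)) ? 0 : 1 }
    '
}

# Read "tdbdump secrets.tdb" output on stdin; check that the domain SID entry
# for workgroup $1 and the LDAP bind password entry for bind dn $2 both exist.
check_secrets() {
    missing=0
    dump=$(cat)
    for key in "SECRETS/SID/$1" "SECRETS/LDAP_BIND_PW/$2"; do
        if ! printf '%s\n' "$dump" | grep -q "^key([0-9]*) = \"$key\"\$"; then
            echo "secrets.tdb: missing $key" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: two databases from the olcAccess listing in the thread,
# with the folded lines exactly as ldapsearch prints them.
SAMPLE_CONFIG=$(cat <<'EOF'
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by anonymous read by * n
 one
olcAccess: {2}to * by self write by dn="cn=admin,dc=afrika,dc=xx" write by * r
 ead
EOF
)

# Constructed sample: the filtered tdbdump output quoted in the thread.
SAMPLE_SECRETS='key(16) = "SECRETS/SID/ALIX"
key(18) = "SECRETS/SID/SCHULE"
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=afrika,dc=xx"'

# Demo run: the {1}hdb database above has no rule for the Samba hashes at all,
# so for them its "{2}to * ... by * read" rule applies.
HDB='olcDatabase={1}hdb,cn=config'
printf '%s\n' "$SAMPLE_CONFIG" | ldif_record "$HDB" | ldif_attr olcAccess
if printf '%s\n' "$SAMPLE_CONFIG" | ldif_record "$HDB" | ldif_attr olcAccess | hash_acl_effective; then
    echo "samba hash ACL: present and effective"
else
    echo "samba hash ACL: missing or shadowed by a catch-all rule"
fi
printf '%s\n' "$SAMPLE_SECRETS" | check_secrets ALIX 'cn=admin,dc=afrika,dc=xx' && echo "secrets.tdb: ok"
```

On a live server the samples are replaced by the real commands from the thread, e.g. `ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config -s sub 'olcaccess=*' olcaccess 2>/dev/null | ldif_record 'olcDatabase={1}hdb,cn=config' | ldif_attr olcAccess | hash_acl_effective` and `tdbdump secrets.tdb | check_secrets WORKGROUP 'cn=admin,dc=...'`. The ordering check is a sanity check on the rule list only; slapd's full evaluation also depends on the frontend (global) rules, which it consults after the database's own rules.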

