[Samba] Fwd: Migrating server
Harry Jede
walk2sun at arcor.de
Mon Mar 5 13:22:13 UTC 2018
On Monday, 5 March 2018, 22:16:36 CET, Rob Thoman wrote:
> Hi Gruss,
>
> At this stage there is only one server, running 3.6.25 on Ubuntu12.04.
> The plan to get LDAP to work on this one. Then add the second server
> 4.x and the promote it to BDC and then demote this one. Just a side
> info, we didn't want to go tdbsam in both as I read it breaks the
> domain trust.
>
> The domain names are real ones.
>
> I ran the commands you suggested, nothing in reply. I tried ldapi://
> and ldap://sam3dc.mydomain .
You are using Ubuntu, which uses the Debian slapd packages, so ldapi must
work. The advantage of ldapi: you can access your LDAP server as the unix
root user via SASL EXTERNAL authentication. So these two switches must
be used:
-Y EXTERNAL
-H ldapi:///
3 examples returning only the dn:
very long version (default):
-----
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=afrika,dc=xx> with scope subtree
# filter: sambasid=S-1-5-21-1507708399-2130971284-2230424465-500
# requesting: dn
#
# Administrator, people, accounts, afrika.xx
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
-----
short version (without ldif messages):
-----
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
-----
very short version (without ldif and sasl messages):
-----
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn 2>/dev/null
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
The last version is best for scripting. The SASL messages show
that the user with uidNumber 0 and gidNumber 0, aka root:root,
has been authenticated.
ldap://sam3dc.mydomain must work with -D and -W or -w secret
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -xLLL -D uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx -W -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
Enter LDAP Password:
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
>
> Let me run through what I did,
> /etc/ldap/ldap.conf:
> BASE dc=mydomain
> URI ldap://sam3dc.mydomain
> TLS_CACERT /etc/ldap/ca_certs.pem
>
> Imported the samba.ldif from the 3.6.25 binaries.
>
> Imported the indices
>
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> add: olcDbIndex
> olcDbIndex: ou eq
> olcDbIndex: mail eq
> olcDbIndex: surname eq
> olcDbIndex: givenname eq
> olcDbIndex: loginShell eq
> olcDbIndex: uniqueMember eq,pres
> olcDbIndex: sambaSID eq
> olcDbIndex: sambaPrimaryGroupSID eq
> olcDbIndex: sambaGroupType eq
> olcDbIndex: sambaSIDList eq
> olcDbIndex: sambaDomainName eq
> olcDbIndex: default sub
> olcDbIndex: nisMapName eq
> olcDbIndex: nisMapEntry eq
> add: olcAccess
> olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by
> self write by * read
> olcAccess: to
> attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChan
> ge by dn="cn=admin,dc=mydomain" write by self write by * none
Here I retrieve the access rules of OpenLDAP as the root user.
This works even if I don't know the admin password.
# ldapsearch -LLLY External -H ldapi:/// -b cn=config -s sub 'olcaccess=*' olcaccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth manage by * break
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by anonymous read by * n
one
olcAccess: {2}to * by self write by dn="cn=admin,dc=afrika,dc=xx" write by * r
ead
> Did the certificates, confirmed working
>
> Added the following
> dn: ou=users,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: users
>
> dn: ou=groups,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: groups
>
> dn: ou=idmap,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: idmap
>
> dn: ou=computers,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: computers
>
> Added the unixdipool as per your email
>
> cat unixidpool.ldif
>
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
>
> changetype: modify
>
> add: objectclass
>
> objectclass: sambaUnixIdPool
>
> -
>
> add: uidnumber
>
> uidnumber: 10000
>
> -
>
> add: gidnumber
>
> gidnumber: 10000
>
>
> Then smbpasswd -a '' bit.
>
> Then did the pdbedit -i tdbsam -e ldapsam. This populated ldap with
> entries from tdb. Then exported the /etc/passwd and /etc/group and
> imported using the migration tool scripts
OK,
even if you cannot go through ldapi, you have admin access to your
LDAP server. So modify the commands I have sent you and run them.
You have had a working PDC with tdbsam and then switched to ldapsam
in 2 different ways: "smbldap" and "ldapsam:editposix".
Some possible failures:
- duplicate system accounts, i.e. administrator
- wrong suffices for user, group and/or machines
- wrong idmap config params
Check your secrets.tdb to verify these 3 entries:
# tdbdump secrets.tdb |egrep -v '^data|^}|^{'
key(16) = "SECRETS/SID/ALIX"
key(18) = "SECRETS/SID/SCHULE"
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=afrika,dc=xx"
The tdbdump utility is in package tdb-tools
--
Regards
Harry Jede
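The olcAccess dump above is the authoritative answer to "who can read the Samba password hashes". Below is an added example (not from the mail or from Samba/OpenLDAP) that parses such `ldapsearch -LLL ... olcaccess` output, unfolds LDIF continuation lines, and checks two things a migrated server should satisfy: that the ldapi peercred root identity has `manage` on the frontend, and that every Samba secret attribute is denied to `* none` before the catch-all `to *` rule. The LDIF is constructed from the structure shown in the thread; the `dc=afrika,dc=xx` suffix is the one from the mail.

```python
import re

# Constructed sample of `ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config
# -s sub 'olcaccess=*' olcaccess` output, modelled on the mail; a continuation
# line in LDIF starts with a single space.
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwd
 MustChange by dn="cn=admin,dc=afrika,dc=xx" write by self write by * none
olcAccess: {2}to * by self write by dn="cn=admin,dc=afrika,dc=xx" write by * read
"""

# Attributes the question's ACL tries to protect.
SAMBA_SECRETS = ("sambaNTPassword", "sambaLMPassword",
                 "sambaPwdLastSet", "sambaPwdMustChange")

def parse_ldif(text):
    """Unfold continuation lines and return {dn: [olcAccess values]}."""
    entries, current = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            current, entries[value] = value, []
        elif current is not None and attr.lower() == "olcaccess":
            entries[current].append(value)
    return entries

def root_has_manage(rules):
    """True if the ldapi peercred root identity gets 'manage' somewhere."""
    return any("cn=peercred,cn=external" in r and " manage" in r for r in rules)

def first_matching_rule(rules, attr):
    """slapd evaluates olcAccess in order; the first matching 'to' clause wins."""
    for rule in rules:
        m = re.match(r"\{\d+\}to (\S+)", rule)
        target = m.group(1) if m else ""
        if target == "*":
            return rule
        if target.startswith("attrs="):
            if attr.lower() in [a.lower() for a in target[6:].split(",")]:
                return rule
    return None

def world_readable_secrets(rules, secrets=SAMBA_SECRETS):
    """Secret attributes whose winning rule does not end in 'by * none'."""
    return [a for a in secrets
            if not (first_matching_rule(rules, a) or "").endswith("by * none")]
```

Feed it real output captured with `2>/dev/null` (as the mail recommends for scripting); an attribute that falls through to the `to *` rule with `by * read` is reported as readable by anyone who can bind.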