[Samba] Fwd: Migrating server

Tue Mar 6 06:42:23 UTC 2018

Hi Gruss,

Had to ditch the VM and start again. Here is the info:

tdbdump secrets.tdb |egrep -v '^data|^}|^{'
key(21) = "SECRETS/SID/mydomain"
key(18) = "SECRETS/SID/sam3dc"
key(42) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=mydomain"
key(25) = "SECRETS/DOMGUID/mydomain"
key(42) = "SECRETS/MACHINE_SEC_CHANNEL_TYPE/mydomain"
key(42) = "SECRETS/MACHINE_LAST_CHANGE_TIME/mydomain"
key(34) = "SECRETS/MACHINE_PASSWORD/mydomain"

dapsearch -LLLY External -H ldapi:/// -b cn=config -s sub 'olcaccess=*'
olcaccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
anonymou
 s auth by dn="cn=admin,dc=mydomain" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain" write by * read
olcAccess: {3}to attrs=loginShell by dn="cn=admin,dc=mydomain" write by self
 write by * read
olcAccess: {4}to
attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPw
 dMustChange by dn="cn=admin,dc=mydomain" write by self write by * none

I don't get the Administrator bit

ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=mydomain -s sub
"sambasid=$SID-500" dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=mydomain> with scope subtree
# filter: sambasid=-500
# requesting: dn
#

# search result
search: 2
result: 0 Success

# numResponses: 1

When I try to add a new user I get the following
root at sam3dc:/var/lib/samba# smbpasswd -a sadmin
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
New SMB password:
Retype new SMB password:
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
init_ldap_from_sam: Setting entry for user: sadmin
ldapsam_create_user: Unable to get the Domain Users gid: bailing out!
Failed to add entry for user sadmin.
-----------------------------------------------

I then created a user (unix) and added to ldap using the following ldif

dn: uid=sadmin,ou=users,dc=mydomain
uid: sadmin
cn: sadmin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:
{crypt}$6$mpuXYy2Z$z336h96CJBNJNZifnts1JK9QqcMdXAZLKxRIiDUuZ9nyDXefOgbFjCe0h4gfpx.0Ug13JSt0NHpLtpE6brXrz/
shadowLastChange: 17594
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/sh
uidNumber: 1359
gidNumber: 1359
homeDirectory: /home/sadmin

Then tried to add machine to the domain.

Mar  5 01:38:59 Dozer5 slapd[5581]: <= bdb_equality_candidates: (uid) not
indexed
Mar  5 01:38:59 Dozer5 slapd[5581]: <= bdb_equality_candidates: (gidNumber)
not indexed
Mar  5 01:38:59 Dozer5 slapd[5581]: <= bdb_equality_candidates: (gidNumber)
not indexed
Mar  5 01:38:59 Dozer5 slapd[5581]: <= bdb_equality_candidates: (uid) not
indexed
Mar  5 01:38:59 Dozer5 slapd[5581]: <= bdb_equality_candidates: (gidNumber)
not indexed

I have the following in the samba logs for that machine

Failed to get groups from sam account.

So basically it is telling me there are issues with groups, fair enough.
What is the best way to get the groups in ldap? I have tried the pdedit -i
tdbsam -e ldapam, also have tried adding it via the migration tools

The other question I would like to ask is what if I remove the following
bit from smb.conf just to test and use smbldap tools to do the user/machine
management?
  ldapsam:editposix = yes
  ldapsam:trusted = yes

I assume I would have to setup the smbldap.conf and smbldap_bind.conf? What
about the perl script in /usr/share/smbladp.pm?

SID="S-1-5-21-2631908330-1812305667-41686038" (SID of the server)
sambaDomain="mydomain"
ldapTLS="0"
suffix="dc=mydomain"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=mydomain,${suffix}"
scope="sub"
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
userSmbHome="sam3dc\%U"
userProfile="sam3dc\profiles\%U"
smbpasswd="/usr/bin/smbpasswd"
slappasswd="/usr/sbin/slappasswd"

Sorry asking too many questions......

On Mon, Mar 5, 2018 at 11:22 PM, Harry Jede <walk2sun at arcor.de> wrote:

> Am Montag, 5. März 2018, 22:16:36 CET schrieb Rob Thoman:
>
> > Hi Gruss,
>
> >
>
> > At this stage there is only one server, running 3.6.25 on Ubuntu12.04.
>
> > The plan to get LDAP to work on this one. Then add the second server
>
> > 4.x and the promote it to BDC and then demote this one. Just a side
>
> > info, we didn't want to go tdbsam in both as I read it breaks the
>
> > domain trust.
>
> >
>
> > The domain names are real ones.
>
> >
>
> > I ran the commands you suggested, nothing in reply. I tried ldapi://
>
> > and ldap://sam3dc.mydomain .
>
> you are using ubuntu, which use debian slapd packages, so ldapi must
>
> work. The advantage of ldapi: You can access your ldap server as unix
>
> root user vi sasl external authentication. So this two switches must
>
> be used:
>
>
>
> -Y EXTERNAL
>
> -H ldapi:///
>
>
>
> 3 examples returning only the dn:
>
>
>
> very long version (default):
>
> -----
>
> # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -Y EXTERNAL -H
> ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
>
> SASL/EXTERNAL authentication started
>
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>
> SASL SSF: 0
>
> # extended LDIF
>
> #
>
> # LDAPv3
>
> # base <dc=afrika,dc=xx> with scope subtree
>
> # filter: sambasid=S-1-5-21-1507708399-2130971284-2230424465-500
>
> # requesting: dn
>
> #
>
>
>
> # Administrator, people, accounts, afrika.xx
>
> dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
>
>
>
> # search result
>
> search: 2
>
> result: 0 Success
>
>
>
> # numResponses: 2
>
> # numEntries: 1
>
> -----
>
>
>
> short version (without ldif messages):
>
> -----
>
> # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY EXTERNAL
> -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
>
> SASL/EXTERNAL authentication started
>
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>
> SASL SSF: 0
>
> dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
>
>
>
> -----
>
> very short version (without ldif and sasl messages):
>
> -----
>
> # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY EXTERNAL
> -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn 2>/dev/null
>
> dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
>
>
>
> The last version is best for scripting. The SASL messages show
>
> that the user with uidnumber 0 and gidnumber 0, aka root:root
>
> has been authenticated.
>
>
>
>
>
> ldap://sam3dc.mydomain must work with -D and -W or -w secret
>
> # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -xLLL -D
> uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx -W -b
> dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
>
> Enter LDAP Password:
>
> dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
>
>
>
>
>
> >
>
> > Let me run through what I did ,
>
> > /etc/ldap/ldap.conf:
>
> > BASE dc=mydomain
>
> > URI ldap://sam3dc.mydomain
>
> > TLS_CACERT /etc/ldap/ca_certs.pem
>
> >
>
> > Imported the samba.ldif from the 3.6.25 binaries.
>
> >
>
> > Imported the indices
>
> >
>
> > dn: olcDatabase={1}hdb,cn=config
>
> > changetype: modify
>
> > add: olcDbIndex
>
> > olcDbIndex: ou eq
>
> > olcDbIndex: mail eq
>
> > olcDbIndex: surname eq
>
> > olcDbIndex: givenname eq
>
> > olcDbIndex: loginShell eq
>
> > olcDbIndex: uniqueMember eq,pres
>
> > olcDbIndex: sambaSID eq
>
> > olcDbIndex: sambaPrimaryGroupSID eq
>
> > olcDbIndex: sambaGroupType eq
>
> > olcDbIndex: sambaSIDList eq
>
> > olcDbIndex: sambaDomainName eq
>
> > olcDbIndex: default sub
>
> > olcDbIndex: nisMapName eq
>
> > olcDbIndex: nisMapEntry eq
>
> > add: olcAccess
>
> > olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by
>
> > self write by * read
>
> > olcAccess: to
>
> > attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChan
>
> > ge by dn="cn=admin,dc=mydomain" write by self write by * none
>
>
>
>
>
> Here I retrieve the access for openldap as root user.
>
> This works even I dont know the admin password.
>
>
>
> # ldapsearch -LLLY External -H ldapi:/// -b cn=config -s sub 'olcaccess=*'
> olcaccess
>
> SASL/EXTERNAL authentication started
>
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>
> SASL SSF: 0
>
> dn: olcDatabase={-1}frontend,cn=config
>
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=
> external
>
> ,cn=auth manage by * break
>
> olcAccess: {1}to dn.exact="" by * read
>
> olcAccess: {2}to dn.base="cn=Subschema" by * read
>
>
>
> dn: olcDatabase={0}config,cn=config
>
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=
> external
>
> ,cn=auth manage by * break
>
>
>
> dn: olcDatabase={1}hdb,cn=config
>
> olcAccess: {0}to attrs=userPassword by self write by anonymous auth by *
> none
>
> olcAccess: {1}to attrs=shadowLastChange by self write by anonymous read by
> * n
>
> one
>
> olcAccess: {2}to * by self write by dn="cn=admin,dc=afrika,dc=xx" write by
> * r
>
> ead
>
>
>
>
>
> > Did the certificates, confirmed working
>
> >
>
> > Added the following
>
> > dn: ou=users,dc=mydomain
>
> > objectClass: top
>
> > objectClass: organizationalUnit
>
> > ou: users
>
> >
>
> > dn: ou=groups,dc=mydomain
>
> > objectClass: top
>
> > objectClass: organizationalUnit
>
> > ou: groups
>
> >
>
> > dn: ou=idmap,dc=mydomain
>
> > objectClass: top
>
> > objectClass: organizationalUnit
>
> > ou: idmap
>
> >
>
> > dn: ou=computers,dc=mydomain
>
> > objectClass: top
>
> > objectClass: organizationalUnit
>
> > ou: computers
>
> >
>
> > Added the unixdipool as per your email
>
> >
>
> > cat unixidpool.ldif
>
> >
>
> > dn: sambaDomainName=MYDOMAIN,dc=mydomain
>
> >
>
> > changetype: modify
>
> >
>
> > add: objectclass
>
> >
>
> > objectclass: sambaUnixIdPool
>
> >
>
> > -
>
> >
>
> > add: uidnumber
>
> >
>
> > uidnumber: 10000
>
> >
>
> > -
>
> >
>
> > add: gidnumber
>
> >
>
> > gidnumber: 10000
>
> >
>
> >
>
> > Then smbpasswd -a '' bit.
>
> >
>
> > Then did the pdbedit -i tdbsam -e ldapsam. This populated ldap with
>
> > entries from tdb. Then exported the /etc/passwd and /etc/group and
>
> > imported using the migration tool scripts
>
>
>
> OK,
>
>
>
> even if you can not go through ldapi you have admin access to your
>
> ldap server. So modify the commands I have send you and run them.
>
>
>
> You have had a working PDC with tdbsam and then switched to ldapsam
>
> in 2 different ways. "smbldap" and "ldapsam:editposix".
>
>
>
> Some possible failures:
>
> - duplicate system accounts, i.e. administrator
>
> - wrong suffices for user, group and/or machines
>
> - wrong idmap config params
>
>
>
> Check your secrets.tdb to verify these 3 entrys
>
> # tdbdump secrets.tdb |egrep -v '^data|^}|^{'
>
> key(16) = "SECRETS/SID/ALIX"
>
> key(18) = "SECRETS/SID/SCHULE"
>
> key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=afrika,dc=xx"
>
>
>
> The tdbdump utility is in package tdb-tools
>
>
>
>
>
> --
>
>
>
> Gruss
>
> Harry Jede
>