[Samba] samba 4.9.5 - joining Samba DC to existing Samba AD failed

Franta Hanzlík franta at hanzlici.cz
Wed Mar 27 02:50:11 UTC 2019


On Tue, 26 Mar 2019 09:29:41 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 26 Mar 2019 05:18:20 +0100
> Franta Hanzlík <franta at hanzlici.cz> wrote:
> 
> > Hi Tim and Rowland, thanks for Your support!
> > I was thinking about e.g. Python 2.7.15 compatibility (as newer Samba
> > versions require Python3), but You are right, here in the DB there can
> > be a problem
> >  - the first Samba AD DC was created by migrating a Samba3 NT4 domain to
> > Samba4 AD about a week ago (using 'samba-tool domain classicupgrade ...',
> > according to the Samba Wiki):
> > 
> > [root at dc1 samba]# samba-tool dbcheck
> > Checking 701 objects
> > NOTE: old (due to rename or delete) DN string component for
> > lastKnownParent in object CN=RID
> > Set\0ADEL:2df6a1a3-2a54-4385-ae71-5d95b1348310,CN=Deleted
> > Objects,DC=zamecek,DC=home - CN=DC2-LYNX,OU=Domain
> > Controllers,DC=zamecek,DC=home Not fixing old string component   
> 
> You can ignore lines like that, the '\0ADEL' means it is a deleted
> object and will eventually go away.
> 
> 
> > > 2. Try dumping the object it's failing on, just to see if there's
> > > anything odd with the objectClass attributes. E.g.
> > > ldbsearch -H ldap://$SERVER -b
> > > 'CN=Administrator,CN=Users,DC=zamecek,DC=home'    
> > 
> > [root at dc1 samba]# ldbsearch
> > -H /var/lib/samba/private/sam.ldb.d/DC=ZAMECEK,DC=HOME.ldb
> > '(CN=Administrator)'   
> 
> Do not touch the files found under 'sam.ldb.d', use the 'sam.ldb' file
> instead, or use 'ldbsearch' as shown; not that it would work for
> what you require, it should have been something like this:
> 
> ldbsearch -H ldap://dc4 -UAdministrator -b
> 'CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com' -s base
> nTSecurityDescriptor
> 
> Which (after you enter Administrator's password) should produce
> something like this:
> 
> # record 1
> dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
> nTSecurityDescriptor: O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
>  CRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;
>  ;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-1
>  1d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(O
>  A;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1
>  -aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA
>  ;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768
>  -00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;A
>  U)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1
>  -aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;
>  RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-0
>  0aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf
>  967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58
>  d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32
>  -561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;CIIOID;
>  RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;
>  RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-0
>  0aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-14
>  37-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf
>  ;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-902
>  0-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-7
>  9a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID
>  ;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28
>  ;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-
>  00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1
>  437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f93
>  9;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-85
>  4e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6
>  d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CII
>  D;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e
>  2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;
>  RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPLCLORC;;bf967aba
>  -0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff
>  4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;R
>  PWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f8
>  0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-
>  11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

I'm still confused, there is something I still miss, some joining piece:
'ldbsearch', used as You recommended, fails with the error '-U: unknown option':
[root at dc1 samba]# ldbsearch -H ldap://dc1 -U Administrator -b 'CN=Administrator,CN=Users,DC=zamecek,DC=home' -s base nTSecurityDescriptor
Invalid option -U: unknown option
Usage: ldbsearch <options> <expression> <attrs...>
Usage: [OPTION...]
  -H, --url=URL                   database URL
  -b, --basedn=DN                 base DN
...

Should I use ldapsearch instead?

All I'm able to get is (pointing to 'sam.ldb'):

[root at dc1 samba]# LDB_MODULES_PATH="/usr/lib64/samba/ldb/" ldbsearch -H /var/lib/samba/private/sam.ldb '(CN=Administrator)' nTSecurityDescriptor
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# record 1
dn: CN=Administrator,CN=Users,DC=zamecek,DC=home
nTSecurityDescriptor: O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
 CRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;
 ;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-1
 1d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(O
 A;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1
 -aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(OA
 ;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768
 -00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;A
 U)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77b5b886-944a-11d1
 -aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;
 RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-0
 0aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf
 967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58
 d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32
 -561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;CIIOID;
 RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;
 RU)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-0
 0aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-14
 37-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf
 ;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-902
 0-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;bc0ac240-7
 9a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID
 ;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28
 ;RU)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-
 00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1
 437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f93
 9;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-85
 4e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6
 d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CII
 D;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e
 2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;
 RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPLCLORC;;bf967aba
 -0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff
 4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;R
 PWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f8
 0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-
 11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

# Referral
ref: ldap://zamecek.home/CN=Configuration,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=DomainDnsZones,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=ForestDnsZones,DC=zamecek,DC=home

# returned 4 records
# 1 entries
# 3 referrals

or:

[root at dc1 samba]# LDB_MODULES_PATH="/usr/lib64/samba/ldb/" ldbsearch -H /var/lib/samba/private/sam.ldb '(CN=Administrator)' 
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# record 1
dn: CN=Administrator,CN=Users,DC=zamecek,DC=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: posixAccount
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20190227200715.0Z
uSNCreated: 3626
name: Administrator
objectGUID: 17f000a0-dfd2-46a1-a96d-3e6b55438d92
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-9998-9997-9996-500
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zamecek,DC=home
isCriticalSystemObject: TRUE
pwdLastSet: 131960948110000000
memberOf: CN=Domain Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Schema Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Enterprise Admins,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Group Policy Creator Owners,OU=System_Groups,DC=zamecek,DC=home
memberOf: CN=Administrators,CN=Builtin,DC=zamecek,DC=home
gidNumber: 1103
uidNumber: 0
loginShell: /bin/bash
unixHomeDirectory: /root
lastLogonTimestamp: 131976602069696270
whenChanged: 20190321164326.0Z
uSNChanged: 9904
lastLogon: 131981261571043650
logonCount: 621
distinguishedName: CN=Administrator,CN=Users,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/CN=Configuration,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=DomainDnsZones,DC=zamecek,DC=home

# Referral
ref: ldap://zamecek.home/DC=ForestDnsZones,DC=zamecek,DC=home

# returned 4 records
# 1 entries
# 3 referrals

Is it usable?


> > unicodePwd::  
> 
> I would change Administrators password, you have given it to the
> world ;-)

Thanks, You are right, but it is a one-time password and this network is
not world-accessible. It seems the other problems I have may be bigger ;)

Franta
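The nTSecurityDescriptor values above are printed in SDDL form, and reading them by eye is error-prone; the following is an added example (not from the thread, and not Samba's own tooling, whose Python bindings can also decode SDDL) that splits such a string into its ACEs and lists which trustees hold the rights that control the object itself. The sample string is a constructed, shortened copy of the Administrator descriptor quoted above.

```python
import re

# Constructed sample: the first few ACEs of the Administrator
# nTSecurityDescriptor quoted in the thread (shortened, not the full dump).
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;PS)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OA;CIID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)"
    "S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;;WD)"
)
# Generic rights that let a trustee take over the object itself.
CONTROL_RIGHTS = {"WD": "WRITE_DAC", "WO": "WRITE_OWNER", "SD": "DELETE"}


def parse_sddl(sddl):
    """Split SDDL into owner, group and the DACL/SACL flag string plus ACE dicts."""
    out = {"owner": None, "group": None, "dacl": ("", []), "sacl": ("", [])}
    # SDDL never puts ':' inside an ACE, so splitting before O:/G:/D:/S: is safe.
    for part in filter(None, re.split(r"(?=[OGDS]:)", sddl)):
        key, body = part[0], part[2:]
        if key in "OG":
            out["owner" if key == "O" else "group"] = body
            continue
        aces = []
        for raw in re.findall(r"\(([^)]*)\)", body):
            f = raw.split(";")           # type;flags;rights;object;inherit;trustee
            if len(f) != 6:
                raise ValueError("malformed ACE: " + raw)
            # Rights are two-letter codes, or a raw hex mask in some descriptors.
            rights = f[2] if f[2].startswith("0x") else re.findall("..", f[2])
            aces.append({"type": f[0], "flags": f[1], "rights": rights,
                         "object": f[3], "inherit_object": f[4], "trustee": f[5]})
        out["dacl" if key == "D" else "sacl"] = (body.split("(", 1)[0], aces)
    return out


def control_grants(sddl):
    """Trustees granted WRITE_DAC, WRITE_OWNER or DELETE by plain allow ACEs."""
    grants = []
    for ace in parse_sddl(sddl)["dacl"][1]:
        if ace["type"] == "A" and isinstance(ace["rights"], list):
            grants += [(ace["trustee"], CONTROL_RIGHTS[c])
                       for c in ace["rights"] if c in CONTROL_RIGHTS]
    return grants


if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("owner:", sd["owner"], "dacl flags:", sd["dacl"][0])
    for trustee, right in control_grants(SAMPLE_SDDL):
        print(f"{trustee}: {right}")
```

Run it against the full string from an 'ldbsearch ... nTSecurityDescriptor' dump (joined back into one line) to see every ACE as a dict and to spot unexpected trustees with control rights.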


