Upgrade leaves an inoperate Administrator account [Was: Upgrade from S3 to a Samba4 DC]
Andrew Bartlett
abartlet at samba.org
Tue Sep 20 09:16:04 MDT 2011
On Mon, 2011-09-19 at 22:20 +0200, Pavel Herrmann wrote:
> On Monday 19 of September 2011 16:03:20 Adam Tauno Williams wrote:
> > Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> > > Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> > >> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> > >>> Quoting Adam Tauno Williams <awilliam at whitemice.org>
> > >>>
> > >>>> Quoting Andrew Bartlett <abartlet at samba.org>:
> > >>>>> The command has also been renamed in preparation for the Samba
> > >>>>> 4.0 alpha 17 release, it is now 'samba domain samba3upgrade'.
> > >>>>
> > >>>> I'm puzzled by how to read that. Does that mean I use the
> > >>>> "samba" program to invoke the upgrade? After a git pull the
> > >>>> previous upgrade script is gone; but the syntax to get the same
> > >>>> functionality doesn't seem obvious.
> > >>>> /opt/s4/sbin/samba domain samba3upgrade --help
> > >>>> doesn't provide any insight.
> > >>>
> > >>> Ah ha! You meant "samba-tool domain samba3upgrade"
> > >>
> > >> smbclient --version
> > >> Version 4.0.0alpha18-GIT-fa5475e
> > >> This works, with one bug. It doesn't generate an Administrator
> > >> password (which the previous script would auto-generate one).
> > >> $ export PATH=$PATH:/opt/s4/bin:/opt/s4/sbin
> > >> $ samba-tool domain samba3upgrade --libdir=/tmp/x /tmp/x/smb.conf
> > >> ....
> > >> Server Role: domain controller
> > >> Hostname: BARBEL
> > >> NetBIOS Domain: BACKBONE
> > >> DNS Domain: micore.us
> > >> DOMAIN SID: S-1-5-21-2037442776-**************
> > >> Admin password: None <<<< ????
> > >> Importing WINS database
> > >> Importing Account policy
> > >> ....
> > >> Which then leaves me puzzled how to set an administrator password.
> > >> "samba-tool domain samba3upgrade --help" doesn't mention a
> > >> parameter to predetermine one.
> > >> "samba-tool user password --username=administrator" prompts for a
> > >> password. Entering a blank password doesn't seem to explicitly
> > >> fail but the operation fails with -
> > >> ERROR: Failed to change password : Connection to SAMR pipe of PDC
> > >> of domain 'BACKBONE' failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> > >
> > > linux-hvej:~ # samba-tool domain samba3upgrade --libdir=/tmp/x
> > > --adminpass=somepassword /tmp/x/smb.conf
> > > Usage: samba-tool domain samba3upgrade [options] <samba3_smb_conf>
> > >
> > > samba-tool: error: no such option: --adminpass
> >
> > I can't get to a working Administrator account.
> >
> > --- set the administrator password with "setpassword"
> >
> > linux-hvej:~ # /opt/s4/sbin/samba-tool user setpassword administrator
> > New Password:
> > Changed password OK
> >
> > --- kinit says my password expired, and can't change it (???)
> >
> > linux-hvej:~ # kinit administrator at MICORE.US
> > Password for administrator at MICORE.US:
> > Password expired. You must change it now.
> > Enter new password:
> > Enter it again:
> > kinit: Password has expired while getting initial credentials4
>
> you can try setting passwords to never expire
>
> samba-tool pwsettings set --max-pwd-age=0

If this is required, it means that the password policies were not
upgraded correctly. This was a bug in earlier versions of this tool,
but I thought it had been fixed.

Adam,

If this is still happening with current GIT, can you get me the ldif of
your domain object? I want to check that the maxPwdAge is negative
nanoseconds, not positive seconds. (NTTIME vs unix time).

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
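
Added example (not part of the message above and not Samba's own code): a Python check of a domain object's LDIF for the sign problem the reply asks about. Active Directory stores maxPwdAge and minPwdAge as negative counts of 100-nanosecond intervals; the sample LDIF and the function name check_domain_ldif are constructed for illustration.

```python
import re

TICKS_PER_DAY = 10_000_000 * 86_400   # 100 ns intervals in one day
INT64_MIN = -(2 ** 63)                # stored value meaning "never"
AGE_ATTRS = {"maxpwdage", "minpwdage"}

# Constructed sample LDIF (not taken from the thread).
SAMPLE_OK = """\
dn: DC=example,DC=com
maxPwdAge: -36288000000000
minPwdAge: -864000000000
"""
SAMPLE_BAD = """\
dn: DC=example,DC=com
maxPwdAge: 3628800
minPwdAge: 0
"""

def check_domain_ldif(ldif_text):
    """Map each password-age attribute to (status, days).

    status is "ok" (negative interval count), "disabled" (0 or INT64_MIN)
    or "suspect" (positive, so probably written as Unix seconds).
    """
    results = {}
    for line in ldif_text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(-?\d+)\s*$", line)
        if not m or m.group(1).lower() not in AGE_ATTRS:
            continue
        name, value = m.group(1), int(m.group(2))
        if value in (0, INT64_MIN):
            results[name] = ("disabled", None)
        elif value < 0:
            results[name] = ("ok", -value / TICKS_PER_DAY)
        else:
            # Positive: interpret as seconds to show what was likely meant.
            results[name] = ("suspect", value / 86_400)
    return results

if __name__ == "__main__":
    for label, ldif in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        for attr, (status, days) in check_domain_ldif(ldif).items():
            print(f"{label}: {attr} -> {status} ({days} days)")
```

A "suspect" result on maxPwdAge is the case the reply describes: a 42-day policy written as 3628800 seconds instead of the negative interval count.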