-----Oorspronkelijk bericht-----
Van: nm...@cyanide-studio.com
[mailto:samba-boun...@lists.samba.org] Namens Nathan Mahu
Verzonden: 2011-05-05 14:32
Aan: samba@lists.samba.org
Onderwerp: Re: [Samba] Issue providing seamless migrtion
(3.0.24 to 3.5.6) - sambaNTPassword mystery
Still no idea ?
Anyone knows about sambaNTPasword ?
No one have ever experienced issues doing a seamless migration ?
Le 02/05/2011 11:50, Nathan Mahu a écrit :
Hello everyone,
I am operating a migration of samba from 3.0.24 (mysql
passdb backend)
to 3.5.6 (openldap passdb), samba working as a domain
controller (PDC)
and file share. The main challenge is to provide a seamless
migration
for users.
For this new version, I am using smbldap-tools 0.9.6, nss_ldap,
openldap 2.4. Everything run on FreeBSD 8.2.
To get used to samba, I have managed to make samba 3.5 work as a new
domain, computers joining it, etc... But since I want a seamless
migration, I now try to provide enough information to samba 3.5 to
auth users like the old version.
Currently, I can't achieve to have machine accounts which can be on
the new domain with the samba root login, without joining the domain
through windows manual procedure.
The new domain have the same "netbios name", "workgroup",
domain SID,
local SID. And now the challenge is to fill accounts (users
but first
workstation/machine) in ldap.
I have copy and paste every *.tdb file from the old samba to
the new :
/var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+
smbpasswd file).
Moreover, to test everything, I have a computer which have a
ethernet
interface toward the old working samba, and another one
toward the new
domain. When I try to switch from the old to the new samba,
I shutdown
the right interface, unlog and try to log with the root login of the
new samba (I always wait few minutes in order to have the new pdc
"recognized").
As I read that someone is able to upgrade his samba seamlessly by
shutting down computers& samba (old& new), then starting new samba
then computers, I have tried each time this procedure. However, I
don't believe it is the problem : logs are the same if do the
"shutdown/start" procedure or the simple "unlog/log" procedure.
I put at the end of this mail ldap entries for each step made. So
first, is the reference of a working machine account (achieved by
joining manually the "new" domain) [1].
Here are steps I have made:
1. I'm adding machine account using:
#smbldap-useradd -W machine_account$
Then I provide my machine account the same SID in ldap using:
#pdbedit machine_account$ -U
S-1-5-21-720590779-4203916555-4014520812-11343
The result is [2], and I can't log with it. Logs tell me something
like "Workstation machine_account$ doesn't have a
password"... Indeed,
no sambaNTPassword here !
2. I want to manually provide sambaNTPassword. Here, no
samba command
(pdbedit, smpasswd) provides me a way to do it, the only way I found
is to adding it directly into LDAP (ldapadd or mod,...) [3].
As we could pedict, it doesn't work (log as root). Since
"sambaNTPassword" comes during the manual join procedure, it must be
some kind of exchange between the workstation and the PDC.
3. The second idea is to import the old passdb backend into the new
(ldap) using:
#pdbedit -e tdbsam:export.tdb
on the old PDC, and then on the new PDC:
#pdbedit -i tdbsam:export.tdb
Everything works fine for import/export, giving me [4].
Trying to log
in with this fails : "Failed to find UNIX account for thorin$". If I
add manually fields needed for a UNIX account (objectClass:
posixAccount, etc...), it fails on a "credentials check fails" (same
as step 1 when sambaNTPassword were missing).
CONCLUSION:
In my opinion, it appears that sambaNTPassword is needed for
workstation authentification and can be provided only by joining the
domain manually (Computer -> Manage -> etc...).
Ideas are seriously running out, I find very few stuff about
sambaNTPassword and particularly about when (during the joining
process ?), where (is it stored on workstation ? in a samba file ?
only in the passdb backend ?) and why (security reasons I guess,
avoiding name spoofing etc...? Not a crucial question).
Any help would be welcome !
REFERENCES LDAP ENTRIES:
[1] Working machine account:
---------------------------------------------------------------
----------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: thorin$
uid: thorin$
uidNumber: 1004
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
displayName: THORIN$
sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
sambaPwdLastSet: 1304080571
sambaAcctFlags: [W ]
---------------------------------------------------------------
----------------------------
[2] Machine account from command #smbldap-useradd -W, with a
corrected
SID:
---------------------------------------------------------------
----------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
cn: thorin$
uid: thorin$
uidNumber: 1002
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1304078541
sambaAcctFlags: [W ]
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
displayName: thorin$
sambaDomainName: DOMAIN
---------------------------------------------------------------
----------------------------
[3] Same as above with a sambaNTPassword field entered through LDIF:
---------------------------------------------------------------
----------------------------
// same as above
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
---------------------------------------------------------------
----------------------------
[4] Entry from import:
---------------------------------------------------------------
----------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
uid: thorin$
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaLogonScript: netlogon.bat
sambaLogonTime: 0
sambaLogoffTime: 0
sambaKickoffTime: 0
sambaPwdCanChange: 1303228739
sambaPwdMustChange: 2147483647
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
sambaPasswordHistory:
0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1303228739
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
sambaAcctFlags: [W ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
objectClass: sambaSamAccount
objectClass: account
---------------------------------------------------------------
----------------------------
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
