Hi,

Compare the working computer ldif and the not working ldif. The import ldif is missing
[2]
>>>> objectClass: top
I don't know if it's needed, but you can try it.
If you do getent passwd on the new samba server, does it display your new computer account?

Also, I see in [1]:
>>>> displayName: THORIN$
>>>> uidNumber: 1004
>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003

and in [2]:
>>>> displayName: thorin$
>>>> uidNumber: 1002
>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>> sambaLogonTime: 0
>>>> sambaLogoffTime: 2147483647
>>>> sambaKickoffTime: 2147483647
>>>> sambaPwdCanChange: 0
>>>> sambaPwdMustChange: 2147483647
>>>> sambaPwdLastSet: 1304078541

Make sure of how your computer name (displayName) is written, caps and no caps. I'm trying to narrow down the options here...

Also, the computer [2] looks like a newly created user, not a computer. Is the new computer in the correct OU?

smbldap-useradd --help | grep unit
  -o   add the user in the organizational unit (relative to the user suffix. Ex: 'ou=admin,ou=all')

(see user as computer)

Also, can you try
smbldap-useradd -wi machine_account$
and report back the results.

Louis

>-----Original Message-----
>From: Nathan Mahu [mailto:nm...@cyanide-studio.com]
>Sent: 2011-05-05 18:22
>To: L.P.H. van Belle
>CC: samba@lists.samba.org
>Subject: Re: [Samba] Issue providing seamless migration
>(3.0.24 to 3.5.6) - sambaNTPassword mystery
>
>Sum up: still not working.
>
>Thank you for your attention Louis.
>
>"After updating the LDAP schema, do not forget to re-index the LDAP
>database." - Some Samba guide
>
>1. My schema is up to date since my old PDC wasn't using LDAP (but
>mysql); the new PDC gave its OpenLDAP a fresh schema (3.5.6).
>
>2. However, I've tried reindexing after changes made through raw LDIF. I
>think indexes are just made to speed up search in LDAP, but I am so
>desperate that I tested.
>I remade the third procedure described in my original mail: after each
>modification made through ldif, I have reindexed everything (slapd stop
>- slapindex - slapd start). Nothing new: "credential fail".
>By the way, I have never seen any site saying "after an ldif
>modification, run slapindex".
>
>On 05/05/2011 14:38, L.P.H. van Belle wrote:
>> Did you update your samba.schema in ldap and did you reindex your
>> ldap database?
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original Message-----
>>> From: nm...@cyanide-studio.com
>>> [mailto:samba-boun...@lists.samba.org] On behalf of Nathan Mahu
>>> Sent: 2011-05-05 14:32
>>> To: samba@lists.samba.org
>>> Subject: Re: [Samba] Issue providing seamless migration
>>> (3.0.24 to 3.5.6) - sambaNTPassword mystery
>>>
>>> Still no idea?
>>> Anyone knows about sambaNTPassword?
>>> No one has ever experienced issues doing a seamless migration?
>>>
>>>
>>> On 02/05/2011 11:50, Nathan Mahu wrote:
>>>> Hello everyone,
>>>>
>>>> I am operating a migration of samba from 3.0.24 (mysql passdb backend)
>>>> to 3.5.6 (openldap passdb), samba working as a domain controller (PDC)
>>>> and file share. The main challenge is to provide a seamless migration
>>>> for users.
>>>> For this new version, I am using smbldap-tools 0.9.6, nss_ldap,
>>>> openldap 2.4. Everything runs on FreeBSD 8.2.
>>>>
>>>> To get used to samba, I have managed to make samba 3.5 work as a new
>>>> domain, computers joining it, etc... But since I want a seamless
>>>> migration, I now try to provide enough information to samba 3.5 to
>>>> auth users like the old version.
>>>>
>>>> Currently, I can't manage to have machine accounts which can be on
>>>> the new domain with the samba root login, without joining the domain
>>>> through the windows manual procedure.
>>>> The new domain has the same "netbios name", "workgroup", domain SID,
>>>> local SID. And now the challenge is to fill accounts (users but first
>>>> workstation/machine) in ldap.
>>>> I have copied and pasted every *.tdb file from the old samba to the
>>>> new: /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ smbpasswd
>>>> file).
>>>> Moreover, to test everything, I have a computer which has an ethernet
>>>> interface toward the old working samba, and another one toward the new
>>>> domain. When I try to switch from the old to the new samba, I shut down
>>>> the right interface, log out and try to log in with the root login of
>>>> the new samba (I always wait a few minutes in order to have the new pdc
>>>> "recognized").
>>>> As I read that someone is able to upgrade his samba seamlessly by
>>>> shutting down computers & samba (old & new), then starting new samba
>>>> then computers, I have tried this procedure each time. However, I
>>>> don't believe it is the problem: logs are the same if I do the
>>>> "shutdown/start" procedure or the simple "unlog/log" procedure.
>>>>
>>>> I put at the end of this mail ldap entries for each step made. So
>>>> first is the reference of a working machine account (achieved by
>>>> joining manually the "new" domain) [1].
>>>>
>>>> Here are the steps I have made:
>>>>
>>>> 1. I'm adding the machine account using:
>>>>
>>>> #smbldap-useradd -W machine_account$
>>>>
>>>> Then I provide my machine account the same SID in ldap using:
>>>>
>>>> #pdbedit machine_account$ -U
>>>> S-1-5-21-720590779-4203916555-4014520812-11343
>>>>
>>>> The result is [2], and I can't log in with it. Logs tell me something
>>>> like "Workstation machine_account$ doesn't have a password"... Indeed,
>>>> no sambaNTPassword here!
>>>>
>>>> 2. I want to manually provide sambaNTPassword. Here, no samba command
>>>> (pdbedit, smbpasswd) provides me a way to do it; the only way I found
>>>> is to add it directly into LDAP (ldapadd or mod,...) [3].
>>>>
>>>> As we could predict, it doesn't work (log in as root). Since
>>>> "sambaNTPassword" comes during the manual join procedure, it must be
>>>> some kind of exchange between the workstation and the PDC.
>>>>
>>>> 3. The second idea is to import the old passdb backend into the new
>>>> (ldap) using:
>>>>
>>>> #pdbedit -e tdbsam:export.tdb
>>>> on the old PDC, and then on the new PDC:
>>>>
>>>> #pdbedit -i tdbsam:export.tdb
>>>>
>>>> Everything works fine for import/export, giving me [4]. Trying to log
>>>> in with this fails: "Failed to find UNIX account for thorin$". If I
>>>> manually add the fields needed for a UNIX account (objectClass:
>>>> posixAccount, etc...), it fails on a "credentials check fails" (same
>>>> as step 1 when sambaNTPassword was missing).
>>>>
>>>> CONCLUSION:
>>>> In my opinion, it appears that sambaNTPassword is needed for
>>>> workstation authentication and can be provided only by joining the
>>>> domain manually (Computer -> Manage -> etc...).
>>>>
>>>> Ideas are seriously running out; I find very little about
>>>> sambaNTPassword and particularly about when (during the joining
>>>> process?), where (is it stored on the workstation? in a samba file?
>>>> only in the passdb backend?) and why (security reasons I guess,
>>>> avoiding name spoofing etc...? Not a crucial question).
>>>> Any help would be welcome!
>>>>
>>>>
>>>> REFERENCES LDAP ENTRIES:
>>>>
>>>> [1] Working machine account:
>>>>
>>>> ------------------------------------------------------------------------
>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>> objectClass: top
>>>> objectClass: account
>>>> objectClass: posixAccount
>>>> objectClass: sambaSamAccount
>>>> cn: thorin$
>>>> uid: thorin$
>>>> uidNumber: 1004
>>>> gidNumber: 515
>>>> homeDirectory: /dev/null
>>>> loginShell: /bin/false
>>>> description: Computer
>>>> gecos: Computer
>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
>>>> displayName: THORIN$
>>>> sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
>>>> sambaPwdLastSet: 1304080571
>>>> sambaAcctFlags: [W ]
>>>> ------------------------------------------------------------------------
>>>>
>>>> [2] Machine account from command #smbldap-useradd -W, with a corrected
>>>> SID:
>>>>
>>>> ------------------------------------------------------------------------
>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>> cn: thorin$
>>>> uid: thorin$
>>>> uidNumber: 1002
>>>> gidNumber: 515
>>>> homeDirectory: /dev/null
>>>> loginShell: /bin/false
>>>> description: Computer
>>>> gecos: Computer
>>>> objectClass: posixAccount
>>>> objectClass: account
>>>> objectClass: sambaSamAccount
>>>> sambaLogonTime: 0
>>>> sambaLogoffTime: 2147483647
>>>> sambaKickoffTime: 2147483647
>>>> sambaPwdCanChange: 0
>>>> sambaPwdMustChange: 2147483647
>>>> sambaPwdLastSet: 1304078541
>>>> sambaAcctFlags: [W ]
>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>> sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
>>>> displayName: thorin$
>>>> sambaDomainName: DOMAIN
>>>> ------------------------------------------------------------------------
>>>>
>>>> [3] Same as above with a sambaNTPassword field entered through LDIF:
>>>>
>>>> ------------------------------------------------------------------------
>>>> // same as above
>>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>>> ------------------------------------------------------------------------
>>>>
>>>> [4] Entry from import:
>>>>
>>>> ------------------------------------------------------------------------
>>>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>>>> uid: thorin$
>>>>
>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>> sambaLogonScript: netlogon.bat
>>>> sambaLogonTime: 0
>>>> sambaLogoffTime: 0
>>>> sambaKickoffTime: 0
>>>> sambaPwdCanChange: 1303228739
>>>> sambaPwdMustChange: 2147483647
>>>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>>>> sambaPasswordHistory:
>>>>  0000000000000000000000000000000000000000000000000000000000000000
>>>> sambaPwdLastSet: 1303228739
>>>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>> sambaAcctFlags: [W ]
>>>> sambaBadPasswordCount: 0
>>>> sambaBadPasswordTime: 0
>>>>
>>>> objectClass: sambaSamAccount
>>>> objectClass: account
>>>> ------------------------------------------------------------------------
>>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>
>
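Louis's suggestion to compare the working and the not-working ldif, worked through as an added example that is not part of the thread: a small Python script that parses two LDIF entries and lists every attribute that differs, attaching the smbd message quoted in the thread where a missing attribute or objectClass explains it (no sambaNTPassword, no posixAccount). The entries are cut down from [1] and [2] above, and the sambaNTPassword value is a placeholder rather than the hash posted to the list; the same comparison also applies to an imported entry like [4].

```python
# Added example, not from the thread: diff two LDIF machine-account entries and name
# the smbd symptom quoted above where one applies. Entries are cut down from [1] and
# [2]; the sambaNTPassword value is a placeholder, not the hash posted to the list.
import re
WORKING_LDIF = """\
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: top
objectClass: posixAccount
uidNumber: 1004
sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
displayName: THORIN$
sambaNTPassword: 00000000000000000000000000000000
"""
BROKEN_LDIF = """\
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: posixAccount
uidNumber: 1002
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
displayName: thorin$
"""

SYMPTOMS = {  # what smbd logs in the thread when the attribute (or that value) is absent
    ("sambaNTPassword", None): "Workstation ... doesn't have a password",
    ("objectClass", "posixAccount"): "Failed to find UNIX account (check getent passwd)",
}

def parse_ldif(text):
    """One LDIF entry -> {attribute: set of values}; newline + space unfolds a wrapped value."""
    attrs = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")  # base64 (::) values are not decoded
            attrs.setdefault(name.strip(), set()).add(value.strip())
    return attrs

def compare_entries(working, broken):
    findings = []
    for attr in sorted(set(working) | set(broken)):
        w, b = working.get(attr, set()), broken.get(attr, set())
        if w == b:
            continue
        if {v.lower() for v in w} == {v.lower() for v in b}:  # Louis's caps / no caps check
            findings.append(f"{attr} differs only in case: {sorted(w)} vs {sorted(b)}")
        elif len(w) == 1 and len(b) == 1:
            findings.append(f"{attr} differs: {next(iter(w))} vs {next(iter(b))}")
        else:
            for v in sorted(w - b):
                why = SYMPTOMS.get((attr, v)) or SYMPTOMS.get((attr, None))
                findings.append(f"{attr}: {v} only in working entry" + (f" -> {why}" if why else ""))
            findings.extend(f"{attr}: {v} only in broken entry" for v in sorted(b - w))
    return findings
```

Run `compare_entries(parse_ldif(WORKING_LDIF), parse_ldif(BROKEN_LDIF))` to get one line per difference; feeding it the output of `ldapsearch -LLL` for the two computer objects works the same way.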