Thank you one more time for your help, Louis! But I still fail :-(

### FIRST ANSWER ###

Back to my first mail, the third step (ldif [3]): I was saying "adding posixAccount object", but I added the "top" object too. That was the idea: comparing a working LDIF with the others and manually tweaking each field.

Concerning the "getent passwd", I see every account that has a "posixAccount" object filled. It works for both automatic & manual add of the posixAccount part. More precisely, when it misses "posixAccount", logs tell me about it; when I add it manually (ldif process), it finds the Unix account.

About "displayName: THORIN$", it is filled when I manually joined the domain to create the working LDIF. I have tried 2 or 3 times to add it, but honestly, I think a "displayName" is only superficial stuff... Moreover, with a thorin$ account WITHOUT displayName, in samba logs requests to ldap are made with "THORIN$" and acknowledged with "thorin$ found". It uses the cn field; I really don't think displayName is important.

"The [2] ldif looks like a user account". I don't get what makes you think that. However, user accounts and machine accounts are really close in samba. Cn names have a $ for computers, and each time (for [1] to [3]) it is "dn: uid=thorin$,ou=Computers,dc=domain,dc=com", meaning it is in the right OU. Accounts added by smbldap-tools go in the right OU according to whether it is a machine or user account.

Finally, "smbldap-useradd -wi machine_account$" fails with the following log: "WORKSTATION secure channel requested but not a workstation trust account" [...] "failed to get machine password for account THORIN$ : NT_STATUS_NO_TRUST_SAM_ACCOUNT". Important about this: the LDIF presents flags as [UX] and not the good old machine flag [W]... I'm not sure trust account stuff is for a simple workstation but honestly, I haven't read much about it.


On 06/05/2011 09:28, L.P.H. van Belle wrote:
Hi,

Compare the working computer LDIF and the not working LDIF.
The import LDIF is missing
[2]
objectClass: top
I don't know if it's needed, but you can try it.

If you do getent passwd on the new samba server, does it display your new computer account?
Also, I see:
in [1]
displayName: THORIN$
uidNumber: 1004
sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
and [2]
displayName: thorin$
uidNumber: 1002
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1304078541
Make sure of how your computer name (displayName) is written, caps and no caps.
I'm trying to narrow down the options here..
Also the computer [2] looks like a newly created user, not a computer.

Is the new computer in the correct OU?
smbldap-useradd --help | grep unit
-o add the user in the organizational unit (relative to the user suffix. Ex: 'ou=admin,ou=all')
( see user as computer )

Also, can you try
smbldap-useradd -wi machine_account$
and report back the results.


Louis
On 06/05/2011 09:32, L.P.H. van Belle wrote:
And I found this.

"When migrating an existing machine account, you also have to invoke
smbldap-useradd -a computername$ after creating the account in order to
allow storing of encrypted password into the sambaNTPassword entry."

Louis

### SECOND ANSWER ###

I think it is very like using "smbldap-useradd -W thorin$"... However I have made some tries to create the account in two steps, after importing the machine account, or after creating it manually with only -w, etc...

Always fails with the "credential checks" wrong.

Moreover, I found this: http://www.mail-archive.com/linux-390@vm.marist.edu/msg30492.html It seems it is possible to enter the missing fields (sambaNTPassword) with a simple ldif and make it work. I tried 3 or 4 times with different approaches (import machine account, manual create, etc..). SAME ERROR.

I really don't get it. And it really lacks some documentation on low level functionalities to create some little hacks to be able to proceed with a seamless migration.

-----Original message-----
From: Nathan Mahu [mailto:nm...@cyanide-studio.com]
Sent: 2011-05-05 18:22
To: L.P.H. van Belle
CC: samba@lists.samba.org
Subject: Re: [Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery

Sum up: still doesn't work.

Thank you for your attention Louis.

"After updating the LDAP schema, do not forget to re-index the LDAP
database." - Some Samba-guide

1. My schema is up to date since my old PDC wasn't using LDAP (but mysql); the new PDC gave its OpenLDAP a fresh schema (3.5.6).

2. However, I've tried reindexing after changes made through raw LDIF. I think indexes are just made to speed up search in LDAP, but I am so desperate that I tested.
I remade the third procedure described in my original mail: after each modification made through ldif, I have reindexed everything (slapd stop - slapindex - slapd start). Nothing new: "credential fail".
By the way, I have never seen any site saying "after an ldif modification, run slapindex".

On 05/05/2011 14:38, L.P.H. van Belle wrote:
Did you update your samba.schema in ldap and did you reindex your ldap database?
Greetz,

Louis

-----Original message-----
From: nm...@cyanide-studio.com [mailto:samba-boun...@lists.samba.org] On behalf of Nathan Mahu
Sent: 2011-05-05 14:32
To: samba@lists.samba.org
Subject: Re: [Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery

Still no idea?
Does anyone know about sambaNTPassword?
Has no one ever experienced issues doing a seamless migration?


On 02/05/2011 11:50, Nathan Mahu wrote:
Hello everyone,

I am operating a migration of samba from 3.0.24 (mysql passdb backend) to 3.5.6 (openldap passdb), samba working as a domain controller (PDC) and file share. The main challenge is to provide a seamless migration for users.
For this new version, I am using smbldap-tools 0.9.6, nss_ldap, openldap 2.4. Everything runs on FreeBSD 8.2.

To get used to samba, I have managed to make samba 3.5 work as a new domain, computers joining it, etc... But since I want a seamless migration, I now try to provide enough information to samba 3.5 to auth users like the old version.

Currently, I can't manage to have machine accounts which can be on the new domain with the samba root login, without joining the domain through the Windows manual procedure.
The new domain has the same "netbios name", "workgroup", domain SID, local SID. And now the challenge is to fill accounts (users, but first workstation/machine) in ldap.
I have copied and pasted every *.tdb file from the old samba to the new: /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ smbpasswd file).
Moreover, to test everything, I have a computer which has an ethernet interface toward the old working samba, and another one toward the new domain. When I try to switch from the old to the new samba, I shut down the right interface, log out and try to log in with the root login of the new samba (I always wait a few minutes in order to have the new pdc "recognized").
As I read that someone is able to upgrade his samba seamlessly by shutting down computers & samba (old & new), then starting the new samba, then the computers, I have tried this procedure each time. However, I don't believe it is the problem: logs are the same if I do the "shutdown/start" procedure or the simple "unlog/log" procedure.

I put at the end of this mail the ldap entries for each step made. So first is the reference of a working machine account (achieved by joining manually the "new" domain) [1].

Here are steps I have made:

1. I'm adding the machine account using:

#smbldap-useradd -W machine_account$

Then I provide my machine account the same SID in ldap using:

#pdbedit machine_account$ -U S-1-5-21-720590779-4203916555-4014520812-11343

The result is [2], and I can't log in with it. Logs tell me something like "Workstation machine_account$ doesn't have a password"... Indeed, no sambaNTPassword here!

2. I want to manually provide sambaNTPassword. Here, no samba command (pdbedit, smbpasswd) provides me a way to do it; the only way I found is to add it directly into LDAP (ldapadd or mod,...) [3].

As we could predict, it doesn't work (log in as root). Since "sambaNTPassword" comes during the manual join procedure, it must be some kind of exchange between the workstation and the PDC.

3. The second idea is to import the old passdb backend into the new (ldap) using:

#pdbedit -e tdbsam:export.tdb
on the old PDC, and then on the new PDC:

#pdbedit -i tdbsam:export.tdb

Everything works fine for import/export, giving me [4]. Trying to log in with this fails: "Failed to find UNIX account for thorin$". If I add manually the fields needed for a UNIX account (objectClass: posixAccount, etc...), it fails on a "credentials check fails" (same as step 1 when sambaNTPassword was missing).

CONCLUSION:
In my opinion, it appears that sambaNTPassword is needed for workstation authentication and can be provided only by joining the domain manually (Computer -> Manage -> etc...).

Ideas are seriously running out; I find very little stuff about sambaNTPassword and particularly about when (during the joining process?), where (is it stored on the workstation? in a samba file? only in the passdb backend?) and why (security reasons I guess, avoiding name spoofing etc...? Not a crucial question).
Any help would be welcome!


REFERENCES LDAP ENTRIES:

[1] Working machine account:

---------------------------------------------------------------------------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: thorin$
uid: thorin$
uidNumber: 1004
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
displayName: THORIN$
sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
sambaPwdLastSet: 1304080571
sambaAcctFlags: [W          ]

---------------------------------------------------------------------------------------------
[2] Machine account from command #smbldap-useradd -W, with a corrected SID:

---------------------------------------------------------------------------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
cn: thorin$
uid: thorin$
uidNumber: 1002
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1304078541
sambaAcctFlags: [W          ]
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
displayName: thorin$
sambaDomainName: DOMAIN

---------------------------------------------------------------------------------------------
[3] Same as above with a sambaNTPassword field entered through LDIF:
---------------------------------------------------------------------------------------------
// same as above
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B

---------------------------------------------------------------------------------------------
[4] Entry from import:

---------------------------------------------------------------------------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
uid: thorin$

sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaLogonScript: netlogon.bat
sambaLogonTime: 0
sambaLogoffTime: 0
sambaKickoffTime: 0
sambaPwdCanChange: 1303228739
sambaPwdMustChange: 2147483647
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1303228739
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
sambaAcctFlags: [W          ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0

objectClass: sambaSamAccount
objectClass: account

---------------------------------------------------------------------------------------------
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
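An added example, not code from this thread or from smbldap-tools: a small Python checker that parses a machine-account LDIF entry and reports which of the attributes present in the working entry [1] are missing, mapping each gap to the Samba error quoted in the thread (no posixAccount, no sambaNTPassword, sambaAcctFlags without W). The entries inside the block are constructed to mirror [1], [2] and [4]; the SIDs and the NT hash are placeholders.

```python
# Added example, not code from the thread: parse a machine-account LDIF entry and
# report which of the attributes present in the working entry [1] are missing.
# The sample entries are constructed; the SIDs and NT hash below are placeholders.
def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}, folding RFC 2849
    continuation lines (lines starting with a single space)."""
    entry = {}
    for line in text.replace("\n ", "").splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            entry.setdefault(key, []).append(value.strip())
    return entry

def check_machine_account(entry):
    """Return problems, each tied to the Samba error quoted in the thread."""
    problems = []
    classes = set(entry.get("objectClass", []))
    if "posixAccount" not in classes or not {"uidNumber", "gidNumber"} <= entry.keys():
        problems.append("no posixAccount/uidNumber/gidNumber: 'Failed to find UNIX account'")
    if "sambaSamAccount" not in classes:
        problems.append("no sambaSamAccount objectClass")
    if not entry.get("sambaNTPassword"):
        problems.append("no sambaNTPassword: 'Workstation ... doesn't have a password'")
    if "W" not in entry.get("sambaAcctFlags", [""])[0]:
        problems.append("sambaAcctFlags lacks W: NT_STATUS_NO_TRUST_SAM_ACCOUNT")
    if not entry.get("uid", [""])[0].endswith("$"):
        problems.append("uid does not end with '$', not a machine account name")
    return problems

# WORKING mirrors [1]; SMBLDAP_ONLY mirrors [2] (no NT hash); IMPORTED mirrors [4] (no posixAccount).
WORKING = """dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: thorin$
uidNumber: 1004
gidNumber: 515
sambaSID: S-1-5-21-0-0-0-1003
sambaNTPassword: 00000000000000000000000000000000
sambaAcctFlags: [W          ]
"""
SMBLDAP_ONLY = WORKING.replace("sambaNTPassword: 00000000000000000000000000000000\n", "")
IMPORTED = """dn: uid=thorin$,ou=Computers,dc=domain,dc=com
uid: thorin$
sambaSID: S-1-5-21-0-0-0-11343
sambaNTPassword: 00000000000000000000000000000000
sambaAcctFlags: [W          ]
objectClass: sambaSamAccount
"""
```

Run `check_machine_account(parse_ldif(text))` on an entry dumped with ldapsearch to see which of the three gaps from the thread it has; an empty list means it carries everything the working entry [1] carries.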