[Samba] Machine accounts, Samba 3, NT Domain migration
Problem: Cannot get Windows XP client to logon onto domain when using on the fly machine provisioning
Version: SAMBA version 3.0.3-5
OS: Fedora 2 (and other Redhat flavours)
Workaround: Change the name of your workstation to ALL BE lower case
Notes: Finally I've cracked this auto machine provisioning issue. It's taken me 4 bloody hours! YOU MUST HAVE lower CASE MACHINE NAMES. They must be completely lower case. Can someone in the Samba team please make a note about this? I've not found anything about this on the web anywhere.

Paul Thompson
-- 
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
On Sat, 2004-03-27 at 17:42, Beast wrote:
> * Andrew Bartlett [EMAIL PROTECTED] wrote:
> > 'net rpc samdump' should do what you need.
>
> Wew, it can dump all sam without asking for admin password ;-)

Only because it already has a BDC account.

> However, it always gives a segmentation fault error after retrieving groups. Nevermind, it already gets all accounts anyway... I'll try it on a client and let you know.
>
> > > Also, net rpc vampire has a few advantages over pwdump, it can retrieve groups where pwdump can not.
> >
> > pwdump was a quick hack, from what I understand...
>
> I wish I knew this tool before ;-(. However I can confirm that pwdump was able to get 100% of correct accounts if the client was joined recently. Tested on hundreds of clients on different domains.

Quick hacks can work very well, but my vague understanding is that it was written to demonstrate that it could be done. We wrote 'net rpc vampire' to do it properly, because we can do it all over the network, just like an NT4 BDC can.

Andrew Bartlett
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* Andrew Bartlett [EMAIL PROTECTED] wrote:
> > Well, congratulations. Most likely you need to rejoin all of your clients before running rpc vampire. After this step is complete, you can then login from client to samba domain without rejoining again.
>
> You should *never* have to rejoin clients. Ever. That is the point of a vampired system. If there are situations where you do have to rejoin

Andrew, I'd love to be wrong here, but I'm afraid not. I've just vampired again using the latest smbldap script, but it still has weird results. Here's the summary, comparing pwdump.exe result vs rpc vampire:

1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1 NThash on rpc-Vampire, passwd is different.
2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as LANMANHASH in PWD.
3. No valid hash in PWD (only ), but has valid NTHASH in VMP.
4. Valid PWD, valid VMP and both are same.

On rpc-vampire, from a total of 638 machines, 448 are only having an NTpassword hash entry. Is it ok for a machine account to have only one hash? (I can not try it right now because the site is in another city).

> machines, then this is either a bug, or administrator error (such as not

Bug in samba or smb-ldap script? Where should I report the bug?

> having valid machine accounts in /etc/passwd or equiv).

I'm afraid not. I've successfully migrated hundreds of machines, so hopefully I understand what is required ;-)

> Andrew Bartlett

--beast
Re: [Samba] Machine accounts, Samba 3, NT Domain migration
On Sat, 2004-03-27 at 00:36, Beast wrote:
> * Andrew Bartlett [EMAIL PROTECTED] wrote:
> > > Well, congratulations. Most likely you need to rejoin all of your clients before running rpc vampire. After this step is complete, you can then login from client to samba domain without rejoining again.
> >
> > You should *never* have to rejoin clients. Ever. That is the point of a vampired system. If there are situations where you do have to rejoin
>
> Andrew, I'd love to be wrong here, but I'm afraid not. I've just vampired again using the latest smbldap script, but it still has weird results. Here's the summary, comparing pwdump.exe result vs rpc vampire:
>
> 1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1 NThash on rpc-Vampire, passwd is different.
> 2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as LANMANHASH in PWD.
> 3. No valid hash in PWD (only ), but has valid NTHASH in VMP.
> 4. Valid PWD, valid VMP and both are same.
>
> On rpc-vampire, from a total of 638 machines, 448 are only having an NTpassword hash entry. Is it ok for a machine account to have only one hash? (I can not try it right now because the site is in another city).

Only the NT password matters, except on 3.0.2 and 3.0.2a. Later CVS fixed an issue where the NT password not being present caused a bug (account would be marked disabled).

Andrew Bartlett
Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* Andrew Bartlett [EMAIL PROTECTED] wrote:
> > 1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1 NThash on rpc-Vampire, passwd is different.
> > 2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as LANMANHASH in PWD.
> > 3. No valid hash in PWD (only ), but has valid NTHASH in VMP.
> > 4. Valid PWD, valid VMP and both are same.
> >
> > On rpc-vampire, from a total of 638 machines, 448 are only having an NTpassword hash entry. Is it ok for a machine account to have only one hash? (I can not try it right now because the site is in another city).
>
> Only the NT password matters, except on 3.0.2 and 3.0.2a. Later CVS fixed an issue where the NT password not being present caused a bug (account would be marked disabled).

1. In which tool do we trust the output? pwdump or rpc vampire? Why is the output different?

2. Does this mean I can not use 3.0.2 or 3.0.2a if I don't have a LANMAN hash? Note: this 'feature' is marked as 'bug' by jerry and has been fixed. Is it safe to have NT hash only on production? http://lists.samba.org/archive/samba/2004-March/082989.html

3. Thanks.

> Andrew Bartlett

--beast
Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
On Sat, 2004-03-27 at 13:12, Beast wrote:
> * Andrew Bartlett [EMAIL PROTECTED] wrote:
> > > 1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1 NThash on rpc-Vampire, passwd is different.
> > > 2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as LANMANHASH in PWD.
> > > 3. No valid hash in PWD (only ), but has valid NTHASH in VMP.
> > > 4. Valid PWD, valid VMP and both are same.
> > >
> > > On rpc-vampire, from a total of 638 machines, 448 are only having an NTpassword hash entry. Is it ok for a machine account to have only one hash? (I can not try it right now because the site is in another city).
> >
> > Only the NT password matters, except on 3.0.2 and 3.0.2a. Later CVS fixed an issue where the NT password not being present caused a bug (account would be marked disabled).
>
> 1. In which tool do we trust the output? pwdump or rpc vampire? Why is the output different?

Well, I understand how 'net rpc vampire' functions, and as it makes *exactly* the same calls that an NT BDC makes, I consider it to be the 'correct' output. I have not looked at the pwdump source, nor had any experience using it, so I don't know why its output would differ.

> 2. Does this mean I can not use 3.0.2 or 3.0.2a if I don't have a LANMAN hash?

This is correct.

> Note: this 'feature' is marked as 'bug' by jerry and has been fixed. Is it safe to have NT hash only on production? http://lists.samba.org/archive/samba/2004-March/082989.html

It is safe to have NT hash only in production, on versions of Samba that support this, because for many account types (machine accounts in particular, also accounts with strlen(pw) > 14) the NT hash is the only valid hash. The practise (on machine accounts) of setting the NT and LM passwords to the same value derives from the need to avoid having a NULL LM password, where that might mean 'all passwords'. Samba no longer makes those assumptions, and has not for a long time, so in the very near future, this will be removed.

Andrew Bartlett
Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* Andrew Bartlett [EMAIL PROTECTED] wrote:
> > 1. In which tool do we trust the output? pwdump or rpc vampire? Why is the output different?
>
> Well, I understand how 'net rpc vampire' functions, and as it makes *exactly* the same calls that an NT BDC makes, I consider it to be the 'correct' output.

Just a wish, is it possible to get a pwdump.exe version of net rpc vampire? So we can get the hashes output without installing full blown samba and *script? It is then up to the administrator what to do with the output; this is the cleanest solution if you already have existing accounts in ldap. Also, net rpc vampire has a few advantages over pwdump, it can retrieve groups where pwdump can not.

> I have not looked at the pwdump source, nor had any experience using it, so I don't know why its output would differ.
>
> > 2. Does this mean I can not use 3.0.2 or 3.0.2a if I don't have a LANMAN hash?
>
> This is correct.

Sorry for asking again here, can I use samba 3.0.3pre1? Since I can't use older versions of samba. Just to make sure...

> > Note: this 'feature' is marked as 'bug' by jerry and has been fixed. Is it safe to have NT hash only on production? http://lists.samba.org/archive/samba/2004-March/082989.html
>
> It is safe to have NT hash only in production, on versions of Samba that support this, because for many account types (machine accounts in particular, also accounts with strlen(pw) > 14) the NT hash is the only valid hash. The practise (on machine accounts) of setting the NT and LM passwords to the same value derives from the need to avoid having a NULL LM password, where that might mean 'all passwords'. Samba no longer makes those assumptions, and has not for a long time, so in the very near future, this will be removed.

Thanks, you really saved my life ;-)

--beast
Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
On Sat, 2004-03-27 at 15:55, Beast wrote:
> * Andrew Bartlett [EMAIL PROTECTED] wrote:
> > > 1. In which tool do we trust the output? pwdump or rpc vampire? Why is the output different?
> >
> > Well, I understand how 'net rpc vampire' functions, and as it makes *exactly* the same calls that an NT BDC makes, I consider it to be the 'correct' output.
>
> Just a wish, is it possible to get a pwdump.exe version of net rpc vampire? So we can get the hashes output without installing full blown samba and *script? It is then up to the administrator what to do with the output; this is the cleanest solution if you already have existing accounts in ldap.

'net rpc samdump' should do what you need.

> Also, net rpc vampire has a few advantages over pwdump, it can retrieve groups where pwdump can not.

pwdump was a quick hack, from what I understand...

> > I have not looked at the pwdump source, nor had any experience using it, so I don't know why its output would differ.
> >
> > > 2. Does this mean I can not use 3.0.2 or 3.0.2a if I don't have a LANMAN hash?
> >
> > This is correct.
>
> Sorry for asking again here, can I use samba 3.0.3pre1? Since I can't use older versions of samba. Just to make sure...

You can.

Andrew Bartlett
Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* Andrew Bartlett [EMAIL PROTECTED] wrote:
> 'net rpc samdump' should do what you need.

Wew, it can dump all sam without asking for admin password ;-)
However, it always gives a segmentation fault error after retrieving groups. Nevermind, it already gets all accounts anyway... I'll try it on a client and let you know.

> > Also, net rpc vampire has a few advantages over pwdump, it can retrieve groups where pwdump can not.
>
> pwdump was a quick hack, from what I understand...

I wish I knew this tool before ;-(. However I can confirm that pwdump was able to get 100% of correct accounts if the client was joined recently. Tested on hundreds of clients on different domains.

--beast
[Samba] Machine accounts, Samba 3, NT Domain migration
Greetings everyone

I finally succeeded in doing the seemingly most difficult thing, following directions. I got my act together configuring the smb.conf and migrating using net rpc vampire into tdbsam. There are issues with this migration in which computer netbios names, which are obviously all uppercase, were not being created in /etc/passwd. I put my C cap on and converted the computer names to lowercase before handing them over to the add machine script. When I join a machine to the domain, it works beautifully, but there is a problem with the migrated machine accounts. No machine can log on because its account is not valid on the samba DC. The way I structured my add machine shell script is this:

    #!/bin/sh
    str=`/etc/samba/convert $1`
    useradd -d /dev/null -g machines -s /bin/false -M $str
    passwd -l $str
    compname=`echo $str | cut -f1 -d$`
    smbpasswd -a -m -n $compname

I must be doing something unnecessary here for the migrated machine accounts not to work. Can someone throw some light on this? I am sorry if this has already been answered. It must have, but I couldn't find it using any searches that my limited intellect could come up with on the list archives. Appreciate your time.

Saqib Ilyas
Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* M Saqib Ilyas [EMAIL PROTECTED] wrote:
> Greetings everyone
>
> I finally succeeded in doing the seemingly most difficult thing, following directions. I got my act together configuring the smb.conf and migrating using net rpc vampire into tdbsam. There are issues with this migration in which computer netbios names, which are obviously all uppercase, were not being created in /etc/passwd. I put my C cap on and converted the computer names to lowercase before handing them over to the add machine script. When I join a machine to the domain, it works beautifully, but there is a problem with the migrated machine accounts. No machine can log on because its account is not valid on the samba DC. The way I structured my add machine shell script is this:
>
>     #!/bin/sh
>     str=`/etc/samba/convert $1`
>     useradd -d /dev/null -g machines -s /bin/false -M $str
>     passwd -l $str
>     compname=`echo $str | cut -f1 -d$`
>     smbpasswd -a -m -n $compname
>
> I must be doing something unnecessary here for the migrated machine accounts not to work. Can someone throw some light on this? I am sorry if this has already been answered. It must have, but I couldn't find it using any searches that my limited intellect could come up with on the list archives. Appreciate your time.
>
> Saqib Ilyas

Well, congratulations. Most likely you need to rejoin all of your clients before running rpc vampire. After this step is complete, you can then login from client to samba domain without rejoining again.

--beast
Re: [Samba] Machine accounts, Samba 3, NT Domain migration
On Sat, 2004-03-20 at 20:02, Beast wrote:
> * M Saqib Ilyas [EMAIL PROTECTED] wrote:
> > Greetings everyone
> >
> > I finally succeeded in doing the seemingly most difficult thing, following directions. I got my act together configuring the smb.conf and migrating using net rpc vampire into tdbsam. There are issues with this migration in which computer netbios names, which are obviously all uppercase, were not being created in /etc/passwd. I put my C cap on and converted the computer names to lowercase before handing them over to the add machine script. When I join a machine to the domain, it works beautifully, but there is a problem with the migrated machine accounts. No machine can log on because its account is not valid on the samba DC. The way I structured my add machine shell script is this:
> >
> >     #!/bin/sh
> >     str=`/etc/samba/convert $1`
> >     useradd -d /dev/null -g machines -s /bin/false -M $str
> >     passwd -l $str
> >     compname=`echo $str | cut -f1 -d$`
> >     smbpasswd -a -m -n $compname

This looks really suspect, if that was intended to be an 'add user/machine script'. Samba sets the password into tdbsam, the 'add user/machine script' should deal with the posix side only.

> > I must be doing something unnecessary here for the migrated machine accounts not to work. Can someone throw some light on this? I am sorry if this has already been answered. It must have, but I couldn't find it using any searches that my limited intellect could come up with on the list archives. Appreciate your time.
> >
> > Saqib Ilyas
>
> Well, congratulations. Most likely you need to rejoin all of your clients before running rpc vampire. After this step is complete, you can then login from client to samba domain without rejoining again.

You should *never* have to rejoin clients. Ever. That is the point of a vampired system. If there are situations where you do have to rejoin machines, then this is either a bug, or administrator error (such as not having valid machine accounts in /etc/passwd or equiv).

Andrew Bartlett
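Two pieces of advice run through this thread: Paul Thompson's finding that machine names must be completely lower case for on-the-fly provisioning to work, and Andrew Bartlett's point that an 'add machine script' should only handle the POSIX side (Samba writes the password into tdbsam itself) and that migrated workstations fail to log on when their accounts are not valid in /etc/passwd. The script below is an added example written for this page, not code from the thread or from the Samba project. It assumes an smb.conf line of the form `add machine script = /usr/local/sbin/add-machine.sh %u` (Samba hands the script the NetBIOS name with its trailing `$`) and an existing `machines` group; the `pdbedit -L` style `name:uid:...` lines and passwd lines used by the audit function are constructed sample input, not real accounts.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Two parts:
#  1. add_machine: an 'add machine script' that touches only the POSIX
#     account database and lower-cases the NetBIOS name first;
#  2. audit_machine_accounts: lists machine accounts that exist in the
#     passdb (as listed by 'pdbedit -L', one 'name:uid:...' line each)
#     but have no exactly matching POSIX account, flagging the case
#     where only a differently-cased POSIX entry exists.
# Assumed smb.conf line:
#   add machine script = /usr/local/sbin/add-machine.sh %u
# The POSIX group 'machines' is assumed to exist.

# Print the lower-cased account name with a single trailing '$', or fail
# (non-zero exit) if the name contains anything but [a-z0-9_-].
normalise_machine_name() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    name=${name%\$}                      # drop a trailing '$' if present
    [ -n "$name" ] || return 1
    case "$name" in
        *[!a-z0-9_-]*) return 1 ;;       # reject blanks, separators, metachars
    esac
    printf '%s$\n' "$name"
}

# POSIX side only: create a locked, shell-less account for the workstation.
# The passdb entry is left to smbd, so there is no smbpasswd call here.
add_machine() {
    acct=$(normalise_machine_name "$1") || {
        echo "add-machine: refusing account name '$1'" >&2
        return 1
    }
    if getent passwd "$acct" >/dev/null 2>&1; then
        return 0                         # already provisioned, nothing to do
    fi
    useradd -d /dev/null -g machines -s /bin/false -M "$acct" && passwd -l "$acct"
}

# Read passdb lines ('name:uid:...') on stdin; $1 is a passwd-format file.
# For each machine account (name ends in '$') print
#   MISSING <name>                       no POSIX account at all
#   CASE-MISMATCH <name> (posix has <n>) only a lower-cased entry exists
audit_machine_accounts() {
    passwd_file=$1
    while IFS=: read -r sam_name _rest; do
        case "$sam_name" in
            *'$') ;;
            *) continue ;;               # user accounts are out of scope
        esac
        # -F: the '$' in the name must not act as a regex anchor
        if cut -d: -f1 "$passwd_file" | grep -qxF -- "$sam_name"; then
            continue                     # exact POSIX match, fine
        fi
        lower=$(normalise_machine_name "$sam_name") || lower=
        if [ -n "$lower" ] && cut -d: -f1 "$passwd_file" | grep -qxF -- "$lower"; then
            printf 'CASE-MISMATCH %s (posix has %s)\n' "$sam_name" "$lower"
        else
            printf 'MISSING %s\n' "$sam_name"
        fi
    done
}

# When smbd invokes this file with a machine name, act as the add machine script.
if [ -n "${1:-}" ]; then
    add_machine "$1"
fi
```

To audit an existing migration, run `pdbedit -L | ./add-machine.sh` with the audit function called on `/etc/passwd` (or on `getent passwd` output when accounts live in LDAP); every `CASE-MISMATCH` line is a vampired account whose upper-case passdb name has no identically-spelled POSIX counterpart, which is exactly the condition under which the workstation cannot log on.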