Did you update your samba.schema in ldap and did you reindex your ldap database ?

Greetz,
Louis

>-----Original message-----
>From: [email protected]
>[mailto:[email protected]] On behalf of Nathan Mahu
>Sent: 2011-05-05 14:32
>To: [email protected]
>Subject: Re: [Samba] Issue providing seamless migration
>(3.0.24 to 3.5.6) - sambaNTPassword mystery
>
>Still no idea ?
>Does anyone know about sambaNTPassword ?
>Has no one ever experienced issues doing a seamless migration ?
>
>
>On 02/05/2011 11:50, Nathan Mahu wrote:
>> Hello everyone,
>>
>> I am operating a migration of samba from 3.0.24 (mysql passdb backend)
>> to 3.5.6 (openldap passdb), samba working as a domain controller (PDC)
>> and file share. The main challenge is to provide a seamless migration
>> for users.
>> For this new version, I am using smbldap-tools 0.9.6, nss_ldap,
>> openldap 2.4. Everything runs on FreeBSD 8.2.
>>
>> To get used to samba, I have managed to make samba 3.5 work as a new
>> domain, computers joining it, etc... But since I want a seamless
>> migration, I now try to provide enough information to samba 3.5 to
>> auth users like the old version.
>>
>> Currently, I can't manage to have machine accounts which can be on
>> the new domain with the samba root login, without joining the domain
>> through the Windows manual procedure.
>> The new domain has the same "netbios name", "workgroup", domain SID,
>> local SID. And now the challenge is to fill accounts (users but first
>> workstation/machine) in ldap.
>> I have copied and pasted every *.tdb file from the old samba to the new :
>> /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ smbpasswd file).
>> Moreover, to test everything, I have a computer which has an Ethernet
>> interface toward the old working samba, and another one toward the new
>> domain. When I try to switch from the old to the new samba, I shut down
>> the right interface, log out and try to log in with the root login of the
>> new samba (I always wait a few minutes in order to have the new pdc
>> "recognized").
>> As I read that someone is able to upgrade his samba seamlessly by
>> shutting down computers & samba (old & new), then starting new samba
>> then computers, I have tried this procedure each time. However, I
>> don't believe it is the problem : logs are the same if I do the
>> "shutdown/start" procedure or the simple "log out/log in" procedure.
>>
>> I put at the end of this mail ldap entries for each step made. So
>> first, is the reference of a working machine account (achieved by
>> joining manually the "new" domain) [1].
>>
>> Here are the steps I have made:
>>
>> 1. I'm adding a machine account using:
>>
>> #smbldap-useradd -W machine_account$
>>
>> Then I give my machine account the same SID in ldap using:
>>
>> #pdbedit machine_account$ -U
>> S-1-5-21-720590779-4203916555-4014520812-11343
>>
>> The result is [2], and I can't log in with it. Logs tell me something
>> like "Workstation machine_account$ doesn't have a password"... Indeed,
>> no sambaNTPassword here !
>>
>> 2. I want to manually provide sambaNTPassword. Here, no samba command
>> (pdbedit, smbpasswd) provides me a way to do it, the only way I found
>> is to add it directly into LDAP (ldapadd or mod,...) [3].
>>
>> As we could predict, it doesn't work (log in as root). Since
>> "sambaNTPassword" comes during the manual join procedure, it must be
>> some kind of exchange between the workstation and the PDC.
>>
>> 3. The second idea is to import the old passdb backend into the new
>> (ldap) using:
>>
>> #pdbedit -e tdbsam:export.tdb
>> on the old PDC, and then on the new PDC:
>>
>> #pdbedit -i tdbsam:export.tdb
>>
>> Everything works fine for import/export, giving me [4]. Trying to log
>> in with this fails : "Failed to find UNIX account for thorin$". If I
>> manually add the fields needed for a UNIX account (objectClass:
>> posixAccount, etc...), it fails on a "credentials check fails" (same
>> as step 1 when sambaNTPassword was missing).
>>
>> CONCLUSION:
>> In my opinion, it appears that sambaNTPassword is needed for
>> workstation authentication and can be provided only by joining the
>> domain manually (Computer -> Manage -> etc...).
>>
>> Ideas are seriously running out, I find very little about
>> sambaNTPassword and particularly about when (during the joining
>> process ?), where (is it stored on the workstation ? in a samba file ?
>> only in the passdb backend ?) and why (security reasons I guess,
>> avoiding name spoofing etc...? Not a crucial question).
>> Any help would be welcome !
>>
>>
>> REFERENCES LDAP ENTRIES:
>>
>> [1] Working machine account:
>> -------------------------------------------------------------------------------------------
>>
>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>> objectClass: top
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: sambaSamAccount
>> cn: thorin$
>> uid: thorin$
>> uidNumber: 1004
>> gidNumber: 515
>> homeDirectory: /dev/null
>> loginShell: /bin/false
>> description: Computer
>> gecos: Computer
>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
>> displayName: THORIN$
>> sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
>> sambaPwdLastSet: 1304080571
>> sambaAcctFlags: [W ]
>> -------------------------------------------------------------------------------------------
>>
>>
>> [2] Machine account from command #smbldap-useradd -W, with a corrected
>> SID:
>> -------------------------------------------------------------------------------------------
>>
>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>> cn: thorin$
>> uid: thorin$
>> uidNumber: 1002
>> gidNumber: 515
>> homeDirectory: /dev/null
>> loginShell: /bin/false
>> description: Computer
>> gecos: Computer
>> objectClass: posixAccount
>> objectClass: account
>> objectClass: sambaSamAccount
>> sambaLogonTime: 0
>> sambaLogoffTime: 2147483647
>> sambaKickoffTime: 2147483647
>> sambaPwdCanChange: 0
>> sambaPwdMustChange: 2147483647
>> sambaPwdLastSet: 1304078541
>> sambaAcctFlags: [W ]
>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>> sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
>> displayName: thorin$
>> sambaDomainName: DOMAIN
>> -------------------------------------------------------------------------------------------
>>
>>
>> [3] Same as above with a sambaNTPassword field entered through LDIF:
>> -------------------------------------------------------------------------------------------
>>
>> // same as above
>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>> -------------------------------------------------------------------------------------------
>>
>>
>> [4] Entry from import:
>> -------------------------------------------------------------------------------------------
>>
>> dn: uid=thorin$,ou=Computers,dc=domain,dc=com
>> uid: thorin$
>>
>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>> sambaLogonScript: netlogon.bat
>> sambaLogonTime: 0
>> sambaLogoffTime: 0
>> sambaKickoffTime: 0
>> sambaPwdCanChange: 1303228739
>> sambaPwdMustChange: 2147483647
>> sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
>> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
>> sambaPwdLastSet: 1303228739
>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>> sambaAcctFlags: [W ]
>> sambaBadPasswordCount: 0
>> sambaBadPasswordTime: 0
>>
>> objectClass: sambaSamAccount
>> objectClass: account
>> -------------------------------------------------------------------------------------------
>>
>>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
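The two failures Nathan describes in steps 1 and 3 (a workstation entry with no sambaNTPassword, and an imported entry with no posixAccount/uidNumber) are both visible in the LDIF itself before Samba ever reads it. Below is an added example, not code from this thread or from the Samba project, of a small Python checker that parses LDIF offline and reports, for every entry flagged as a workstation (`W` in sambaAcctFlags), the conditions that match the log messages quoted in the mail. The DOMAIN_SID constant and the sample LDIF are constructed from the entries quoted above; the account names other than thorin$ are made up. It checks shape only: it cannot tell whether a hash that is present actually matches what the workstation holds, which is why entry [3] still fails the credentials check even though it would pass here.

```python
"""Offline check of Samba workstation accounts exported as LDIF.

Added example, not code from the thread or from Samba. It parses LDIF, selects
entries whose sambaAcctFlags carry 'W', and reports the conditions matching the
failures in the mail: no sambaNTPassword ("doesn't have a password"), no
posixAccount/uidNumber ("Failed to find UNIX account"), sambaSID outside the
domain SID. DOMAIN_SID and SAMPLE_LDIF are constructed from values in the thread.
"""
import base64
import re
from collections import defaultdict

DOMAIN_SID = "S-1-5-21-720590779-4203916555-4014520812"  # domain SID from the thread

# Constructed sample: entry [2] (no NT hash), entry [4] (no posixAccount) and a
# complete account shaped like entry [1]; names other than thorin$ are made up.
SAMPLE_LDIF = """\
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
uid: thorin$
uidNumber: 1002
objectClass: posixAccount
objectClass: sambaSamAccount
sambaAcctFlags: [W          ]
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343

dn: uid=imported$,ou=Computers,dc=domain,dc=com
uid: imported$
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
sambaPasswordHistory: 00000000000000000000000000000000
 00000000000000000000000000000000
sambaAcctFlags: [W          ]
objectClass: sambaSamAccount

dn: uid=joined$,ou=Computers,dc=domain,dc=com
uid: joined$
uidNumber: 1004
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
sambaAcctFlags: [W          ]
"""


def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute -> list of values.
    Folded lines (leading space) are unfolded; 'attr::' values are base64-decoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # LDIF continuation line
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():  # blank line separates entries
            if current:
                entries.append(current)
            current = None
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$", line)
        if not m:
            continue  # comment or stray text; tolerate rather than abort
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if current is None:
            current = defaultdict(list)
        current[attr.lower()].append(value)
    if current:
        entries.append(current)
    return entries


def check_workstation(entry, domain_sid=DOMAIN_SID):
    """List what would stop Samba from authenticating this workstation entry."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        problems.append("missing objectClass sambaSamAccount")
    if "posixaccount" not in classes or not entry.get("uidnumber"):
        problems.append("no posixAccount/uidNumber, so no UNIX account to map to")
    nt_hash = entry.get("sambantpassword", [""])[0]
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", nt_hash):
        problems.append("sambaNTPassword missing or not a 32-hex-digit NT hash")
    sid = entry.get("sambasid", [""])[0]
    if not re.fullmatch(re.escape(domain_sid) + r"-\d+", sid):
        problems.append(f"sambaSID {sid!r} is not under domain SID {domain_sid}")
    if not entry.get("uid", [""])[0].endswith("$"):
        problems.append("uid does not end with '$' as machine accounts must")
    return problems


def audit(ldif_text, domain_sid=DOMAIN_SID):
    """Map each workstation DN ('W' in sambaAcctFlags) to its problem list."""
    return {e.get("dn", ["<no dn>"])[0]: check_workstation(e, domain_sid)
            for e in parse_ldif(ldif_text)
            if "W" in e.get("sambaacctflags", [""])[0]}


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(f"{dn}: {'; '.join(problems) or 'OK'}")
```

Run it against the output of an `ldapsearch` or `pdbedit -e` dump converted to LDIF after each migration step; an account that reports OK here but still fails the credentials check points at the hash value itself (as in entry [3]) rather than at the entry's shape.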
