Jim Summers wrote:
> Mike Cauble wrote:
> > Jim,
> > I recently did the same thing, here is what I found:
> Hi Mike,
> Thanks for the response. Here is what I discovered while testing
> this morning:
> > When I migrated my ldap, some machines couldn't connect even though
> > they had an account on the domain. Here are some of the reasons:
> > "sambaPwdLastSet" must have a valid value (i.e. 1146061069). I can't
> > remember, but all the date fields (sambaPwdMustChange,
> > sambaPwdCanChange) may have to have a valid value.
> I guess they are valid, they at least match what is in the old ldap.
> > Some of my "sambaPwdLastSet" fields had 0 as a value and couldn't log
> > in; when I gave them a date value that fixed the problem.
> > Check your old ldap machine entries against the new ldap entries:
> > sambaSID, sambaNTPassword must match, make sure sambaAcctFlags has a
> > [W]
> I have compared the values of the attributes and they match.
> > objectClass: sambaSamAccount - I have seen this discussed as
> > something that has changed; you might want to check this.
> > You might remove and re-add a machine, then look at its ldap entry
> > and compare with another machine account's old ldap entry.
> I did the remove and add process. There were three attributes that
> were updated:
> sambaPwdCanChange,
> sambaPwdLastSet,
> sambaNTPassword
> and the machine was joined and all is well.
> So I am now wondering which or all of these values could I use from
> the newly added machine entry to update the rest of my
> machine entries? I do not look forward to having to do the remove/add
> process for each machine.
> From what I have read, the sambaNTPassword is the MD4() of the
> password? And I am guessing the password is the password of the admin
> that is used when joining the domain?
> Which may not be right, because when I look at the NTpassword for
> various working machines they are all different, but since I do not
> know how the MD4 works it may be the same password just a different
> crypt'd value based on some random seed.
> I am going to take the value of the NTpassword from my working machine
> entry and set it on a non-working entry and see if that machine will
> then attach to the domain without having to do the remove/add process.
> Do you think this might work? Thoughts / suggestions?
Each machine has or should have a unique password, so substituting
another machine password won't work.
What version of Samba are you running?
What ldap backend are/were you running?
Here is one thing I did.
I have a machine on my network called testmachine$
I created an ldif file like this one below.
These values came from the old ldap.
example.ldif
-----------------------
dn: uid=testmachine$,ou=Computers,dc=lufkin,dc=com
changetype: modify
replace: sambaSID
sambaSID: S-1-5-21-2781067772-1786132867-2942848841-15320

dn: uid=testmachine$,ou=Computers,dc=xyzcorp,dc=com
changetype: modify
replace: sambaNTPassword
sambaNTPassword: F6A32EA7F65BBD4199F2C33A3AF2DD66
------------------------
This is the password my machine currently uses.
You will have to delete testmachine$ and then create a machine account
manually for testmachine$.
The sambaNTPassword and the number after the last "-" in the SID should
be different on the account you manually created.
Example:
After creating my machine account manually I now have for testmachine$:
sambaNTPassword: 9B54520D9DD7BEE9A4A3DEDE41412AEB
and a sambaSID: S-1-5-21-2781067772-1786132867-2942848841-2343
I then did an ldapmodify using the above ldif file to change the machine
password and the SID to one that testmachine$ expects.
Make sure sambaPwdLastSet has a value other than "0" and sambaAcctFlags
has a value of "W".
You should be able to log in.
Mike
> Thanks again,
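The recipe Mike gives above (re-create the machine account, then ldapmodify the old sambaSID and sambaNTPassword back onto it, and make sure sambaPwdLastSet is non-zero and sambaAcctFlags carries W), together with Jim's question about what sambaNTPassword actually is, as an added example. This is not code from the thread or from Samba: it computes an NT hash the way sambaNTPassword stores it (MD4 over the UTF-16LE password, unsalted, so identical passwords give identical hashes and the differing hashes Jim saw mean each machine really has its own password), flags migrated machine entries that would fail the checks discussed, and emits one LDIF modify record per machine instead of the manual per-machine edit. The dc=example,dc=com base, the entry dicts and the check wording are constructed for this example; the hash and SID strings for testmachine$ are the ones quoted in the thread.

```python
"""Added example (not from the thread or Samba): NT hash, entry checks, LDIF
restore of sambaSID / sambaNTPassword / sambaPwdLastSet after a re-join.
Base DN dc=example,dc=com and the sample entries are constructed."""
import struct
import time

_MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320) so this runs even where OpenSSL disables MD4."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rol((a + f(b, c, d) + X[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next step updates old d
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """sambaNTPassword = MD4 over the UTF-16LE password, upper-case hex, no salt."""
    return md4(password.encode("utf-16-le")).hex().upper()


def check_machine_entry(entry: dict) -> list:
    """Reasons a migrated machine entry would refuse the machine (thread checks)."""
    problems = []
    if not entry.get("uid", "").endswith("$"):
        problems.append("uid must end with $ for a machine account")
    if "sambaSamAccount" not in entry.get("objectClass", []):
        problems.append("objectClass sambaSamAccount missing")
    if entry.get("sambaPwdLastSet", "0") == "0":
        problems.append("sambaPwdLastSet is 0 (or missing)")
    if "W" not in entry.get("sambaAcctFlags", ""):
        problems.append("sambaAcctFlags lacks W")
    pw = entry.get("sambaNTPassword", "")
    if len(pw) != 32 or any(ch not in "0123456789ABCDEFabcdef" for ch in pw):
        problems.append("sambaNTPassword is not a 32-hex-digit NT hash")
    return problems


COPY_ATTRS = ("sambaSID", "sambaNTPassword", "sambaPwdLastSet")


def ldif_restore(dn: str, old_entry: dict, now: int = None) -> str:
    """One 'changetype: modify' record; replace operations are separated by '-'.
    A sambaPwdLastSet of 0 is swapped for the current time, as the thread advises."""
    now = int(time.time()) if now is None else now
    ops = []
    for attr in COPY_ATTRS:
        value = old_entry.get(attr, "0")
        if attr == "sambaPwdLastSet" and value == "0":
            value = str(now)
        ops.append(f"replace: {attr}\n{attr}: {value}")
    return f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(ops) + "\n"


def ldif_restore_all(old_entries: dict, base: str, now: int = None) -> str:
    """Records for every machine, blank-line separated as ldapmodify expects."""
    return "\n".join(
        ldif_restore(f"uid={uid},ou=Computers,{base}", entry, now)
        for uid, entry in old_entries.items()
    )


# Constructed sample: the old LDAP entry for testmachine$ (hash and SID as
# quoted in the thread) whose sambaPwdLastSet of 0 needs fixing.
OLD_ENTRIES = {
    "testmachine$": {
        "uid": "testmachine$",
        "objectClass": ["posixAccount", "sambaSamAccount"],
        "sambaSID": "S-1-5-21-2781067772-1786132867-2942848841-15320",
        "sambaNTPassword": "F6A32EA7F65BBD4199F2C33A3AF2DD66",
        "sambaPwdLastSet": "0",
        "sambaAcctFlags": "[W          ]",
    },
}

if __name__ == "__main__":
    for uid, entry in OLD_ENTRIES.items():
        print(uid, check_machine_entry(entry) or "ok")
    print(ldif_restore_all(OLD_ENTRIES, "dc=example,dc=com"))
```

Feed the printed LDIF to `ldapmodify -x -D <admin dn> -W -f restore.ldif` after the machine accounts have been re-created. Using a single modify record per dn with `-` between the replace operations keeps the SID, hash and date change atomic for that entry, which the two separate records in the thread's example do not.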
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba