[Samba] Bad passwords from Vampire / NT migration

2008-10-21 Thread Cooper S. Blake
> I started looking at all the password hashes using pdbedit -Lw, and
> found the following:
>
> * There are no LanMan password hashes (all set to ...)
> * Most machine accounts have neither LanMan nor NT password hashes:
> WS6$:576:::[W          ]:LCT-48D8EC0E:
> * The NT hashes for the user accounts appear to be incorrect.

Can anyone tell me why net rpc samdump gets the correct LM and NT
password hashes, but net rpc vampire gets incorrect hashes?  What's
funny is that vampire seems to produce consistent results, but
they're consistently wrong.

Is it possible that the NT PDC doesn't trust the Samba server so
it gives it bad hashes?

If there was an easy way to update the NT password hashes in the
passdb tdb file then I would do it.  I could import the samdump via
the pdbedit import feature, but then I have to remap SIDs, which I
have been unable to do.  Perhaps using tdbtool I could locate the NT
hash bytes and replace them, but this would be tedious.

Any thoughts?  Suggestions?

thanks,
Cooper
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Bad passwords from Vampire / NT migration

2008-10-15 Thread Cooper S. Blake
I just did a clean install of Fedora 9 onto a Pentium 4 machine.  It is 
actually running SELinux enforcing, but I haven't found any errors related to 
that so far.  It is running Samba 3.2.3-0.20. I am trying to migrate a Windows 
NT 4.0 domain with about 30 users and 30 computers onto a pure Samba setup, 
using Samba as the PDC and tdbsam.
I have read the HOWTO guide extensively, and everything seems to work in the 
beginning.  My smb.conf is shown below in the BDC configuration.  I started 
with no tdbsam database, so I started by creating the root account using 
pdbedit.  I join the domain using net rpc join -S PDC.  No problem.  I set up 
the group maps by creating a script, as recommended.

Then I run the vampire command:

sudo net rpc vampire -S cls01

At this point I noticed it does not need a password, though the documentation 
says to use -U administrator; I assume it's relying on the machine trust 
account and its BDC membership.  It appears to create all user, workstation, 
and group accounts properly.  The only errors pertain to the inability 
to add groups with spaces:

[2008/10/13 23:41:26,  0] groupdb/mapping.c:smb_create_group(215)
  smb_create_group: Running the command `/usr/sbin/groupadd "Account Operators"' gave 3

This is okay because I manually created unix groups and mapped them.  Now the 
problem is that apparently all the passwords are coming over incorrectly.  If I 
attempt to promote Linux to PDC and shut down the old server, workstations can't 
log in, and Samba logs show complaints about a machine trust account needing a 
password:

[2008/10/13 22:57:04,  0] rpc_server/srv_netlog_nt.c:get_md4pw(357)
  get_md4pw: Workstation GRADE7-8$: account does not have a password
[2008/10/13 22:57:04,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)
  _netr_ServerAuthenticate2: failed to get machine password for account GRADE7-8$: NT_STATUS_LOGON_FAILURE

I started looking at all the password hashes using pdbedit -Lw, and found the 
following:

* There are no LanMan password hashes (all set to ...)
* All machine accounts have neither LanMan nor NT password hashes:
  WS6$:576:::[W          ]:LCT-48D8EC0E:
* The NT hashes for the user accounts appear to be incorrect.

Otherwise everything looks right.  The account flags look to be correct, and 
they all appear under the CLS domain.  The Logon time field looks correct, 
though the password last set field shows the time of the vampire run.  Group 
membership is correct when using net rpc user info.  When I test the logins by 
using smbclient, in PDC mode, none of the existing passwords work, except the 
root password I created before the vampire.

The weird part is that I ran the net rpc samdump command, and its output all 
appears to be correct!  Almost all accounts besides workstations have LanMan 
password hashes, and I went as far as to verify the NT hashes.  I did this by 
creating a new user (pdbedit -a) and setting the password to what it is on the 
NT DC.  The NT hash is the same as what appears in the samdump output.  
However, all NT hashes are different from what is stored in the tdbsam after 
vampire.

My conclusion is that the samdump appears to be doing its job, but somehow the 
tdbsam is being written incorrectly with respect to password hashes.  It seems 
as though the tdbsam database version is not in sync with the vampire tool, 
though it's odd that there aren't any visible error messages.  Shouldn't the 
LanMan / NT hashes be the same between pdbedit and samdump?

thanks,
Cooper

[global]
workgroup = CLS
security = user
passdb backend = tdbsam
domain master = no
wins support = no
domain logons = yes
local master = yes
preferred master = yes
os level = 33

logon path =
logon home =
add user script = /usr/sbin/useradd "%u" -n -g users -s /bin/false
add user to group script = /usr/sbin/usermod -aG "%g" "%u"
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
delete group script = /usr/sbin/groupdel "%g"
log file = /var/log/samba/log.%m
max log size = 50

[homes]
comment = Home Directories
browseable = no
writable = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
read only = yes

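A way to pin down the discrepancy described in the thread, as an added example (not code from the thread or from Samba): a small Python check that parses the smbpasswd-style lines that `net rpc samdump` and `pdbedit -Lw` print (name:rid:LM:NT:[flags]:LCT-...) and reports, per account, whether the NT hash in tdbsam is missing, differs from the samdump value, or matches. It assumes both commands emit that line format; the sample lines and hash values are constructed placeholders.

```python
# Added diagnostic (not from the thread): compare the NT hashes reported by
# `net rpc samdump` with what `pdbedit -Lw` shows in tdbsam after vampire.
# Both are assumed to emit smbpasswd-style lines:
#   name:rid:LMHASH:NTHASH:[flags]:LCT-xxxxxxxx:
# An empty field or 32 'X' characters means "no hash stored".
NO_HASH = {"", "X" * 32}

def parse_smbpasswd(text):
    """Return {account: (lm_hash, nt_hash, flags)} from smbpasswd-style lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 5 or line.lstrip().startswith("#"):
            continue  # blank line, comment, or not an account record
        name, _rid, lm, nt, flags = fields[:5]
        name = name.rsplit("\\", 1)[-1]  # drop an optional DOMAIN\ prefix
        entries[name] = (lm.upper(), nt.upper(), flags.strip("[] "))
    return entries

def compare_nt_hashes(samdump_text, pdbedit_text):
    """Classify every samdump account against tdbsam: 'ok', 'missing'
    (no NT hash in tdbsam), 'mismatch' (NT hash differs) or 'absent'."""
    source = parse_smbpasswd(samdump_text)
    tdbsam = parse_smbpasswd(pdbedit_text)
    report = {}
    for name, (_lm, nt_src, _flags) in source.items():
        if name not in tdbsam:
            report[name] = "absent"
        elif tdbsam[name][1] in NO_HASH:
            report[name] = "missing"
        elif tdbsam[name][1] != nt_src:
            report[name] = "mismatch"
        else:
            report[name] = "ok"
    return report

# Constructed sample output (hash values are placeholders, not real hashes).
SAMDUMP = """\
cooper:1001:11111111111111111111111111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1:[U          ]:LCT-0
jdoe:1002:22222222222222222222222222222222:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB2:[U          ]:LCT-0
WS6$:576:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC3:[W          ]:LCT-0
"""
PDBEDIT = """\
cooper:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD4:[U          ]:LCT-48D8EC0E:
WS6$:576:::[W          ]:LCT-48D8EC0E:
"""

if __name__ == "__main__":
    for account, status in sorted(compare_nt_hashes(SAMDUMP, PDBEDIT).items()):
        print(f"{account:10} {status}")
```

On a real system, feed it the saved output of the two commands instead of the constructed samples; the report only names accounts and a status, never the hash values themselves.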