I just did a clean install of Fedora 9 onto a Pentium 4 machine. It is
actually running SELinux enforcing, but I haven't found any errors related to
that so far. It is running Samba 3.2.3-0.20. I am trying to migrate a Windows
NT 4.0 domain with about 30 users and 30 computers onto a pure Samba setup,
using Samba as the PDC and tdbsam.
I have read the HOWTO guide extensively, and everything seems to work in the
beginning. My smb.conf is shown below in the BDC configuration. I started
with no tdbsam database, so I started by creating the root account using
pdbedit. I join the domain using net rpc join -S PDC. No problem. I set up
the group maps by creating a script, as recommended.
Then I run the vampire command:
sudo net rpc vampire -S cls01
At this point I noticed it does not need a password, though the documentation
says to use -U administrator; I assume it's relying on the machine trust
account and its BDC membership. It appears to create all user, workstation,
and group accounts properly. The only errors are pertaining to the inability
to add groups with spaces:
[2008/10/13 23:41:26, 0] groupdb/mapping.c:smb_create_group(215)
smb_create_group: Running the command `/usr/sbin/groupadd "Account Operators"' gave 3
This is okay because I manually created unix groups and mapped them. Now the
problem is that apparently all the passwords are coming over incorrectly. If I
attempt to promote Linux to PDC and shut down the old server, workstations can't
log in, and Samba logs show complaints about a machine trust account needing a
password:
[2008/10/13 22:57:04, 0] rpc_server/srv_netlog_nt.c:get_md4pw(357)
get_md4pw: Workstation GRADE7-8$: account does not have a password
[2008/10/13 22:57:04, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)
_netr_ServerAuthenticate2: failed to get machine password for account GRADE7-8$: NT_STATUS_LOGON_FAILURE
I started looking at all the password hashes using pdbedit -Lw, and found the
following:
* There are no LanMan password hashes (all set to ...)
* All machine accounts have neither LanMan nor NT password hashes:
WS6$:576:::[W ]:LCT-48D8EC0E:
* The NT hashes for the user accounts appear to be incorrect.
Otherwise everything looks right. The account flags look to be correct, and
they all appear under the CLS domain. The Logon time field looks correct,
though the password last set field shows the time of the vampire run. Group
membership is correct when using net rpc user info. When I test the logins by
using smbclient, in PDC mode, none of the existing passwords work, except the
root password I created before the vampire.
The weird part is that I ran the net rpc samdump command, and its output all
appears to be correct! Almost all accounts besides workstations have LanMan
password hashes, and I went as far as to verify the NT hashes. I did this by
creating a new user (pdbedit -a) and setting the password to what it is on the
NT DC. The NT hash is the same as what appears in the samdump output.
However, all NT hashes are different from what is stored in the tdbsam after
vampire.
My conclusion is that the samdump appears to be doing its job, but somehow the
tdbsam is being written incorrectly with respect to password hashes. It seems
as though the tdbsam database version is not in sync with the vampire tool,
though it's odd that there aren't any visible error messages. Shouldn't the
LanMan / NT hashes be the same between pdbedit and samdump?
thanks,
Cooper
[global]
workgroup = CLS
security = user
passdb backend = tdbsam
domain master = no
wins support = no
domain logons = yes
local master = yes
preferred master = yes
os level = 33
logon path =
logon home =
add user script = /usr/sbin/useradd "%u" -n -g users -s /bin/false
add user to group script = /usr/sbin/usermod -aG "%g" "%u"
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
delete group script = /usr/sbin/groupdel "%g"
log file = /var/log/samba/log.%m
max log size = 50
[homes]
comment = Home Directories
browseable = no
writable = yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
read only = yes
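As an added example (not part of Cooper's post or of Samba itself), the hash comparison described above can be scripted rather than done by hand: parse the smbpasswd-format lines that pdbedit -Lw prints, flag machine accounts with no NT hash (the condition behind the NT_STATUS_LOGON_FAILURE messages) and report user accounts whose NT hash differs from a reference value. The sample pdbedit output and the reference hashes are constructed for the example; the reference dict stands in for the hashes one verifies against net rpc samdump.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `pdbedit -Lw` output, modelled on the symptoms in the
# post: LM hashes all absent, a machine account with neither hash.
SAMPLE_PDBEDIT = """\
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-48F3B2C1:
jsmith:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-48F3B2C1:
WS6$:576:::[W          ]:LCT-48D8EC0E:
"""

# Constructed reference NT hashes (the values verified against samdump).
REFERENCE_NT = {
    "root": "0123456789ABCDEF0123456789ABCDEF",
    "jsmith": "00000000000000000000000000000000",  # deliberately differs
}

# name:uid:LMHASH:NTHASH:[flags]:LCT-hexseconds:
LINE_RE = re.compile(r"^([^:]+):(\d+):([^:]*):([^:]*):\[([^\]]*)\]:LCT-([0-9A-Fa-f]{8}):")

def parse_smbpasswd(text):
    """Parse smbpasswd-format lines into a dict keyed by account name."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an account line
        name, uid, lm, nt, flags, lct = m.groups()
        entries[name] = {
            "uid": int(uid),
            # an empty field or 32 'X' characters means no hash is stored
            "has_lm": bool(lm) and set(lm) != {"X"},
            "has_nt": bool(nt) and set(nt) != {"X"},
            "nt": nt.upper(),
            "is_machine": "W" in flags,
            # LCT is "password last set" as a hex Unix timestamp
            "last_set": datetime.fromtimestamp(int(lct, 16), timezone.utc),
        }
    return entries

def audit(entries, reference_nt):
    """Return (account, problem) pairs: machine accounts lacking an NT hash
    and user accounts whose NT hash differs from the reference."""
    findings = []
    for name, e in entries.items():
        if e["is_machine"] and not e["has_nt"]:
            findings.append((name, "machine account has no NT hash"))
        ref = reference_nt.get(name)
        if ref and e["nt"] != ref.upper():
            findings.append((name, "NT hash differs from reference"))
    return findings
```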