[Samba] Why both LMPass and NTPass: Migration Issue

2004-08-13 Thread Kang Sun
Greetings!

I am back to work on the vampire migration issues.
It looks like the computers' sambaNTPasswords were migrated
correctly but the sambaLMPasswords were not!
And it seems that Windows 2000 systems only use sambaNTPasswords
while Windows XP systems use more than NTPassword.
For Windows 2000 clients, any domain user can log in to the system
without any problem.
With Windows XP systems I got the "Domain is not Available" error.
However, they can sign off the domain and rejoin the domain without
problems.
Do Windows XP systems need sambaLMPassword?
Did I narrow down the problem a little?

-- Kang
 




Eric J Bennett [EMAIL PROTECTED]
07/26/2004 08:41 PM

To: Paul Gienger [EMAIL PROTECTED]
cc: Kang Sun [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Samba] Samba/LDAP/PDC Questions

Attempting vampire here when everything else works results in user
accounts being created in the LDAP directory (and with a slight ugly
hackish modification to the idealx smbldap-useradd script, posix
accounts being created) and NTLM password hashes being set in the LDAP
tree, and computer accounts being created *but* here is the catch, the
NTLM password hashes for computer accounts are not created.

So if we think of it as a four step process;

1. Create user accounts *OK*
2. Set user account password hashes *OK*
3. Create Machine accounts *OK*
4. Set Machine account password hashes *FAIL*

Of course I'm not bothering to mention the other stuff that it does
cause it's all a bit of black magic to me, but you get the general idea,
it creates user groups as well and associates the appropriate accounts
with the appropriate groups and handles the Unix UID / GID mapping to
the NT equivalent security information.

I'm trying to get more information on the entire process to provide
debug logs to the samba team et al, but I've just been flat out on other
stuff in the meantime which unfortunately has a higher priority than
this at the moment, but I'll endeavour to get the diagnostic info asap,
if someone else wanted to do it before me though, I assume the
interesting stuff would be;

smbd -d 10 -i > smbd.log 2>&1

tcpdump packet capture of traffic between NT PDC and Linux vampire process

strace -f net rpc vampire -S pdc -U administrator%password > vampire.log 2>&1

And try to make sure you're not broadcasting your password hashes in
potentially public bug logs. ^^

What I can tell you from looking at the process so far, is that the NT
PDC is *definitely* providing machine account password hashes, it just
appears that whatever samba should be doing with them, it is not.

Best of luck

Regards

Eric J Bennett



Paul Gienger wrote:
| I'm not at all experienced with the vampire command, but I believe it is
| supposed to bring passwords over.  Perhaps someone can interject here
| who does know what they're talking about???
|
| (note: bringing back on list from an accidental, I suspect, pm)
|
| Kang Sun wrote:
|
|
| Hello Paul,
|
| I have questions on migration. Some other people like Eric
| Bennett and Mike Brodbelt posted similar questions. But I cannot
| find a definite answer to this question: would vampiring using
| samba/ldap/smbldap-tools actually migrate passwords at all?
|
| If the add user/machine script from smb.conf is the only
| tool the vampiring process is calling, it certainly won't create a password.
| Below is the conversation between me and Mike. I hope you can help us.
|
| -- Kang
|
| Kang Sun wrote:
| > Hello Mike,
| >
| > I did similar things and have similar problems.
| > I looked at the ldap database, the migration did nothing but get all
| > the names of users and machines.
| > If the smbldap-* scripts are the only things the vampire process is
| > calling, I don't see how it would get anything else.
|
| Agreed, although when migrating with a tdbsam backend, the vampire
| process will populate the tdbsam with NT passwords and suchlike, but
| also runs the useradd scripts to add the posix users, so I thought that
| there may be some other data that Samba puts into LDAP directly, not
| via invoking the scripts.
|
| The documentation from John Terpstra's book (available online at
| http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
| suggests that the process should work with an LDAP backend, but I'm
| currently at a loss to see how, and I'm unable to replicate this, even
| on a test network, with various versions of the Idealx smbldap-tools.
| It doesn't appear to work as advertised at the moment.
|
| > After vampiring,
| >
| > 1. All the computer accounts and user accounts (posixAccount as
| > well) are created just like being created by smbldap-useradd, with
| > the default parameters as defined in the smbldap.conf or
| > smbldap_config.pm, eg, profiles, logon scripts, etc, user name, etc.
|
| Yes, this seems to work when run from the command line. Vampiring seems
| 

Re: [Samba] Why both LMPass and NTPass: Migration Issue

2004-08-13 Thread Andrew Bartlett
On Fri, 2004-08-13 at 13:41, Kang Sun wrote:
> Greetings!
>
> I am back to work on the vampire migration issues.
> It looks like the computers' sambaNTPasswords were migrated
> correctly but the sambaLMPasswords were not!
> And it seems that Windows 2000 systems only use sambaNTPasswords
> while Windows XP systems use more than NTPassword.
> For Windows 2000 clients, any domain user can log in to the system
> without any problem.
> With Windows XP systems I got the "Domain is not Available" error.
> However, they can sign off the domain and rejoin the domain without
> problems.
> Do Windows XP systems need sambaLMPassword?

No.

> Did I narrow down the problem a little?

No.  There may be other issues here - I would look at issues such as the
domain sid, and machine's sid for its machine account.  Samba does not
read the LM password.  (Except in a buggy case solved by Samba 3.0.4).

I always suggest trying with the current code, so grab current SVN and
retry.

Andrew Bartlett
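
Added example, not part of the thread and not Samba or smbldap-tools code: a Python check over an LDIF export that reports, per sambaSamAccount entry, whether sambaNTPassword and sambaLMPassword hold a 32-hex-digit value, and masks those values before the export is attached to a bug report. The DNs, account names and hash values are constructed, and treating a uid ending in `$` as a machine account is an assumption about the directory layout.

```python
import re
# Constructed sample LDIF: one user and two machine accounts (made-up hashes).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaLMPassword: 00112233445566778899AABBCCDDEEFF
sambaNTPassword: FFEEDDCCBBAA99887766554433221100

dn: uid=ws2000$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
uid: ws2000$
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=wsxp$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
uid: wsxp$
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per LDIF entry."""
    text = re.sub(r"\n ", "", text)               # unfold continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                entry.setdefault(key.strip(), []).append(value.lstrip(":").strip())
        yield entry

def audit(text):
    """Return (uid, is_machine, nt_set, lm_set) rows; hashes are never echoed."""
    rows = []
    for e in parse_ldif(text):
        if "sambaSamAccount" in e.get("objectClass", []):
            uid = e.get("uid", ["?"])[0]
            nt, lm = (bool(HEX32.match(e.get(a, [""])[0]))
                      for a in ("sambaNTPassword", "sambaLMPassword"))
            rows.append((uid, uid.endswith("$"), nt, lm))
    return rows

def redact(text):
    """Mask sambaNTPassword/sambaLMPassword values in LDIF attribute lines."""
    return re.sub(r"(?im)^([ \t]*samba(?:NT|LM)Password:+[ \t]*)\S+", r"\1<redacted>", text)

if __name__ == "__main__":
    print(*audit(SAMPLE_LDIF), sep="\n")
```

`redact` only covers LDIF attribute lines; hashes that appear in other forms in smbd debug output or packet captures need separate handling.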

