On Tue, 2004-07-27 at 19:22, Kang Sun wrote:
> Greetings!
>
> It was premature for me to send out a "success procedure for migration"
> yesterday. I overlooked things and I apologize to this group.
>
> Anyway, after migration, computers, users, groups are all created and
> filled up with the correct membership. However, I still have the same
> problem with machine password and user password. Further looking into the
> detail, it looks like samba/ldap does not use LM/NT password for
> authentication but expects userPassword, which I assume is posix account
> password and did not exist on the original NT4 server.
No, it doesn't.
Your account was disabled by [NU]; when you modified it with smbldap,
your account flags changed to [U].
The LDAP backend doesn't require a Unix account, but smbldap-tools handles
the Samba and POSIX accounts together.
The NT password is managed in a different way; you can't do
unixpass->ntpass and vice versa.
You should do:
# smbpasswd -e userid
and userid will be enabled.
# smbpasswd -d userid
and userid will be disabled.
regards.
>
> Here is my account entry after the migration:
> =====================================================
> dn: uid=ksun,ou=Users,dc=ab,dc=com
> objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
> cn: ksun
> sn: ksun
> uid: ksun
> uidNumber: 1870
> gidNumber: 513
> homeDirectory: /u/ksun
> loginShell: /bin/tcsh
> gecos: System User
> description: System User
> userPassword: {crypt}x
> sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
> sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
> sambaLogonTime: 1090859130
> sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
> sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
> sambaPwdLastSet: 1069686468
> sambaAcctFlags: [NU ]
> ======================================================
>
> It looks like the migration does create LM password and NT password.
> However, I cannot log in to my account unless I change my password.
> This is what my account looks like after "smbldap-passwd ksun" to the
> original password:
>
> ---------------------------------------------------------------------------------
> dn: uid=ksun,ou=Users,dc=ab,dc=com
> objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
> cn: ksun
> sn: ksun
> uid: ksun
> uidNumber: 1870
> gidNumber: 513
> homeDirectory: /u/ksun
> loginShell: /bin/tcsh
> gecos: System User
> description: System User
> sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
> sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
> sambaLogonTime: 1090859130
> sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
> sambaAcctFlags: [U]
> sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
> sambaPwdLastSet: 1090946249
> sambaPwdMustChange: 1094834249
> userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q=
>
> ----------------------------------------------------------------------------------
> Look at the difference of these two outputs:
>
> +++++++++++++++++++++++++++++++++++++++++++++++
> 12d11
> < userPassword: {crypt}x
> 16a16
> > sambaAcctFlags: [U]
> 18,19c18,20
> < sambaPwdLastSet: 1069686468
> < sambaAcctFlags: [NU ]
> ---
> > sambaPwdLastSet: 1090946249
> > sambaPwdMustChange: 1094834249
> > userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q=
> +++++++++++++++++++++++++++++++++++++++++++++++
> Surprisingly, neither the NT nor the LM password changed. The difference is
> the "userPassword", which I assume is the Posix account password, which does
> not exist in the old NT PDC at all! Of course the migration won't have the
> right password.
>
> I do have "ldap passwd sync = Yes" in my smb.conf file; my questions are:
> 1. Why does samba/ldap authenticate using the posix password instead of
> LM/NT passwords?
> 2. Does it synchronize the userPassword password to the NT/LM password or
> the other way around?
> 3. When does the synchronization happen or get triggered?
> 4. Is there a way of manually "copy" the LM/NT password to the userPassword
> field?
>
> The other difference is the change of the sambaAcctFlag: [U ] instead
> of [NU ]. I wonder if that changes anything.
>
> Thanks!
>
> -- Kang
>
>
>
_______________________
Umberto Zanatta
linuxDidattica
tel: +39 (335) 54 71 385
email: umberto.z@tin.it
web: http://linuxdidattica.org
_______________________
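
A post-migration audit in the spirit of the flag discussion in this thread, as an added example that is not part of the original messages: it reads an LDIF export and lists accounts whose sambaAcctFlags carry N or D, or whose userPassword is still the {crypt}x placeholder. The sample entries are constructed, and the flag-letter meanings are taken from Samba's account-control encoding, not from anything stated in the thread.

```python
# Samba account-control letters (assumed, not stated in the thread): N, D.
FLAG_NAMES = {"N": "no password required", "D": "disabled"}

# Constructed sample export; names and values are illustrative only.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice
userPassword: {crypt}x
sambaAcctFlags: [NU         ]

dn: uid=bob,ou=Users,dc=example,dc=com
uid: bob
sambaAcctFlags: [U          ]

dn: uid=carol,ou=Users,dc=example,dc=com
uid: carol
sambaAcctFlags: [DU         ]
"""

def parse_ldif(text):
    """Split a simple (unfolded, non-base64) LDIF into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def decode_flags(raw):
    """Return the flag letters between the brackets, ignoring padding."""
    return set(raw.strip().strip("[]").replace(" ", ""))

def audit(entries):
    """Map uid -> findings for accounts that need a follow-up."""
    report = {}
    for e in entries:
        flags = decode_flags(e.get("sambaAcctFlags", ["[]"])[0])
        findings = [FLAG_NAMES[f] for f in sorted(flags & set(FLAG_NAMES))]
        if "{crypt}x" in e.get("userPassword", []):
            findings.append("placeholder userPassword")
        if findings:
            report[e["uid"][0]] = findings
    return report

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

For a real directory, feed it the output of an LDAP export with line folding disabled; base64-encoded values are not decoded by this parser.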