Tomas Lohr
2004-Nov-01 11:16 UTC
[Samba] Machine accounts by migrating from smbpasswd to ldapsam
Hi all,
I'm wondering about machine accounts (WinXP) when migrating from
Samba 2.2.8 with the authentication backend /etc/smbpasswd to Samba 3.0.4
with ldapsam.
Is it possible just to take the NT hash from smbpasswd and paste it into
the ldap record as sambaNTPassword?
I'm not able to log in from machine vs3 to the new domain. My
configuration files and log files follow. The Samba SID is the same
on the old server and on the new server.
How can I transport machine accounts from the old backend to the new one
without reconnecting the machines to the new domain? Do you know where
the problem is?
Thanx for your help
Tomas Lohr
The record from /etc/smbpasswd looks like:
vs3$:501:F74786067472.....3E527018D189760:382721F51C7C.....C9C1E9A81B5B145:[W ]:LCT-416E659B:
The specific record from ldap looks like:
hp3:/ # ldapsearch -x -D "cn=Manager,dc=moser-glass,dc=com" -W -b
'dc=moser-glass,dc=com' 'cn=vs3$'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=moser-glass,dc=com> with scope sub
# filter: cn=vs3$
# requesting: ALL
#
# VS3$, Computers, moser-glass.com
dn: uid=VS3$,ou=Computers,dc=moser-glass,dc=com
gidNumber: 513
homeDirectory: /dev/null
loginShell: /bin/false
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 0
sambaSID: S-1-5-21-1065381148-2072401369-4150041673-3180
sambaPrimaryGroupSID: S-1-5-21-1065381148-2072401369-4150041673-553
uidNumber: 501
sambaAcctFlags: [W ]
cn: vs3$
sn: vs3$
uid: vs3$
description: Computer VS3
sambaNTPassword: 382721F51C7C.....C9C1E9A81B5B145
sambaLMPassword: F74786067472.....3E527018D189760
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The Samba log /var/log/samba/log.vs3 shows:
[2004/10/29 18:09:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
init_sam_from_ldap: Entry found for user: vs3$
[2004/10/29 18:09:47, 0] rpc_server/srv_netlog_nt.c:get_md4pw(218)
get_md4pw: Workstation VS3$: no account in domain
[2004/10/29 18:09:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
init_sam_from_ldap: Entry found for user: vs3$
[2004/10/29 18:09:47, 0] rpc_server/srv_netlog_nt.c:get_md4pw(218)
get_md4pw: Workstation VS3$: no account in domain
[2004/10/29 18:09:58, 2] smbd/server.c:exit_server(568)
Closing connections
The important part of the new /etc/samba/smb.conf:
[global]
server string = hp3
netbios name = HP3
workgroup = MOSERAS
domain master = Yes
preferred master = Yes
domain logons = Yes
dos charset = 852
unix charset = ISO-8859-2
os level = 99
time server = Yes
wins support = yes
name resolve order = wins lmhosts bcast host
max log size = 1000
log file = /var/log/samba/log.%m
log level = 2
syslog = 0
lanman auth = Yes
map acl inherit = Yes
null passwords = No
interfaces = eth0
encrypt passwords = true
winbind use default domain = Yes
passdb backend = ldapsam:ldap://localhost
min password length = 5
ldap admin dn = "cn=Manager,dc=moser-glass,dc=com"
ldap delete dn = No
ldap suffix = dc=moser-glass,dc=com
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap passwd sync = Yes
ldap idmap suffix = ou=Idmap
pam password change = No
idmap gid = 10000-20000
idmap uid = 10000-20000
Tomas Lohr
2004-Nov-08 13:24 UTC
[Samba] Re: Machine accounts by migrating from smbpasswd to ldapsam
Hi, after a few days I found the solution. The problem was in bad SID numbers. The machine account in /etc/smbpasswd
vs3$:501:F74786067472.....3E527018D189760:382721F51C7C.....C9C1E9A81B5B145:[W ]:LCT-416E659B:
has to be transformed into the LDAP directory with the same number:
sambaSID=S-1-5-21-1065381148-2072401369-4150041673-501
uidNumber=501
Similarly with the SID numbers of user accounts:
rid='2*uidNumber+sambaAlgorithmicRidBase'
sambaSID and uidNumber must be changed according to this formula.
T. Lohr
On 1 Nov 2004 at 12:15, samba@lists.samba.org wrote:
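The migration the reply describes, written out as an added example (not code from the poster or from the Samba project): a converter that parses smbpasswd records, builds sambaSamAccount LDIF entries whose sambaSID is the domain SID plus a RID derived from the uidNumber, and a check that compares an existing LDAP entry's sambaSID against what the old backend implies. It assumes the two RID rules stated in the thread (machine account RID equal to the uidNumber, user RID = 2*uidNumber + the algorithmic RID base; Samba's default base is 1000). The domain SID and base DN are taken from the thread; the hashes in the sample input are constructed placeholders.

```python
"""smbpasswd -> ldapsam LDIF converter with a sambaSID consistency check.
Added example, not from the thread or the Samba project. RID rules follow
the reply: machines keep RID = uidNumber, users get 2*uidNumber + base."""
import re
from typing import Callable, Dict, List, Optional

DOMAIN_SID = "S-1-5-21-1065381148-2072401369-4150041673"  # from the thread
BASE_DN = "dc=moser-glass,dc=com"                          # from the thread
ALGORITHMIC_RID_BASE = 1000  # Samba default for 'algorithmic rid base'

# Constructed sample: names and uids follow the thread, hashes are fake.
SAMPLE_SMBPASSWD = (
    "vs3$:501:0123456789ABCDEF0123456789ABCDEF:"
    "FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-416E659B:\n"
    "tomas:1002:0123456789ABCDEF0123456789ABCDEF:"
    "FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-416E659B:\n"
    "# comments and blank lines are ignored\n\n"
)

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
TRUST_FLAGS = {"W", "S", "I"}  # workstation, server, interdomain trust


def algorithmic_rid(uid: int, base: int = ALGORITHMIC_RID_BASE) -> int:
    """The reply's formula for user accounts: rid = 2*uidNumber + base."""
    return 2 * uid + base


def uid_as_rid(uid: int) -> int:
    """The rule the poster found worked for vs3$: RID equals uidNumber."""
    return uid


def parse_smbpasswd(text: str) -> List[Dict[str, object]]:
    """Parse name:uid:LM:NT:[flags]:LCT-hex: lines; reject malformed hashes
    so a bad record is caught before it is written into LDAP."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected 6 colon-separated fields")
        name, uid, lm, nt, flags, lct = fields[:6]
        for label, digest in (("LM", lm), ("NT", nt)):
            if not HEX32.match(digest) and digest != "X" * 32:
                raise ValueError(f"line {lineno}: {label} hash is not 32 hex digits")
        if not lct.startswith("LCT-"):
            raise ValueError(f"line {lineno}: missing LCT- last-change field")
        records.append({
            "name": name,
            "uid": int(uid),
            "lm": lm.upper(),
            "nt": nt.upper(),
            # normalise the flags field to Samba's 11-character padded form
            "flags": "[" + flags.strip("[]").strip().ljust(11) + "]",
            "lastset": int(lct[4:], 16),  # LCT is a hex Unix timestamp
            "is_machine": bool(set(flags) & TRUST_FLAGS),
        })
    return records


def to_ldif(rec: Dict[str, object], domain_sid: str = DOMAIN_SID,
            base_dn: str = BASE_DN,
            machine_rid: Callable[[int], int] = uid_as_rid,
            user_rid: Callable[[int], int] = algorithmic_rid) -> str:
    """Render one record as a sambaSamAccount entry; sambaSID is the domain
    SID plus the RID rule for that account type, never a freshly allocated RID."""
    machine = bool(rec["is_machine"])
    rid = (machine_rid if machine else user_rid)(int(rec["uid"]))
    ou = "ou=Computers" if machine else "ou=People"
    group_rid = 515 if machine else 513  # Domain Computers / Domain Users
    lines = [
        f"dn: uid={rec['name']},{ou},{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        f"cn: {rec['name']}", f"sn: {rec['name']}", f"uid: {rec['name']}",
        f"uidNumber: {rec['uid']}",
        "gidNumber: 513",  # as in the thread's entry
        "homeDirectory: /dev/null" if machine else f"homeDirectory: /home/{rec['name']}",
        "loginShell: /bin/false",
        f"sambaSID: {domain_sid}-{rid}",
        f"sambaPrimaryGroupSID: {domain_sid}-{group_rid}",
        f"sambaAcctFlags: {rec['flags']}",
        f"sambaPwdLastSet: {rec['lastset']}",
        f"sambaLMPassword: {rec['lm']}",
        f"sambaNTPassword: {rec['nt']}",
    ]
    return "\n".join(lines) + "\n"


def sid_mismatch(entry: Dict[str, str], domain_sid: str = DOMAIN_SID,
                 rid_rule: Callable[[int], int] = uid_as_rid) -> Optional[str]:
    """Compare an existing entry's sambaSID with the SID the RID rule predicts
    from its uidNumber. Run over ou=Computers before cutover to find entries
    like the thread's (RID 3180 from the LDAP tools, uidNumber 501)."""
    expected = f"{domain_sid}-{rid_rule(int(entry['uidNumber']))}"
    if entry["sambaSID"] == expected:
        return None
    return f"{entry['uid']}: sambaSID is {entry['sambaSID']}, old backend implies {expected}"


if __name__ == "__main__":
    for rec in parse_smbpasswd(SAMPLE_SMBPASSWD):
        print(to_ldif(rec))
    print(sid_mismatch({"uid": "vs3$", "uidNumber": "501",
                        "sambaSID": DOMAIN_SID + "-3180"}))
```

The RID rules are passed in as callables so the same converter can be pointed at whichever mapping the old server actually used; running sid_mismatch over the already-populated LDAP tree before switching passdb backend turns the "no account in domain" failure in the log into a list of entries whose sambaSID has to be rewritten.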