Christoph Peus
2005-Nov-12 14:33 UTC
[Samba] net rpc vampire - cannot login to migrated computer accounts
Hello experts,

I've migrated our NT4 domain to samba 3.0.20b/ldap backend with "net rpc vampire", and nearly everything works as expected. But one big problem remains: it's not possible to log in to the domain's member machines now, because "the domain is not available at the moment" (translated from German). After the machine rejoined the samba domain, login works. (But this is not an option for our ~500 machines...)

I have looked at the computer account of one machine after the migration and after I rejoined the domain manually. There's a difference:

after "net rpc vampire" migration:

dn: uid=BIT59$,ou=computers,dc=uni-wh,dc=de
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: BIT59$
sn: BIT59$
uid: BIT59$
uidNumber: 22693
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: inetOrgPerson
entryUUID: 4de87562-e740-1029-802b-d5f8fbe677cd
creatorsName: cn=smbldap-tools,ou=DSA,dc=uni-wh,dc=de
createTimestamp: 20051111204849Z
sambaSID: S-1-5-21-1139895982-289624505-398547282-4370
sambaPrimaryGroupSID: S-1-5-21-1139895982-289624505-398547282-515
displayName: BIT59$
sambaLogonTime: 1131741671
sambaNTPassword: 6D4D1F74BA851B7DB9DBCBA966C00AEF
sambaPwdLastSet: 1131727258
sambaAcctFlags: [W ]
entryCSN: 20051111204858Z#000001#00#000000
modifiersName: cn=samba,ou=DSA,dc=uni-wh,dc=de
modifyTimestamp: 20051111204858Z

Something wrong here?

after the machine rejoined the domain:

dn: uid=bit59$,ou=computers,dc=uni-wh,dc=de
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: bit59$
sn: bit59$
uid: bit59$
uidNumber: 22694
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: inetOrgPerson
entryUUID: f490cd82-e7b4-1029-8a6d-c4cb6795876f
creatorsName: cn=smbldap-tools,ou=DSA,dc=uni-wh,dc=de
createTimestamp: 20051112104350Z
sambaSID: S-1-5-21-1139895982-289624505-398547282-46388
sambaPrimaryGroupSID: S-1-5-21-1139895982-289624505-398547282-515
displayName: BIT59$
sambaPwdCanChange: 1131878635
sambaPwdMustChange: 1142160235
sambaNTPassword: 22E8E02D746C544A1DB0D183715C2D86
sambaPwdLastSet: 1131792235
sambaAcctFlags: [W ]
entryCSN: 20051112104358Z#000001#00#000000
modifiersName: cn=samba,ou=DSA,dc=uni-wh,dc=de
modifyTimestamp: 20051112104358Z

Obviously the "sambaPwdCanChange" and "sambaPwdMustChange" attributes are missing in the computer account after migration. Could this cause the problem, or am I searching in the wrong place?

Thanks in advance for your support!

Christoph
Craig White
2005-Nov-12 14:41 UTC
[Samba] net rpc vampire - cannot login to migrated computer accounts
On Sat, 2005-11-12 at 15:32 +0100, Christoph Peus wrote:
> Hello experts,
>
> I've migrated our NT4 domain to samba 3.0.20b/ldap backend with "net rpc
> vampire", and nearly everything works as expected. But one big problem
> remains: it's not possible to log in to the domain's member machines now,
> because "the domain is not available at the moment" (translated from
> German). After the machine rejoined the samba domain, login works. (But
> this is not an option for our ~500 machines...)
>
> I have looked at the computer account of one machine after the migration
> and after I rejoined the domain manually. There's a difference:
>
> after "net rpc vampire" migration:
>
> dn: uid=BIT59$,ou=computers,dc=uni-wh,dc=de
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: sambaSamAccount
> cn: BIT59$
> sn: BIT59$
> uid: BIT59$
> uidNumber: 22693
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> structuralObjectClass: inetOrgPerson
> entryUUID: 4de87562-e740-1029-802b-d5f8fbe677cd
> creatorsName: cn=smbldap-tools,ou=DSA,dc=uni-wh,dc=de
> createTimestamp: 20051111204849Z
> sambaSID: S-1-5-21-1139895982-289624505-398547282-4370
> sambaPrimaryGroupSID: S-1-5-21-1139895982-289624505-398547282-515
> displayName: BIT59$
> sambaLogonTime: 1131741671
> sambaNTPassword: 6D4D1F74BA851B7DB9DBCBA966C00AEF
> sambaPwdLastSet: 1131727258
> sambaAcctFlags: [W ]
> entryCSN: 20051111204858Z#000001#00#000000
> modifiersName: cn=samba,ou=DSA,dc=uni-wh,dc=de
> modifyTimestamp: 20051111204858Z
>
> Something wrong here?
>
> after the machine rejoined the domain:
>
> dn: uid=bit59$,ou=computers,dc=uni-wh,dc=de
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: sambaSamAccount
> cn: bit59$
> sn: bit59$
> uid: bit59$
> uidNumber: 22694
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> structuralObjectClass: inetOrgPerson
> entryUUID: f490cd82-e7b4-1029-8a6d-c4cb6795876f
> creatorsName: cn=smbldap-tools,ou=DSA,dc=uni-wh,dc=de
> createTimestamp: 20051112104350Z
> sambaSID: S-1-5-21-1139895982-289624505-398547282-46388
> sambaPrimaryGroupSID: S-1-5-21-1139895982-289624505-398547282-515
> displayName: BIT59$
> sambaPwdCanChange: 1131878635
> sambaPwdMustChange: 1142160235
> sambaNTPassword: 22E8E02D746C544A1DB0D183715C2D86
> sambaPwdLastSet: 1131792235
> sambaAcctFlags: [W ]
> entryCSN: 20051112104358Z#000001#00#000000
> modifiersName: cn=samba,ou=DSA,dc=uni-wh,dc=de
> modifyTimestamp: 20051112104358Z
>
> Obviously the "sambaPwdCanChange" and "sambaPwdMustChange" attributes are
> missing in the computer account after migration. Could this cause the
> problem, or am I searching in the wrong place?
>
> Thanks in advance for your support!
----
It's easy enough to fix with the pdbedit command: set those values and then try to log in.

Craig
Thomas Bork
2005-Nov-12 15:13 UTC
[Samba] net rpc vampire - cannot login to migrated computer accounts
Christoph Peus wrote:
> after "net rpc vampire" migration:
> uidNumber: 22693
> sambaSID: S-1-5-21-1139895982-289624505-398547282-4370

> after the machine rejoined the domain:
> uidNumber: 22694
> sambaSID: S-1-5-21-1139895982-289624505-398547282-46388

Hi Christoph,

nice to read you :)

What does

testparm -sv 2>/dev/null | grep 'algorithmic rid'

show? I think it will look like 'algorithmic rid base = 1000', because 22694 * 2 + 1000 = 46388.

You have to find the point in the migration process where the new sambaSID is calculated. Your migrated sambaSID is not correct.

Example from my machine (no ldap):

# testparm -sv 2>/dev/null | grep 'algorithmic rid'
algorithmic rid base = 1000

vmeis # id xp\$
uid=2005(xp$) gid=777(machines) Gruppen=777(machines)

vmeis # pdbedit -Lv xp$ | grep 'User SID'
User SID: S-1-5-21-2616608439-745089445-1077948534-5010

2005 * 2 + 1000 = 5010

der tom
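Thomas's arithmetic turned into an audit script, as an added example that is not part of the thread: it parses trimmed copies of the two LDIF fragments quoted above and flags computer accounts whose sambaSID RID does not equal 2 * uidNumber + the algorithmic rid base, which is assumed here to be 1000 as he suggests.

```python
import re

# Samba's algorithmic RID mapping as described in the thread:
# RID = 2 * uidNumber + "algorithmic rid base". The base is an assumption
# taken from Thomas's guess; read it from testparm on a real server.
RID_BASE = 1000

# Constructed sample: the two computer accounts from the thread, trimmed to
# the attributes this check needs (migrated entry first, rejoined entry second).
LDIF = """\
dn: uid=BIT59$,ou=computers,dc=uni-wh,dc=de
uidNumber: 22693
sambaSID: S-1-5-21-1139895982-289624505-398547282-4370

dn: uid=bit59$,ou=computers,dc=uni-wh,dc=de
uidNumber: 22694
sambaSID: S-1-5-21-1139895982-289624505-398547282-46388
"""


def parse_ldif(text):
    """Split minimal single-valued LDIF into one dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value.strip()
        entries.append(entry)
    return entries


def expected_rid(uid_number, rid_base=RID_BASE):
    """RID the algorithmic mapping would assign to this uidNumber."""
    return 2 * uid_number + rid_base


def check_entry(entry, rid_base=RID_BASE):
    """Return (dn, actual_rid, expected_rid, consistent) for one account."""
    actual_rid = int(entry["sambaSID"].rsplit("-", 1)[1])  # last SID component
    exp = expected_rid(int(entry["uidNumber"]), rid_base)
    return (entry["dn"], actual_rid, exp, actual_rid == exp)


def audit(text, rid_base=RID_BASE):
    """Check every entry in an LDIF dump; mismatches point at migrated accounts."""
    return [check_entry(e, rid_base) for e in parse_ldif(text)]


if __name__ == "__main__":
    for dn, actual, exp, ok in audit(LDIF):
        print(f"{'ok' if ok else 'MISMATCH':8} {dn}: RID {actual}, algorithmic RID {exp}")
```

Run against a full `ldapsearch` dump of ou=computers, the MISMATCH lines are the accounts whose SID was carried over by the migration rather than derived from the new uidNumber.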
Christoph Peus
2005-Nov-13 16:24 UTC
[Samba] Re: net rpc vampire - cannot login to migrated computer accounts
Christoph Peus wrote:
> I've migrated our NT4 domain to samba 3.0.20b/ldap backend with "net rpc
> vampire", and nearly everything works as expected. But one big problem
> remains: it's not possible to log in to the domain's member machines now,
> because "the domain is not available at the moment" (translated from
> German). After the machine rejoined the samba domain, login works. (But
> this is not an option for our ~500 machines...)

I have to comment on my own post. I looked at the system event log of the client machine and found the following error message from the netlogon service:

"The domain of this computer (UNIWH) has been downgraded from Windows 2000 or newer to Windows NT4 or older. This computer cannot function properly in this case for authentication purposes. This computer needs to rejoin the domain. The following error occurred: There are currently no logon servers available to service the logon request."

Aha. That's a clear statement. It's true that the DC was downgraded from Windows 2000 to NT4, because the original domain is Windows 2000/AD running in mixed mode, but every reference to "net rpc vampire" and "AD in mixed mode" says that this works. Is it possible that "net rpc vampire" works only partially when used with AD/mixed mode?

BTW: I'm not the first to encounter this problem. Another samba user (Kang Sun) reported exactly the same problem about a year ago, but didn't get an answer.

HELP!!!

Thanks.

Christoph