Nathan Mahu
2011-May-02 09:50 UTC
[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery
Hello everyone,

I am operating a migration of samba from 3.0.24 (mysql passdb backend) to 3.5.6 (openldap passdb), samba working as a domain controller (PDC) and file share. The main challenge is to provide a seamless migration for users.
For this new version, I am using smbldap-tools 0.9.6, nss_ldap, openldap 2.4. Everything runs on FreeBSD 8.2.

To get used to samba, I have managed to make samba 3.5 work as a new domain, computers joining it, etc... But since I want a seamless migration, I now try to provide enough information to samba 3.5 to auth users like the old version.

Currently, I can't manage to have machine accounts which can be on the new domain with the samba root login, without joining the domain through the windows manual procedure.
The new domain has the same "netbios name", "workgroup", domain SID, local SID. And now the challenge is to fill accounts (users but first workstation/machine) in ldap.
I have copied and pasted every *.tdb file from the old samba to the new: /var/db/samba/*.tdb and /usr/local/etc/samba/*.tdb (+ smbpasswd file).
Moreover, to test everything, I have a computer which has an ethernet interface toward the old working samba, and another one toward the new domain. When I try to switch from the old to the new samba, I shut down the right interface, log off and try to log on with the root login of the new samba (I always wait a few minutes in order to have the new pdc "recognized").
As I read that someone was able to upgrade his samba seamlessly by shutting down computers & samba (old & new), then starting the new samba, then the computers, I have tried this procedure each time. However, I don't believe it is the problem: logs are the same if I do the "shutdown/start" procedure or the simple "logoff/logon" procedure.

I put at the end of this mail ldap entries for each step made. So first is the reference of a working machine account (achieved by joining the "new" domain manually) [1].

Here are the steps I have made:

1. I'm adding a machine account using:

   #smbldap-useradd -W machine_account$

   Then I provide my machine account the same SID in ldap using:

   #pdbedit machine_account$ -U S-1-5-21-720590779-4203916555-4014520812-11343

   The result is [2], and I can't log on with it. Logs tell me something like "Workstation machine_account$ doesn't have a password"... Indeed, no sambaNTPassword here!

2. I want to manually provide sambaNTPassword. Here, no samba command (pdbedit, smbpasswd) provides me a way to do it; the only way I found is to add it directly into LDAP (ldapadd or mod, ...) [3].

   As we could predict, it doesn't work (logon as root). Since "sambaNTPassword" comes during the manual join procedure, it must be some kind of exchange between the workstation and the PDC.

3. The second idea is to import the old passdb backend into the new one (ldap) using:

   #pdbedit -e tdbsam:export.tdb

   on the old PDC, and then on the new PDC:

   #pdbedit -i tdbsam:export.tdb

   Everything works fine for import/export, giving me [4]. Trying to log on with this fails: "Failed to find UNIX account for thorin$". If I manually add the fields needed for a UNIX account (objectClass: posixAccount, etc...), it fails on a "credentials check fails" (same as step 1 when sambaNTPassword was missing).

CONCLUSION:
In my opinion, it appears that sambaNTPassword is needed for workstation authentication and can be provided only by joining the domain manually (Computer -> Manage -> etc...).

Ideas are seriously running out; I find very little about sambaNTPassword and particularly about when (during the joining process?), where (is it stored on the workstation? in a samba file? only in the passdb backend?) and why (security reasons I guess, avoiding name spoofing etc...? Not a crucial question).
Any help would be welcome!
REFERENCES LDAP ENTRIES:

[1] Working machine account:
-------------------------------------------------------------------------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: thorin$
uid: thorin$
uidNumber: 1004
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
displayName: THORIN$
sambaNTPassword: 4EC5FEF69FA166F519DF8A31631E1DB2
sambaPwdLastSet: 1304080571
sambaAcctFlags: [W ]
-------------------------------------------------------------------------------------------

[2] Machine account from command #smbldap-useradd -W, with a corrected SID:
-------------------------------------------------------------------------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
cn: thorin$
uid: thorin$
uidNumber: 1002
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1304078541
sambaAcctFlags: [W ]
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaPrimaryGroupSID: S-1-5-21-720590779-4203916555-4014520812-515
displayName: thorin$
sambaDomainName: DOMAIN
-------------------------------------------------------------------------------------------

[3] Same as above with a sambaNTPassword field entered through LDIF:
-------------------------------------------------------------------------------------------
// same as above
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
-------------------------------------------------------------------------------------------

[4] Entry from import:
-------------------------------------------------------------------------------------------
dn: uid=thorin$,ou=Computers,dc=domain,dc=com
uid: thorin$
sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
sambaLogonScript: netlogon.bat
sambaLogonTime: 0
sambaLogoffTime: 0
sambaKickoffTime: 0
sambaPwdCanChange: 1303228739
sambaPwdMustChange: 2147483647
sambaNTPassword: A6BB9BBC6C2E49506BF447CB9667DC2B
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1303228739
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
sambaAcctFlags: [W ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
objectClass: sambaSamAccount
objectClass: account
-------------------------------------------------------------------------------------------
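The comparison the poster is doing by hand (a working entry [1] against [2], [3] and [4]) can be turned into a checklist. The script below is an added example, not code from the thread, from Samba or from smbldap-tools: it parses LDIF text and reports, for each machine-account entry, which of the three gaps behind the three log messages quoted in the thread it has (no sambaNTPassword, no posixAccount part, no 'W' in sambaAcctFlags). The sample LDIF and the hash value in it are constructed placeholders, and the tiny LDIF reader only handles the one-line "attr: value" form used in the thread.

```python
"""Checklist for Samba 3 machine-account LDIF entries (added example; not
code from the thread, Samba or smbldap-tools). Each entry is checked for
the three gaps that produced the thread's three log messages:
  no sambaNTPassword       -> "Workstation ... doesn't have a password"
  no posixAccount class    -> "Failed to find UNIX account for ..."
  no 'W' in sambaAcctFlags -> "not a workstation trust account"
SAMPLE_LDIF is constructed; its hash value is a placeholder."""
import re
from collections import defaultdict

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

SAMPLE_LDIF = """
# shaped like a smbldap-useradd -W result: POSIX part, no NT hash
dn: uid=thorin$,ou=Computers,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: thorin$
sambaAcctFlags: [W          ]
-------------------------------------------
# shaped like a pdbedit -i import: NT hash, no POSIX part
dn: uid=gimli$,ou=Computers,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: account
uid: gimli$
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaAcctFlags: [W          ]
-------------------------------------------
# shaped like the -wi attempt: complete, but flagged as a user
dn: uid=balin$,ou=Computers,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: balin$
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaAcctFlags: [UX         ]
-------------------------------------------
# shaped like the account created by joining from the workstation
dn: uid=dwalin$,ou=Computers,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: dwalin$
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaAcctFlags: [W          ]
"""


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines grouped by 'dn:'; blank
    lines, '#'/'//' comments and dashed separators are skipped."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")) or set(line) == {"-"}:
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            cur = defaultdict(list)
            entries.append(cur)
        if cur is not None:
            cur[attr].append(value)
    return [dict(e) for e in entries]


def check_machine_account(entry):
    """Problems for one parsed entry; an empty list means it looks complete."""
    problems = []
    if not entry.get("uid", [""])[0].endswith("$"):
        problems.append("uid does not end with '$'")
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "posixaccount" not in classes:
        problems.append("no posixAccount: 'Failed to find UNIX account'")
    if "sambasamaccount" not in classes:
        problems.append("no sambaSamAccount objectClass")
    nthash = entry.get("sambaNTPassword", [""])[0]
    if not nthash:
        problems.append("no sambaNTPassword: 'doesn't have a password'")
    elif not HEX32.match(nthash):
        problems.append("sambaNTPassword is not 32 hex digits")
    if "W" not in entry.get("sambaAcctFlags", [""])[0]:
        problems.append("no 'W' flag: 'not a workstation trust account'")
    return problems


def audit(text):
    """Map each dn to its list of problems."""
    return {e["dn"][0]: check_machine_account(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, probs in audit(SAMPLE_LDIF).items():
        print(dn, "->", probs or "ok")
```

Run it against the output of `ldapsearch -LLL` for `ou=Computers` to see, entry by entry, which piece is missing before trying a logon; a passing entry still only works if the hash value is the one the workstation actually holds.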
Nathan Mahu
2011-May-05 12:31 UTC
[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery
Still no idea?
Does anyone know about sambaNTPassword?
Has no one ever experienced issues doing a seamless migration?

On 02/05/2011 11:50, Nathan Mahu wrote:
> Hello everyone,
> [...]
L.P.H. van Belle
2011-May-05 12:38 UTC
[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery
Did you update your samba.schema in ldap and did you reindex your ldap database?

Greetz,

Louis

>-----Original message-----
>From: nmahu at cyanide-studio.com [mailto:samba-bounces at lists.samba.org] On behalf of Nathan Mahu
>Sent: 2011-05-05 14:32
>To: samba at lists.samba.org
>Subject: Re: [Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery
>
>Still no idea?
>Does anyone know about sambaNTPassword?
>Has no one ever experienced issues doing a seamless migration?
>
>On 02/05/2011 11:50, Nathan Mahu wrote:
>> Hello everyone,
>> [...]
Nathan Mahu
2011-May-06 15:02 UTC
[Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery
Thank you one more time for your help Louis! But I still fail :-(

### FIRST ANSWER ###

Back to my first mail, the third step (ldif [3]), I was saying "adding posixAccount object", but I added the "top" object too. That was the idea: comparing a working ldif with the others and manually tweaking each field.

Concerning the "getent passwd", I see every account that has a "posixAccount" object filled. It works for both automatic & manual add of the posixAccount part. More precisely, when "posixAccount" is missing, logs tell me about it; when I add it manually (ldif process), it finds the Unix account.

About "displayName: THORIN$", it is filled when I manually joined the domain to create the working LDIF. I have tried 2 or 3 times to add it, but honestly, I think a "displayName" is only a superficial thing... Moreover, with a thorin$ account WITHOUT displayName, in samba logs requests to ldap are made with "THORIN$" and acknowledged with "thorin$ found". It uses the cn field; I really don't think displayName is important.

"The [2] ldif looks like a user account". I don't get what makes you think that. However, user accounts and machine accounts are really close in samba. Cn names have a $ for computers, and each time (for [1] to [3]), it is "dn: uid=thorin$,ou=Computers,dc=domain,dc=com", meaning it is in the right OU. Accounts added by smbldap-tools go in the right OU according to whether it is a machine or user account.

Finally, "smbldap-useradd -wi machine_account$" fails with the following log: "WORKSTATION secure channel requested but not a workstation trust account" [...] "failed to get machine password for account THORIN$ : NT_STATUS_NO_TRUST_SAM_ACCOUNT". Important about this: the LDIF presents flags as [UX] and not the good old machine flag [W]... I'm not sure trust account stuff is for simple workstations but honestly, I haven't read much about it.

On 06/05/2011 09:28, L.P.H. van Belle wrote:
> Hi,
>
> compare the working computer ldif and the not working ldif.
> the import ldif is missing
> [2]
>>>>>> objectClass: top
> I don't know if it's needed, but you can try it.
>
> if you do getent passwd on the new samba server, does it display your
> new computer account.
> Also, I see.
> in [1]
> displayName: THORIN$
>>>>>> uidNumber: 1004
>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-1003
> and [2]
> displayName: thorin$
>>>>>> uidNumber: 1002
>>>>>> sambaSID: S-1-5-21-720590779-4203916555-4014520812-11343
>>>>>> sambaLogonTime: 0
>>>>>> sambaLogoffTime: 2147483647
>>>>>> sambaKickoffTime: 2147483647
>>>>>> sambaPwdCanChange: 0
>>>>>> sambaPwdMustChange: 2147483647
>>>>>> sambaPwdLastSet: 1304078541
> make sure it's how your computer name (displayName) is, caps and no caps.
> I'm trying to narrow down the options here..
> Also the computer [2] looks like a newly created user, not a computer.
>
> is the new computer in the correct OU?
> smbldap-useradd --help | grep unit
> -o add the user in the organizational unit (relative to the user
> suffix. Ex: 'ou=admin,ou=all')
> ( see user as computer )
>
> also can you try
> smbldap-useradd -wi machine_account$
> and report back the results.
>
>
> Louis

On 06/05/2011 09:32, L.P.H. van Belle wrote:
> and I found this.
>
> "When migrating an existing machine account, you also have to invoke
> smbldap-useradd -a computername$ after creating the account in order to
> allow storing of encrypted password into the sambaNTPassword entry."
>
> Louis

### SECOND ANSWER ###

I think it is very much like using "smbldap-useradd -W thorin$"... However I have made some tries to create the account in two steps, after importing the machine account, or after creating it manually with only -w, etc... It always fails with the "credential checks" wrong.

Moreover, I found this: http://www.mail-archive.com/linux-390 at vm.marist.edu/msg30492.html
It seems it is possible to enter the missing fields (sambaNTPassword) with a simple ldif and make it work. I tried 3 or 4 times with different approaches (import machine account, manual create, etc..). SAME ERROR. I really don't get it. And it really misses some documentation on low-level functionalities to create some little hacks to be able to proceed with a seamless migration.

>> -----Original message-----
>> From: Nathan Mahu [mailto:nmahu at cyanide-studio.com]
>> Sent: 2011-05-05 18:22
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] Issue providing seamless migration (3.0.24 to 3.5.6) - sambaNTPassword mystery
>>
>> Sum up: still not working.
>>
>> Thank you for your attention Louis.
>>
>> "After updating the LDAP schema, do not forget to re-index the LDAP
>> database." - Some Samba-guide
>>
>> 1. My schema is up to date since my old PDC wasn't using LDAP (but
>> mysql); the new PDC gave its OpenLDAP a fresh schema (3.5.6).
>>
>> 2. However, I've tried reindexing after changes made through raw LDIF. I
>> think indexes are just made to speed up search in LDAP, but I am so
>> desperate that I tested.
>> I remade the third procedure described in my original mail: after each
>> modification made through ldif, I have reindexed everything (slapd stop
>> - slapindex - slapd start). Nothing new: "credential fail".
>> By the way, I have never seen any site saying "after an ldif
>> modification, run slapindex".
>>
>> On 05/05/2011 14:38, L.P.H. van Belle wrote:
>>> Did you update your samba.schema in ldap and did you reindex your ldap database?
>>> Greetz,
>>>
>>> Louis
>>>
>>>> [...]