Mario Codeniera
2012-Dec-20 09:55 UTC
[Samba] Changing administrator password after Samba4 classic upgrade
I upgraded Samba3 to Samba4, almost successfully, with one problem: the administrator can't get access. The administrator is, by default, the only user account that is given full control over the system.

My query is: how do I change the administrator password? We have one account which can join the Samba 4 AD based on the migrated data, but the problem is that it can't change the administrator or alter the domain.

At first I got a problem with group 'Everyone' and 'root', which I then deleted.

*[root@gaara ambot]# /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/srv/LiveData/var_lib_samba/samba --use-xattrs=yes --dns-backend=SAMBA_INTERNAL --realm=kazekage.sura.sandbox.local /srv/smb.conf
Reading smb.conf
WARNING: Ignoring invalid value 'cups' for parameter 'printing'
Provisioning
Exporting account policy
Exporting groups
Ignoring group 'Everyone' S-1-1-0 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Exporting users
Demoting BDC account trust for naruto-konoha11, this DC must be elevated to an AD DC using 'samba-tool domain promote'
Demoting BDC account trust for naruto-kiri4y, this DC must be elevated to an AD DC using 'samba-tool domain promote'
Ignoring group memberships of 'root' S-1-5-21-1511653421-423844657-761698953-1000: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Skipping wellknown rid=501 (for username=nobody)
Demoting BDC account trust for naruto-kiri, this DC must be elevated to an AD DC using 'samba-tool domain promote'
Next rid = 105011
- (just remove the description message) -
Importing groups
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515, groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
Group already exists sid=S-1-5-32-544, groupname=Administrators existing_groupname=Administrators, Ignoring.
Group already exists sid=S-1-5-32-546, groupname=Guests existing_groupname=Guests, Ignoring.
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line 879, in upgrade_from_samba3
    add_group_from_mapping_entry(result.samdb, g, logger)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line 264, in add_group_from_mapping_entry
    str(groupmap.sid), groupmap.nt_name, msg[0]['sAMAccountName'][0])*

After that I re-ran the classic upgrade and found out that the administrator SID was wrong, and modified it to xxx-500, where xxx is the domain SID, and modified the group Administrators because there are other domain SIDs.

*- (remove the description, displaying only the last part) -
Importing idmap database
Importing groups
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515, groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
Group already exists sid=S-1-5-32-544, groupname=Administrators existing_groupname=Administrators, Ignoring.
Group already exists sid=S-1-5-32-545, groupname=Users existing_groupname=Users, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513, groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Importing users
User 'Administrator' in your existing directory has SID S-1-5-21-1511653421-423844657-761698953-20001, expected it to be S-1-5-21-1511653421-423844657-761698953-500
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: User 'Administrator' in your existing directory does not have SID ending in -500
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line 889, in upgrade_from_samba3
    raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")*

Finally I got this with no errors, but again the administrator can't log in, even using kinit. As mentioned above, I logged in as another user in Windows 7 and ran the Windows Remote Administration Tools, and was able to check that the data is successfully migrated, including administrator (but the problem is that it was changed during upgrading), and I observed it in the log (see highlighted). And every time I run samba-tool domain classicupgrade, the Admin password: (see other highlighted below) has different values (>0ngHrG~IIMHZ>DhNIP YOU<AKoN~+wPZ!Am * * SXJ96re1=zYO* *respectively).*

[root@gaara ambot]# /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/srv/LiveData/var_lib_samba/samba --use-xattrs=yes --dns-backend=SAMBA_INTERNAL --realm=kazekage.sura.sandbox.local /srv/smb.conf
Reading smb.conf
WARNING: Ignoring invalid value 'cups' for parameter 'printing'
Provisioning
Exporting account policy
Exporting groups
Exporting users
Demoting BDC account trust for naruto-konoha1, this DC must be elevated to an AD DC using 'samba-tool domain promote'
Skipping wellknown rid=500 (for username=administrator)
Demoting BDC account trust for naruto-kiri, this DC must be elevated to an AD DC using 'samba-tool domain promote'
Next rid = 105011
Exporting posix attributes
Reading WINS database
Cannot open wins database, Ignoring: [Errno 2] No such file or directory: '/srv/LiveData/var_lib_samba/samba/wins.dat'
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=kazekage,DC=sura,DC=sandbox,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting acl on sysvol skipped
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=kazekage,DC=sura,DC=sandbox,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Admin password: SXJ96re1=zYO
Server Role: active directory domain controller
Hostname: gaara
NetBIOS Domain: KAZEKAGE
DNS Domain: kazekage.sura.sandbox.local
DOMAIN SID: S-1-5-21-1511653421-423844657-761698953
Importing WINS database
Importing Account policy
Importing idmap database
Importing groups
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515, groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
Group already exists sid=S-1-5-32-545, groupname=Users existing_groupname=Users, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513, groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Importing users
Adding users to groups*

Thank you, hope someone can give insights on it.
Andrew Bartlett
2012-Dec-22 01:55 UTC
[Samba] [PATCH] Re: Changing administrator password after Samba4 classic upgrade
On Thu, 2012-12-20 at 22:55 +1300, Mario Codeniera wrote:
> I used to upgrade samba3 to samba4 with almost successful with one problem,
> administrator can't access. As administrator, by default it is the only
> user account that is given full control over the system.
>
> My query is how to change the administrator password? we have one account
> which can join to the samba 4 AD based on the migrated data but the problem
> can't change the administrator or can't alter the domain.

> After that re-run the classic upgrade, and found out that the administrator
> SID was wrong and modified to xxx-500 where xxx domain SID and modified
> group Administrators because there are other domain SIDs.
>
> *- (remove the description, displaying only the last part)
> -
> Importing idmap database
> Importing groups
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
> groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
> groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
> groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
> Group already exists sid=S-1-5-32-544, groupname=Administrators
> existing_groupname=Administrators, Ignoring.
> Group already exists sid=S-1-5-32-545, groupname=Users
> existing_groupname=Users, Ignoring.
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513,
> groupname=Domain Users existing_groupname=Domain Users, Ignoring.
> Importing users
> User 'Administrator' in your existing directory has SID
> S-1-5-21-1511653421-423844657-761698953-20001, expected it to be
> S-1-5-21-1511653421-423844657-761698953-500
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: User 'Administrator' in your existing directory does not
> have SID ending in -500
> File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 1318, in run
> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 889, in upgrade_from_samba3
> raise ProvisioningError("User 'Administrator' in your existing
> directory does not have SID ending in -500")*
>
>
> Finally got this with no errors, but again the administrator can't login
> even using the kinit. As mentioned above I used to login other user in
> Windows 7 and run the Windows Remote Administration Tools and able to check
> the data is successfully migrated including administrator (but the problem
> it was changed during upgrading) and I observed in the log see highlighted.
> And every time I run the samba-tool domain classicupgrade, the Admin
> password: (see other highlighted below) have different values (
> >0ngHrG~IIMHZ>DhNIP YOU<AKoN~+wPZ!Am * * SXJ96re1=zYO* *respectively).

This is interesting, as at one point we had logic to not show these unused passwords. I've attached a patch that should do this, let me know if it makes the output (which I agree is very, very verbose) clearer.

> *
> [root@gaara ambot]# /usr/local/samba/bin/samba-tool domain classicupgrade
> --dbdir=/srv/LiveData/var_lib_samba/samba --use-xattrs=yes
> --dns-backend=SAMBA_INTERNAL --realm=kazekage.sura.sandbox.local
> /srv/smb.conf
> Reading smb.conf

What it should have said was 'using the existing admin password of user root/administrator'.

So, try the old password, but if neither the old password nor the generated one works, you can reset it using 'samba-tool user setpassword administrator'.

> Thank you, hope someone can give insights on it.

Thanks for your patience with this.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-samba-tool-classicupgrade-Do-not-print-the-admin-pas.patch
Type: text/x-patch
Size: 1744 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20121222/0957f5ff/attachment.bin>
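
Added example (not part of the thread and not Samba's code): a small Python filter for saved classicupgrade output that masks the "Admin password:" value before a log is shared, and reports any account whose SID differs from the expected one, as in the "-500" error above. The function names and the sample log are constructed for illustration; the SID and password in it are placeholders.

```python
import re

# The credential line classicupgrade prints after provisioning.
ADMIN_PW = re.compile(r"^([ \t]*Admin password:[ \t]*)(\S.*)$", re.MULTILINE)

# The SID report for an imported account; \s+ tolerates mail-wrapped lines.
SID_REPORT = re.compile(
    r"User '(?P<user>[^']+)' in your existing directory has SID\s+"
    r"(?P<actual>S-1-5-21(?:-\d+){4}),\s+expected it to be\s+"
    r"(?P<expected>S-1-5-21(?:-\d+){4})"
)


def redact_admin_password(log_text):
    """Mask every 'Admin password:' value; return (text, lines_redacted)."""
    return ADMIN_PW.subn(r"\1[REDACTED]", log_text)


def split_sid(sid):
    """Split a SID string into (domain_sid, rid)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def find_sid_mismatches(log_text):
    """Return one dict per account whose SID differs from the expected one."""
    findings = []
    for m in SID_REPORT.finditer(log_text):
        actual_dom, actual_rid = split_sid(m["actual"])
        expected_dom, expected_rid = split_sid(m["expected"])
        findings.append({
            "user": m["user"],
            "actual_rid": actual_rid,
            "expected_rid": expected_rid,
            "same_domain": actual_dom == expected_dom,
        })
    return findings


# Constructed sample (placeholder SID and password, not taken from the thread).
SAMPLE_LOG = """\
Importing users
User 'Administrator' in your existing directory has SID S-1-5-21-1111111111-2222222222-3333333333-20001, expected it to be S-1-5-21-1111111111-2222222222-3333333333-500
Admin password:        EXAMPLE-not-a-real-password
Server Role:           active directory domain controller
"""

if __name__ == "__main__":
    redacted, count = redact_admin_password(SAMPLE_LOG)
    print(redacted)
    print(count, find_sid_mismatches(SAMPLE_LOG))
```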