Jean-François Morcillo
2015-Mar-03 11:11 UTC
[Samba] Synchronization problems between Win2k8R2 and samba
Hello,

I have a small test network with a Win2k8R2 DC.

I've added a samba4 as second DC in this network.
The join seems to run smoothly.

But, after the join, this command:

ldapsearch -LLL -x -H ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b "dc=test,dc=dom" "(SAMAccountName=Administrateur)"

returns some strange results:
- some attributes like unicodePwd and supplementalCredentials are missing
- lots of attributes are base64 encoded, example:
  description:: Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24
  (for information, python base64.decodestring('Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=') gives 'Compte d\xe2\x80\x99utilisateur d\xe2\x80\x99administration')

On the 4 tests I did, I always get the same result.
Is that normal or is something going wrong?

Regards
--
Jean-François
Rowland Penny
2015-Mar-03 11:56 UTC
[Samba] Synchronization problems between Win2k8R2 and samba
On 03/03/15 11:11, Jean-François Morcillo wrote:
> Hello,
>
> I have a small test network with a Win2k8R2 DC.
>
> I've added a samba4 as second DC in this network.
> The join seems to run smoothly.
>
> But, after the join, this command: ldapsearch -LLL -x -H
> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b
> "dc=test,dc=dom" "(SAMAccountName=Administrateur)"
> returns some strange results:
> - some attributes like unicodePwd and supplementalCredentials are missing
> - lots of attributes are base64 encoded, example:
>   description:: Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24
> (for information python
> base64.decodestring('Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=')
> gives 'Compte d\xe2\x80\x99utilisateur d\xe2\x80\x99administration')
>
> On the 4 tests I did, I always get the same result.
> Is that normal or is something going wrong ?
>
> Regards

OK, quite normal: you are dealing with AD now, not OpenLDAP. You could try the ldb tools instead:

ldbsearch -H ldap://dc01.example.com -b "DC=example,DC=com" -s sub "(SAMAccountName=Administrator)" -UAdministrator
Password for [example\Administrator]:
# record 1
dn: CN=Administrator,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20140812094102.0Z
uSNCreated: 3545
name: Administrator
objectGUID: cec3979c-c005-4047-a5bf-161eb3a1af97
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130523100620000000
primaryGroupID: 513
objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
adminCount: 1
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
userAccountControl: 66048
accountExpires: 0
whenChanged: 20140812105552.0Z
uSNChanged: 3774
distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com

But there are still missing attributes; this is again by design. You could try adding the attribute you want:

ldbsearch -H ldap://dc01.example.com -b "DC=example,DC=com" -s sub "(SAMAccountName=Administrator)" unicodePwd -UAdministrator
Password for [example\Administrator]:
# record 1
dn: CN=Administrator,CN=Users,DC=example,DC=com

Hmm, still not there. You could try running this on the DC, but you would still get the same result: you need to run the command on the DC *and* use the path to the ldb file:

ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s sub "(SAMAccountName=Administrator)" unicodePwd -UAdministrator
# record 1
dn: CN=Administrator,CN=Users,DC=example,DC=com
unicodePwd:: XnbXXXXXIXZ31WwXXXXYpXXX

Not that it gets you anywhere, you would now have to crack the password (and no, that is not a real password).

What I am trying to say is, there are attributes in AD that you need to explicitly ask for, some of which you cannot read anyway. Passwords on AD need to be changed over port 636 (SSL).

Rowland
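As an added illustration of the two points in this exchange (the "attr:: value" base64 form ldapsearch uses for non-ASCII values, and attributes such as unicodePwd that the server simply does not return over LDAP), here is a small LDIF record parser in Python. This is example code written for this thread, not code from either poster or from Samba; the sample record is constructed to mirror the output quoted above.

```python
import base64
from typing import Dict, List

# Constructed sample record, modelled on the ldapsearch output quoted in the
# thread: a "::" base64 value, a folded line, a comment, and no unicodePwd.
SAMPLE_LDIF = """\
# record 1
dn: CN=Administrateur,CN=Users,DC=test,DC=dom
objectClass: top
objectClass: user
sAMAccountName: Administrateur
description:: Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=
objectCategory: CN=Person,CN=Schema,CN=Configuration,
 DC=test,DC=dom
"""

def unfold(ldif: str) -> List[str]:
    """Logical LDIF lines: join continuation lines (leading space) onto the
    previous line, drop comments and blank lines."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def parse_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF record into attribute -> list of values. 'attr:: value'
    is base64, which ldapsearch emits for any value that is not safe ASCII
    (the French description contains U+2019). Decoded bytes are returned as
    UTF-8 text; bytes that are not valid UTF-8 are kept as hex."""
    entry: Dict[str, List[str]] = {}
    for line in unfold(ldif):
        i = line.index(":")
        if line.startswith("::", i):
            raw = base64.b64decode(line[i + 2:].strip())
            try:
                value = raw.decode("utf-8")
            except UnicodeDecodeError:
                value = raw.hex()
        else:
            value = line[i + 1:].strip()
        entry.setdefault(line[:i], []).append(value)
    return entry

def missing_attributes(entry: Dict[str, List[str]], wanted: List[str]) -> List[str]:
    """Requested attribute names the record lacks (LDAP names are case-insensitive)."""
    present = {a.lower() for a in entry}
    return [a for a in wanted if a.lower() not in present]
```

Running `missing_attributes(parse_entry(SAMPLE_LDIF), ["unicodePwd", "supplementalCredentials"])` shows exactly the gap the original post noticed: both names come back as absent, because the server never put them in the reply.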
Jean-François Morcillo
2015-Mar-04 08:45 UTC
[Samba] Synchronization problems between Win2k8R2 and samba
On 03/03/2015 12:56, Rowland Penny wrote:
> On 03/03/15 11:11, Jean-François Morcillo wrote:
>> Hello,
>>
>> I have a small test network with a Win2k8R2 DC.
>>
>> I've added a samba4 as second DC in this network.
>> The join seems to run smoothly.
>>
>> But, after the join, this command: ldapsearch -LLL -x -H
>> ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b
>> "dc=test,dc=dom" "(SAMAccountName=Administrateur)"
>> returns some strange results:
>> - some attributes like unicodePwd and supplementalCredentials are
>> missing
>> - lots of attributes are base64 encoded, example:
>>   description::
>> Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24
>> (for information python
>> base64.decodestring('Q29tcHRlIGTigJl1dGlsaXNhdGV1ciBk4oCZYWRtaW5pc3RyYXRpb24=')
>>
>> gives 'Compte d\xe2\x80\x99utilisateur d\xe2\x80\x99administration')
>>
>> On the 4 tests I did, I always get the same result.
>> Is that normal or is something going wrong ?
>>
>> Regards
>
> OK, Quite normal, you are dealing with AD now, not Openldap, you could
> try the ldbtools instead:
>
> ldbsearch -H ldap://dc01.example.com -b "DC=example,DC=com" -s sub
> "(SAMAccountName=Administrator)" -UAdministrator
> Password for [example\Administrator]:
> # record 1
> dn: CN=Administrator,CN=Users,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Administrator
> description: Built-in account for administering the computer/domain
> instanceType: 4
> whenCreated: 20140812094102.0Z
> uSNCreated: 3545
> name: Administrator
> objectGUID: cec3979c-c005-4047-a5bf-161eb3a1af97
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 130523100620000000
> primaryGroupID: 513
> objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
> adminCount: 1
> logonCount: 0
> sAMAccountName: Administrator
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> isCriticalSystemObject: TRUE
> memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
> memberOf: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
> memberOf: CN=Enterprise Admins,CN=Users,DC=example,DC=com
> memberOf: CN=Schema Admins,CN=Users,DC=example,DC=com
> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
> userAccountControl: 66048
> accountExpires: 0
> whenChanged: 20140812105552.0Z
> uSNChanged: 3774
> distinguishedName: CN=Administrator,CN=Users,DC=example,DC=com
>
> But there are still missing attributes, this is again by design, you
> could try adding the attribute you want:
>
> ldbsearch -H ldap://dc01.example.com -b "DC=example,DC=com" -s sub
> "(SAMAccountName=Administrator)" unicodePwd -UAdministrator
> Password for [example\Administrator]:
> # record 1
> dn: CN=Administrator,CN=Users,DC=example,DC=com
>
> Hmm, still not there, you could try running this on the DC, but you
> would still get the same result, you need to run the command on the DC
> *and* use the path to the ldb file:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=example,DC=com" -s
> sub "(SAMAccountName=Administrator)" unicodePwd -UAdministrator
> # record 1
> dn: CN=Administrator,CN=Users,DC=example,DC=com
> unicodePwd:: XnbXXXXXIXZ31WwXXXXYpXXX
>
> Not that it gets you anywhere, you would now have to crack the
> password (and no, that is not a real password)
>
> What I am trying to say is, there are attributes in AD that you need
> to explicitly ask for, some of which you cannot read anyway. Passwords
> on AD need to be changed over port 636 (SSL).
>
> Rowland

Ok. Thank you very much Rowland, I got it!

In fact I don't really use ldapsearch (it was to explain briefly what I'm doing); I'm writing some python code. Nevertheless your explanation is fully relevant and, instead of using the ldap module from python, I'm now using the ldb one (and samdb?) and I can get the attributes I need.

Just for information, the python code using the ldap module to query the unicodePwd attribute works well if the first DC is samba (i.e. I can fetch the unicodePwd attribute) but it stops working if the first DC is win2k8 (in both cases, I add a samba as a second DC and I run the python script on it).

Thanks again
--
Jean-François