29.03.2017 16:52, Santiago Londoño Mejía via samba writes:
> Hello,
> Is this procedure for samba as DC?

I'm in doubt about it, it looks like it for old-style NT Domain... Maybe more skilled people comment it.

> 2017-03-28 23:02 GMT-05:00, Jeanderson Soares via samba <samba at lists.samba.org>:
>> I was able to do this by exporting and importing users (including
>> passwords) with the pdbedit samba utility.
>>
>> Look at this:
>> http://serverfault.com/questions/675938/migrate-samba-users-to-new-server
>> Maybe you need to change the passdb backend
>>
>> 2017-03-28 2:49 GMT-03:00 Mike Lykov via samba <samba at lists.samba.org>:
>>
>>> 27.03.2017 22:48, Santiago Londoño Mejía via samba writes:
>>>
>>>> Hello,
>>>>
>>>> I try to add a new dc to my domain, but the sysadmin who installed the
>>>> main dc left misconfigured dns zones that I can not remove.
>>>>
>>>> ¿Is it possible to provision the domain again using new samba as main
>>>> dc, keeping users and passwords of the previous dc?
>>>> The current main dc runs samba 4.4.
>>>>
>>>
>>> I am also interested in this task, I have 4.1 old (two) DC with errors in
>>> dns zones (undeletable items) and planning upgrade to 4.5 or 4.6.
>>>
>>> --
>>> Mike Lykov, system administrator
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba

--
Mike Lykov, system administrator
Rowland Penny
2017-Mar-29 14:06 UTC
[Samba] Provision new domain keeping users and passwords
On Wed, 29 Mar 2017 17:30:28 +0400 Mike Lykov via samba <samba at lists.samba.org> wrote:
> 29.03.2017 16:52, Santiago Londoño Mejía via samba writes:
> > Hello,
> > Is this procedure for samba as DC?
>
> I'm in doubt about it, it looks like it for old-style NT Domain...
> Maybe more skilled people comment it.

I don't think creating a new domain and using the users and passwords is going to work.

There are several problems:

Windows identifies the users etc. by the RID, but this is to be found at the end of the domain SID, so if user 'fred' has the RID 1107 and you create a new Samba AD domain and create the user 'fred' with the same RID, this would be a different user 'fred', because the SID would be different.

The user's password is stored in a hidden attribute which is supposed to be unreadable, but you can read it on a Samba DC, but it is heavily encoded. You may be able to obtain some of the users' passwords with pdbedit, but can you get them all?

If you create a new domain, it will be just that, a new domain and you will need to join all your machines to it.

Bearing all this in mind, it will probably be easier to obtain a list of your users and groups, also get a list of which user is a member of which group.
Create the new domain, add the users, give them a temporary password and set the user to change their password at first logon. Add the groups and reset the group membership.
Email the new password to the users and then one weekend, change over to the new DC.

Rowland
Jeanderson Soares
2017-Mar-29 17:31 UTC
[Samba] Provision new domain keeping users and passwords
Hi, Rowland.

2017-03-29 11:06 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Wed, 29 Mar 2017 17:30:28 +0400
> Mike Lykov via samba <samba at lists.samba.org> wrote:
>
> > 29.03.2017 16:52, Santiago Londoño Mejía via samba writes:
> > > Hello,
> > > Is this procedure for samba as DC?
> >
> > I'm in doubt about it, it looks like it for old-style NT Domain...
> > Maybe more skilled people comment it.
> >
>
> I don't think creating a new domain and using the users and passwords
> is going to work.
>
> There are several problems:
>
> Windows identifies the users etc. by the RID, but this is to be found at
> the end of the domain SID, so if user 'fred' has the RID 1107 and you
> create a new Samba AD domain and create the user 'fred' with the same
> RID, this would be a different user 'fred', because the SID would be
> different.

I created a user 'fred' in the old DC Domain and exported/imported to the new Domain (using pdbedit) and I was able to login on a windows machine (member of the new domain) normally (except that the user account has expired).

(old dc domain)# pdbedit -v fred
User SID: S-1-5-21-3914450021-4001743833-916707020-45772

(new dc domain)# pdbedit -v fred
User SID: S-1-5-21-1365935180-2367880061-2796624718-45772

The SID really changed. Maybe I can get troubles in the future.

> The user's password is stored in a hidden attribute which is supposed
> to be unreadable, but you can read it on a Samba DC, but it is heavily
> encoded. You may be able to obtain some of the users' passwords with
> pdbedit, but can you get them all?

Another way to accomplish this would be by exporting the user NTHASH. And I can do this for all the users:

(old dc domain)# pdbedit -w fred
fred:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:A87F3A337D73085C45F9416BE5787D86:[U ]:LCT-58DBE291:

(new dc domain)# pdbedit fred --set-nt-hash A87F3A337D73085C45F9416BE5787D86

But you will need to create the user before.

> If you create a new domain, it will be just that, a new domain and you
> will need to join all your machines to it.
>
> Bearing all this in mind, it will probably be easier to obtain a list
> of your users and groups, also get a list of which user
> is a member of which group.
> Create the new domain, add the users, give them a temporary password
> and set the user to change their password at first logon. Add the
> groups and reset the group membership.
> Email the new password to the users and then one weekend, change over
> to the new DC.

That sounds the best way. Thanks for the clarifications!

> Rowland
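The export/import step described in the message above, as an added Python example that is not from the thread or from Samba itself: it parses the smbpasswd(5)-format lines that `pdbedit -w` prints (the sample lines and their hashes are constructed placeholders, not real credentials), separates accounts whose NT hash can be re-set on the new DC with `pdbedit --set-nt-hash` from those that need manual handling (disabled accounts, machine and trust accounts, accounts with no stored hash), and renders the command to run on the new DC after the user has been created there.

```python
import re

# Constructed sample of `pdbedit -w` output in smbpasswd(5) format; the hashes
# are made-up placeholders, not real credentials. Field layout:
#   user:uid:LMHASH:NTHASH:[flags]:LCT-<hex last-change time>:
SAMPLE_EXPORT = """\
fred:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-58DBE291:
alice:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[UD         ]:LCT-58DBE291:
pc01$:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:00112233445566778899AABBCCDDEEFF:[W          ]:LCT-58DBE291:
broken:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-58DBE291:
"""

# A usable NT hash is exactly 32 hex digits; a run of 'X' means no hash stored.
NTHASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_export(text):
    """Yield (user, nthash, flags) for every smbpasswd-format line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError("malformed smbpasswd line: %r" % line)
        user, _uid, _lmhash, nthash, flags = fields[:5]
        # flags come as "[U          ]"; keep only the letters (U, D, W, I, N, X ...)
        yield user, nthash, flags.strip("[] ")


def plan_migration(text):
    """Split an export into accounts whose NT hash can be re-set on the new DC
    and accounts that need manual handling. Returns (ok, skipped)."""
    ok, skipped = [], []
    for user, nthash, flags in parse_export(text):
        if "W" in flags or "I" in flags:
            skipped.append((user, "machine/trust account: re-join the new domain"))
        elif "D" in flags:
            skipped.append((user, "disabled on the old DC: do not carry over"))
        elif not NTHASH_RE.match(nthash):
            skipped.append((user, "no usable NT hash: set a temporary password"))
        else:
            ok.append((user, nthash.upper()))
    return ok, skipped


def set_hash_command(user, nthash):
    """Command to run on the NEW DC once the user has been created there."""
    return "pdbedit %s --set-nt-hash %s" % (user, nthash)
```

The export contains password-equivalent material, so keep it off shared disks and delete it once the new DC has accepted the hashes.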
Andrew Bartlett
2017-Mar-29 19:18 UTC
[Samba] Provision new domain keeping users and passwords
On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> The user's password is stored in a hidden attribute which is supposed
> to be unreadable, but you can read it on a Samba DC, but it is
> heavily encoded. You may be able to obtain some of the users' passwords with
> pdbedit, but can you get them all?

To be clear, by design pdbedit can obtain all the unicodePwd values (the NT hash) for users in the domain.

For clarity this is the same underlying value as the sambaNTPassword in traditional 'Samba3' domains using LDAP.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba