samba - Mar 2017 - Provision new domain keeping users and passwords

29.03.2017 16:52, Santiago Londoño Mejía via samba
пишет:
> Hello,
> Is this procedure for samba as DC?
I'm in doubt about it, it looks like it for old-style NT Domain...
Maybe more skiiled people comment it.

> 2017-03-28 23:02 GMT-05:00, Jeanderson Soares via samba <samba at
lists.samba.org>:
>> I was able to do this by exporting and importing users (including
>> passwords) with the pdbedit samba utility.
>>
>> Look at this:
>>
Http://serverfault.com/questions/675938/migrate-samba-users-to-new-server
>> Maybe you need to change the passdb backend
>>
>> 2017-03-28 2:49 GMT-03:00 Mike Lykov via samba <samba at
lists.samba.org>:
>>
>>> 27.03.2017 22:48, Santiago Londoño Mejía via samba пишет:
>>>
>>>> Hello,
>>>>
>>>> I try to add a new dc to my domain, but the sysadmin installed
the
>>>> main dc left misconfigured dns zones that I can not remove.
>>>>
>>>> ¿Is it possible to provision the domain again using new samba
as main
>>>> dc Keeping users and passwords Of the previous dc?
>>>> The current main dc runs samba 4.4.
>>>>
>>>
>>> I am also interested in this task, I have 4.1 old (two) DC with
errors in
>>> dns zones (undeletable items) and planning upgrade to 4.5 or 4.6 .
>>>
>>>
>>> --
>>> Mike Lykov, system administrator
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>

-- 
Mike Lykov, system administrator

On Wed, 29 Mar 2017 17:30:28 +0400
Mike Lykov via samba <samba at lists.samba.org> wrote:
> 29.03.2017 16:52, Santiago Londoño Mejía via samba пишет:
> > Hello,
> > Is this procedure for samba as DC?
> 
> I'm in doubt about it, it looks like it for old-style NT Domain...
> Maybe more skiiled people comment it.
> 
I don't think creating a new domain and using the users and passwords
is going to work.

There are several problems:

Windows identifies the users etc by the RID, but this is to be found at
the end of the domain SID, so if user 'fred' has the RID 1107 and you
create a new Samba AD domain and create the user 'fred' with the same
RID, this would be a different user 'fred', because the SID would be
different.

The users password is stored in an hidden attribute which is supposed
to be unreadable, but you can read it on a Samba DC, but it is heavily
encoded. You may be able to obtain some of the users password with
pdbedit, but can you get them all ?

If you create a new domain, it will be just that, a new domain and you
will need to join all your machines to it.

Bearing all this in mind, it will probably be easier to obtain a list
of your users and groups, also get a list of which user
is a member of which group.
Create the new domain, add the users, give them a temporary password
and set the user to change their password at first logon. Add the
groups and reset the group membership.
Email the new password to the users and then one weekend, change over
to the new DC.

Rowland

Hi, Rowland.


2017-03-29 11:06 GMT-03:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Wed, 29 Mar 2017 17:30:28 +0400
> Mike Lykov via samba <samba at lists.samba.org> wrote:
>
> > 29.03.2017 16:52, Santiago Londoño Mejía via samba пишет:
> > > Hello,
> > > Is this procedure for samba as DC?
> >
> > I'm in doubt about it, it looks like it for old-style NT Domain...
> > Maybe more skiiled people comment it.
> >
>
> I don't think creating a new domain and using the users and passwords
> is going to work.
>
> There are several problems:
>
> Windows identifies the users etc by the RID, but this is to be found at
> the end of the domain SID, so if user 'fred' has the RID 1107 and
you
> create a new Samba AD domain and create the user 'fred' with the
same
> RID, this would be a different user 'fred', because the SID would
be
> different.
>
I created a user 'fred' in the old DC Domain and exported/imported to
the
new Domain (using pdbedit) and I was able to login on a windows
machine(member of the new domain)  normally (except that the user account
has expired).

(old dc domain)# pdbedit -v fred
User SID:             S-1-5-21-*3914450021-4001743833-916707020*-45772

(new dc domain)# pdbedit -v fred
User SID:             S-1-5-21-*1365935180-2367880061-2796624718*-45772

The SID really changed. Maybe i can get troubles in the future.

> The users password is stored in an hidden attribute which is supposed
> to be unreadable, but you can read it on a Samba DC, but it is heavily
> encoded. You may be able to obtain some of the users password with
> pdbedit, but can you get them all ?
>
Another way to accomplish this would be by exporting the user NTHASH. And i
can do this for all the users:

(old dc domain)# pdbedit -w fred
fred:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
*A87F3A337D73085C45F9416BE5787D86*:[U          ]:LCT-58DBE291:

(new dc domain)# pdbedit fred --set-nt-hash
*A87F3A337D73085C45F9416BE5787D86*

But you will need to create the user before.

> If you create a new domain, it will be just that, a new domain and you
> will need to join all your machines to it.
>
> Bearing all this in mind, it will probably be easier to obtain a list
> of your users and groups, also get a list of which user
> is a member of which group.
> Create the new domain, add the users, give them a temporary password
> and set the user to change their password at first logon. Add the
> groups and reset the group membership.
> Email the new password to the users and then one weekend, change over
> to the new DC.
>
> That sounds the best way. Thanks for the clarifications!
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba
wrote:
> The users password is stored in an hidden attribute which is supposed
> to be unreadable, but you can read it on a Samba DC, but it is
> heavily
> encoded. You may be able to obtain some of the users password with
> pdbedit, but can you get them all ?
To be clear, by design pdbedit can obtain all the unicodePwd values
(the NT hash) for users in the domain.  For clarity this is the same
underlying value as the sambaNTPassword in traditional 'Samba3' domains
using LDAP.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba