Jeanderson Soares
2017-Mar-29 17:31 UTC
[Samba] Provision new domain keeping users and passwords
Hi, Rowland.

2017-03-29 11:06 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Wed, 29 Mar 2017 17:30:28 +0400
> Mike Lykov via samba <samba at lists.samba.org> wrote:
>
> > 29.03.2017 16:52, Santiago Londoño Mejía via samba writes:
> > > Hello,
> > > Is this procedure for samba as DC?
> >
> > I'm in doubt about it, it looks like it for old-style NT Domain...
> > Maybe more skilled people comment it.
>
> I don't think creating a new domain and using the users and passwords
> is going to work.
>
> There are several problems:
>
> Windows identifies the users etc by the RID, but this is to be found at
> the end of the domain SID, so if user 'fred' has the RID 1107 and you
> create a new Samba AD domain and create the user 'fred' with the same
> RID, this would be a different user 'fred', because the SID would be
> different.

I created a user 'fred' in the old DC Domain and exported/imported to the new Domain (using pdbedit) and I was able to login on a windows machine (member of the new domain) normally (except that the user account has expired).

(old dc domain)# pdbedit -v fred
User SID: S-1-5-21-*3914450021-4001743833-916707020*-45772

(new dc domain)# pdbedit -v fred
User SID: S-1-5-21-*1365935180-2367880061-2796624718*-45772

The SID really changed. Maybe I can get troubles in the future.

> The users password is stored in an hidden attribute which is supposed
> to be unreadable, but you can read it on a Samba DC, but it is heavily
> encoded. You may be able to obtain some of the users password with
> pdbedit, but can you get them all ?

Another way to accomplish this would be by exporting the user NTHASH. And I can do this for all the users:

(old dc domain)# pdbedit -w fred
fred:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:*A87F3A337D73085C45F9416BE5787D86*:[U ]:LCT-58DBE291:

(new dc domain)# pdbedit fred --set-nt-hash *A87F3A337D73085C45F9416BE5787D86*

But you will need to create the user before.

> If you create a new domain, it will be just that, a new domain and you
> will need to join all your machines to it.
>
> Bearing all this in mind, it will probably be easier to obtain a list
> of your users and groups, also get a list of which user
> is a member of which group.
> Create the new domain, add the users, give them a temporary password
> and set the user to change their password at first logon. Add the
> groups and reset the group membership.
> Email the new password to the users and then one weekend, change over
> to the new DC.
>
> That sounds the best way.

Thanks for the clarifications!

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Mike Lykov
2017-Mar-30 04:10 UTC
[Samba] Provision new domain keeping users and passwords

29.03.2017 21:31, Jeanderson Soares via samba writes:
> I created a user 'fred' in the old DC Domain and exported/imported to the
> new Domain (using pdbedit) and I was able to login on a windows
> machine(member of the new domain) normally (except that the user account
> has expired).
>
> (old dc domain)# pdbedit -v fred
> User SID: S-1-5-21-*3914450021-4001743833-916707020*-45772
>
> (new dc domain)# pdbedit -v fred
> User SID: S-1-5-21-*1365935180-2367880061-2796624718*-45772
>
> The SID really changed. Maybe i can get troubles in the future.

>> If you create a new domain, it will be just that, a new domain and you
>> will need to join all your machines to it.

If you can transfer a user with password to the new domain as described above, is this method applicable to machine accounts?

What can I do (if I want) to export/import machine accounts to the new domain?

For example, I have a machine joined to live domain DOM1, and with dns server DOM1.dc.com. I change dns to DOM2.dc.com, then import/export the machine account to DOM2 (reboot the machine if needed). Is this machine "joined" to the new domain already?

By the way, if I accidentally delete the machine account from the domain, can I restore it (in samba 4.5), or only rejoin it?

--
Mike Lykov, system administrator
Andrew Bartlett
2017-Mar-30 06:09 UTC
[Samba] Provision new domain keeping users and passwords
On Thu, 2017-03-30 at 08:10 +0400, Mike Lykov via samba wrote:
> 29.03.2017 21:31, Jeanderson Soares via samba writes:
>
> > I created a user 'fred' in the old DC Domain and exported/imported
> > to the
> > new Domain (using pdbedit) and I was able to login on a windows
> > machine(member of the new domain) normally (except that the user
> > account
> > has expired).
> >
> > (old dc domain)# pdbedit -v fred
> > User SID: S-1-5-21-*3914450021-4001743833-916707020*-
> > 45772
> >
> > (new dc domain)# pdbedit -v fred
> > User SID: S-1-5-21-*1365935180-2367880061-2796624718*-
> > 45772
> >
> > The SID really changed. Maybe i can get troubles in the future.

Yes, it will cause you trouble. You can set the domain SID during the provision, but this illustrates why I don't recommend this approach.

> > > If you create a new domain, it will be just that, a new domain
> > > and you
> > > will need to join all your machines to it.
>
> If you can transfer user with password to the new domain as
> described
> above, is this method applicable to machine's accounts?
>
> What can i do (if i want) export/import machine accounts to the new
> domain?
>
> For example, I have a machine joined to live domain DOM1, and with
> dns
> server DOM1.dc.com
>
> I change dns to DOM2.dc.com, then import/export machine account to
> DOM2,
> (reboot the machine if needed). Is this machine was "joined" to the
> new
> domain already?

No, a machine is only joined to the same domain name and SID as it started with. Machines should be re-joined (perhaps using remote tools).

> By the way, if I accidently delete the machine account from domain,
> can
> i restore it (in samba 4.5), or only rejoin it?

No, you must re-join it.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
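The thread's point is that an account copied with pdbedit keeps its RID but lands under a different domain SID, so Windows sees a different principal. The following check is an added example (not from the thread or from Samba); it parses constructed `pdbedit -v` and `pdbedit -w` output lines and reports whether the account identity survived the move.

```shell
#!/bin/sh
# Added example: verify whether a user carried over with pdbedit kept the
# same SID (same identity) or only the same RID under a new domain SID
# (the "different user 'fred'" situation described in the thread).

# Constructed sample lines in the shape of `pdbedit -v <user>` output.
OLD_PDBEDIT="User SID:             S-1-5-21-3914450021-4001743833-916707020-45772"
NEW_PDBEDIT="User SID:             S-1-5-21-1365935180-2367880061-2796624718-45772"

# Constructed sample line in the shape of `pdbedit -w <user>` output
# (smbpasswd format); the hash value is a made-up placeholder.
SMBPASSWD_LINE="fred:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:00112233445566778899AABBCCDDEEFF:[U          ]:LCT-58DBE291:"

# Pull the S-1-5-21-... value out of a pdbedit -v dump.
user_sid() {
    printf '%s\n' "$1" | sed -n 's/^User SID:[[:space:]]*\(S-1-5-21-[0-9-]*\).*/\1/p'
}

# Domain SID is everything before the last dash; RID is what follows it.
sid_domain() { printf '%s\n' "$1" | sed 's/-[0-9]*$//'; }
sid_rid()    { printf '%s\n' "$1" | sed 's/.*-//'; }

# Prints "same" when domain SID and RID both match (identity preserved),
# "rid-only" when only the RID matches (new domain SID: a different user
# from Windows' point of view), "different" otherwise.
compare_sids() {
    old=$(user_sid "$1")
    new=$(user_sid "$2")
    if [ "$old" = "$new" ]; then
        echo same
    elif [ "$(sid_rid "$old")" = "$(sid_rid "$new")" ]; then
        echo rid-only
    else
        echo different
    fi
}

# The NT hash is the fourth colon-separated field of a pdbedit -w line;
# this is the value the thread feeds to `pdbedit --set-nt-hash`.
nthash_from_smbpasswd() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Stand-alone run: report the migration outcome for the sample data.
echo "SID check: $(compare_sids "$OLD_PDBEDIT" "$NEW_PDBEDIT")"
echo "old domain SID: $(sid_domain "$(user_sid "$OLD_PDBEDIT")")"
echo "NT hash field: $(nthash_from_smbpasswd "$SMBPASSWD_LINE")"
```

A result of "rid-only" on a real pair of dumps is the signal that the provision did not carry the old domain SID, which Andrew's reply says can be set at provision time.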