Web lists-archives.com

Re: [Samba] Fwd: Migrating server




Hi Harry,

When I install slapd , I didn't get the option to use MDB, so used hdb

I went through your suggestions and cleaned up the smb.conf.  Also added
the unixidpool ldif

dn: sambaDomainName=mydomain,dc=mydomain
sambaDomainName: mydomain
sambaSID: S-1-5-21-3936576374-1604348213-1812434911
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
sambaNextRid: 1001
uidNumber: 10000
gidNumber: 10000

When I tried to add a Windows 7 machine to the domain I get " Unknown user
or wrong password". I was using the "sadmin" login who is in the "sudo". I
dumped the user's details into a ldif file and imported it into ldap.  I
see the following in the /var/log/samba/log.win7ldap

 check_ntlm_password:  Checking password for unmapped user
[mydomain]\[sadmin]@[WIN7LDAP] with the new password interface
[2018/03/04 11:04:05.007209,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [mydomain]\[sadmin]@[WIN7-LDAP]
[2018/03/04 11:04:05.007372,  2] lib/smbldap.c:1018(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2018/03/04 11:04:05.008805,  3] auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'sadmin' in passdb.
[2018/03/04 11:04:05.008857,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [sadmin] FAILED with
error NT_STATUS_NO_SUCH_USER
[2018/03/04 11:04:05.008898,  3]
auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [mydomain]
was for this SAM.
[2018/03/04 11:04:05.008932,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [sadmin] -> [sadmin] FAILED
with error NT_STATUS_NO_SUCH_USER
[2018/03/04 11:04:19.544336,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.17.199 read error =
NT_STATUS_CONNECTION_RESET.


After a few retries  it comes up with "The security database is corrupted"
message in Window7

The following in /var/log/syslog

sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
sam3dom slapd[2600]: <= bdb_equality_candidates: (uid) not indexed
sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed

[2018/03/04 11:12:23.780636,  0] auth/check_samsec.c:492(check_sam_security)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_INTERNAL_DB_CORRUPTION'
[2018/03/04 11:12:23.780675,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [sadmin] FAILED with
error NT_STATUS_INTERNAL_DB_CORRUPTION
[2018/03/04 11:12:23.780713,  3]
auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [mydomain]
was for this SAM.
[2018/03/04 11:12:23.780746,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [sadmin] -> [sadmin] FAILED
with error NT_STATUS_INTERNAL_DB_CORRUPTION
[2018/03/04 11:12:37.544463,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.17.199 read error =
NT_STATUS_CONNECTION_RESET.




Any thoughts?










On Sat, Mar 3, 2018 at 4:58 AM, Harry Jede <walk2sun@xxxxxxxx> wrote:

> Hi Rob,
>
> please stay on list. Otherwise I will charge you :-)
>
> By the way I have no problem to get payed.
>
>
>
> > Hi Harry,
>
> >
>
> > The one very obvious difference is the result of this command: #
>
> > ldapsearch -xLLL -b dc=afrika,dc=xx -s sub -D
>
> > cn=admin,dc=afrika,dc=xx -w 'sambadomainname=*'
>
> > dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
>
> >
>
> > I get dn: sambaDomainName=MYDOMAIN, dc=mydomain which is different ,
>
> > should it be MYDOMAIN dc=sam3dc?
>
> I hope you have got the first line, the second will never work:
>
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
>
> dn: sambaDomainName=MYDOMAIN, dc=mydomain
>
>
>
> The difference is just one space. Remember ldap is white space sensitive!!!
>
>
>
> You may get trouble with some dns resolver libs, because you use only one
> "domain component". Search for ndots...
>
> You may also get trouble with certificate name validation for SSL/TLS
> hosts.
>
>
>
> > sambaDomainName: MYDOMAIN
>
> > sambaSID: S-1-5-21-3936576374-1604338294-181246221
>
> > sambaAlgorithmicRidBase: 1000
>
> > objectClass: sambaDomain
>
> I prefer to add here an auxiliary objectclass: sambaUnixIdPool
>
> More later on
>
>
>
> > sambaNextUserRid: 1000
>
> > sambaMinPwdLength: 5
>
> > sambaPwdHistoryLength: 0
>
> > sambaLogonToChgPwd: 0
>
> > sambaMaxPwdAge: -1
>
> > sambaMinPwdAge: 0
>
> > sambaLockoutDuration: 30
>
> > sambaLockoutObservationWindow: 30
>
> > sambaLockoutThreshold: 0
>
> > sambaForceLogoff: -1
>
> > sambaRefuseMachinePwdChange: 0
>
> > sambaNextRid: 1002
>
> >
>
> >
>
> >
>
> >
>
> > ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config
>
> > 'olcAttributeTypes=*' dn
>
> > SASL/EXTERNAL authentication started
>
> > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>
> > SASL SSF: 0
>
> > dn: cn=schema,cn=config
>
> >
>
> > dn: cn={0}core,cn=schema,cn=config
>
> >
>
> > dn: cn={1}cosine,cn=schema,cn=config
>
> >
>
> > dn: cn={2}nis,cn=schema,cn=config
>
> >
>
> > dn: cn={3}inetorgperson,cn=schema,cn=config
>
> >
>
> > dn: cn={4}samba,cn=schema,cn=config
>
> That is the minimum you need. So it is OK.
>
>
>
> >
>
> > ldapsearch -xLLL -s base -b dc=mydomain
>
> > dn: dc=mydomain
>
> > objectClass: top
>
> > objectClass: dcObject
>
> > objectClass: organization
>
> > o: mydomain
>
> > dc: mydomain
>
> OK
>
>
>
> >
>
> >
>
> >
>
> > The one thing I found is that when I tried to add a new Win10 machine
>
> > to the domain, I got wrong password. The login details I entered is
>
> > for a admin account. I then changed the password using smbpasswd and
>
> > then I got the machine was joined with another account error message
>
> OK. But what error message? What command?
>
> Please post the resulting machine account.
>
>
>
> You should first try a win 7 machine. From win 7 to current win 10
>
> the default settings for smb protocol has changed. Thanks to wanna cry.
>
> Maybe "max protocol = NT1" will help. But read man smb.conf section:
>
> client max protocol. Depending on the used clients you should go with
>
> the highest protocol level!!!
>
>
>
> > The other bits are similar to yours. Here is the smb.conf
>
> >
>
> >
>
> > [global]
>
> > workgroup = MYDOMAIN
>
> > bind interfaces only = Yes
>
> > netbios name = sam3DC
>
> > security = USER
>
> > dns forwarder = 8.8.8.8
>
> "dns forwarder" is not required, *but* if you set this entry,
>
> it should point to a local DNS server.
>
> Google is not always the best choice.
>
>
>
> > passdb backend = ldapsam:ldap://127.0.0.1/
>
> > obey pam restrictions = no
>
> That I would change to yes. If yes, pam can create the
>
> home directorys if you add users from windows tools or
>
> samba tools. The user dir is created at first logon.
>
> The template directory is /etc/skel.
>
>
>
> > ldap admin dn = cn=admin,dc=mydomain
>
> > ldap suffix = dc=mydomain
>
> > ldap group suffix = ou=Group
>
> > ldap user suffix = ou=People
>
> > ldap machine suffix = ou=Computers
>
> > ldap idmap suffix = ou=People
>
> > ldap passwd sync = No
>
> > unix password sync = Yes
>
> > passwd program = /usr/sbin/smbldap-passwd -u %u
>
> > passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>
> > ldap ssl= no
>
> >
>
> > encrypt passwords = true
>
> > password server = sam3dc
>
> What sould be the benefit ???
>
> At first you setup this host as a PDC and then you delegate
>
> to an other password server?
>
>
>
> > check password script = /usr/local/sbin/crackcheck -d
>
> > /var/cache/cracklib/cracklib_dict
>
> >
>
> > unix password sync = No
>
> You should add:
>
> ldap passwd sync = yes
>
> pam password change = yes
>
> to sync windows and unix passwords.
>
>
>
> > log level = 10 auth:5
>
> tooooooooooooo high
>
> log level = 1 auth:5
>
> makes more sense
>
>
>
> > syslog = 0
>
> > log file = /var/log/samba/log.%m
>
> > max log size = 1000
>
> >
>
> > socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
>
> > SO_SNDBUF=8192 SO_RCVBUF=8192
>
> Please remove this line. Do not ask me or any other.
>
> Just do it. It is mystic.
>
>
>
> > local master = No
>
> > domain master = No
>
> > preferred master = No
>
> If this host should be a domain controler ( primary or secondary )
>
> change all to yes
>
>
>
> Test it with nmblookup i.e.
>
> # nmblookup SCHULE
>
> querying SCHULE on 127.255.255.255
>
> 10.100.0.1 SCHULE<00>
>
>
>
> # nmblookup -M SCHULE
>
> querying SCHULE on 127.255.255.255
>
> 10.100.0.1 SCHULE<1d>
>
>
>
> # nmblookup ALIX
>
> querying ALIX on 127.255.255.255
>
> 10.100.0.1 ALIX<00>
>
>
>
> # nmblookup -M ALIX
>
> querying ALIX on 127.255.255.255
>
> querying ALIX on 10.100.255.255
>
> name_query failed to find name ALIX#1d
>
>
>
> Where SCHULE is the netbios domain name and
>
> ALIX is the PDC name.
>
>
>
> > invalid users =
>
> > hosts deny = ALL
>
> Fine, you deny all hosts on your network. What are you doing here?
>
>
>
> > load printers = Yes
>
> > printcap name = cups
>
> > printing = cups
>
> > add machine script = /usr/sbin/useradd -d /dev/null -g
>
> > machines -s /bin/false %u
>
> This will *not* add windows hosts to the ldap backend. So do not
>
> expect working windows machines.
>
>
>
> A common script is:
>
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
>
>
>
> > # Logon Options
>
> > logon script = %U.bat
>
> > logon drive = n:
>
> > domain logons = Yes
>
> >
>
> > logon home = \\%L\%u\%a\.profiles
>
> > logon home = \\%L\%U\profile
>
> Overwriting entrys in this way seems bad practice, surely it works.
>
>
>
> > logon path =
>
> >
>
> > # Browse Options
>
> > os level = 65
>
> > preferred master = Yes
>
> > local master = Yes
>
> > domain master = Yes
>
> Fine you will setup the Netbios stuff. Please remove the
>
> other lines. This one wins, because they comes later in this file.
>
>
>
> > # WINS Options
>
> > dns proxy = No
>
> > wins proxy = No
>
> > wins support = Yes
>
> >
>
> >
>
> > # Getting symlinks working for the OCEs
>
> > unix extensions = no
>
> >
>
> > # Audit settings
>
> > full_audit:prefix = %u|%I|%S
>
> > full_audit:failure = none
>
> > full_audit:success = mkdir rmdir read pread write pwrite
>
> > rename unlink
>
> > full_audit:facility = local5
>
> > full_audit:priority = notice
>
> >
>
> > [homes]
>
> > comment = Home Directories
>
> > create mask = 0700
>
> > directory mask = 0700
>
> > browseable = No
>
> > read only = No
>
> > path = %H/samba
>
> unusual, but if it works for you
>
>
>
> > vfs objects = full_audit
>
> you have silently disabled acl handling!
>
> vfs objects = acl_xattr full_audit
>
>
>
> > follow symlinks = yes
>
> risky. Remove it if possible. Otherwise change symlinks to real dirs
>
> and remove then.
>
>
>
>
>
>
>
>
>
> Check if you have a machine account for your server:
>
> # ldapsearch -xLLL 'uid=hostname$'
>
> I assume you have none.
>
>
>
> Now, the unixidpool:
>
>
>
> Add the attached ldif with:
>
> ldapmodify -x -D cn=admin,dc=mydomain -W -f unixidpool.ldif
>
>
>
> check if it is OK
>
> # ldapsearch -xLLL objectclass=sambaunixidpool
>
>
>
> Restart samba and reapply the admin password. This should add the machine
> account:
>
> smbpasswd -w <ldap admin password>
>
>
>
> If the machine account is not their, restart both samba and winbind and
> wait some seconds.
>
>
>
> The next useable uidnumber in smabaDomainName should change from 10000 to
> 10001.
>
> # ldapsearch -xLLL uidnumber=10001
>
> dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
>
> objectClass: top
>
> objectClass: sambaDomain
>
> objectClass: sambaUnixIdPool
>
> sambaDomainName: SCHULE
>
> sambaSID: S-1-5-21-1507708399-2130971284-2230424465
>
> sambaAlgorithmicRidBase: 1000
>
> sambaNextRid: 100000
>
> sambaNextUserRid: 2000
>
> sambaNextGroupRid: 100000
>
> uidNumber: 10001
>
> gidNumber: 2000
>
> sambaPwdHistoryLength: 0
>
> sambaLogonToChgPwd: 0
>
> sambaMaxPwdAge: -1
>
> sambaMinPwdAge: 0
>
> sambaLockoutDuration: 30
>
> sambaLockoutObservationWindow: 30
>
> sambaLockoutThreshold: 0
>
> sambaForceLogoff: -1
>
>
>
> have fun
>
>
>
> # cat unixidpool.ldif
>
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
>
> changetype: modify
>
> add: objectclass
>
> objectclass: sambaUnixIdPool
>
> -
>
> add: uidnumber
>
> uidnumber: 10000
>
> -
>
> add: gidnumber
>
> gidnumber: 10000
>
> -
>
>
>
> --
>
>
>
> Gruss
>
> Harry Jede
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba