Web lists-archives.com

Re: [Samba] Fwd: Migrating server




Hi Gruss,

At this stage there is only one server, running 3.6.25 on Ubuntu12.04. The
plan to get LDAP to work on this one. Then add the second server 4.x and
the promote it to BDC and then demote this one.  Just a side info, we
didn't want to go tdbsam in both as I read it breaks the domain trust.

The domain names are real ones.

I ran the commands you suggested, nothing in reply.  I tried ldapi:// and
ldap://sam3dc.mydomain .

Let me run through what I did ,
/etc/ldap/ldap.conf:
BASE    dc=mydomain
URI     ldap://sam3dc.mydomain
TLS_CACERT /etc/ldap/ca_certs.pem

Imported the samba.ldif from the 3.6.25 binaries.

Imported the indices

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: ou eq
olcDbIndex: mail eq
olcDbIndex: surname eq
olcDbIndex: givenname eq
olcDbIndex: loginShell eq
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
olcDbIndex: nisMapName eq
olcDbIndex: nisMapEntry eq
add: olcAccess
olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by self
write by * read
olcAccess: to
attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by
dn="cn=admin,dc=mydomain" write by self write by * none

Did the certificates, confirmed working

Added the following
dn: ou=users,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: computers

Added the unixdipool as per your email

cat unixidpool.ldif

dn: sambaDomainName=MYDOMAIN,dc=mydomain

changetype: modify

add: objectclass

objectclass: sambaUnixIdPool

-

add: uidnumber

uidnumber: 10000

-

add: gidnumber

gidnumber: 10000


Then smbpasswd -a '' bit.

Then did the pdbedit -i tdbsam -e ldapsam. This populated ldap with entries
from tdb. Then exported the /etc/passwd and /etc/group and imported using
the migration tool scripts

here is smb.conf

workgroup = MYDOMAIN
netbios name = sam3dc
security = USER
obey pam restrictions = Yes
        encrypt passwords = true

        preferred master = Yes
        local master = Yes
        domain master = Yes
        domain logons = yes
max protocol = NT1
map untrusted to domain = Yes
 os level = 65
  time server = yes
  passdb backend = ldapsam
  ldapsam:editposix = yes
  ldapsam:trusted = yes
  ldap admin dn = cn=admin,dc=mydomain
  ldap suffix = dc=mydomain
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  idmap config *: backend = ldap
  idmap config *: range = 10000-19999
  idmap config *: ldap_url = ldap://sam3dc.mydomain/
  idmap config *: ldap_base_dn = ou=idmap,dc=example,dc=com
  idmap config *: ldap_user_dn = cn=admin,dc=example,dc=com
  ldap delete dn = yes
  ldap password sync = yes
  wins support = yes
ldap ssl= no

add user script = /usr/bin/smbldap-useradd -m '%u'
        delete user script = /usr/bin/smbldap-userdel '%u'
        add group script = /usr/bin/smbldap-groupadd -p '%g'
        delete group script = /usr/bin/smbldap-groupdel '%g'
        add user to group script = /usr/bin/smbldap-groupmod -m '%g' '%u'
        delete user from group script = /usr/bin/smbldap-groupmod -x '%g'
'%u'
        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
        set primary group script = /usr/bin/smbldap-usermod -g '%g' '%u'
passwd program = /usr/sbin/smbldap-passwd -u %u

passwd chat = *New*password* %n\n *Retype*new*password* %n\n
check password script = /usr/local/sbin/crackcheck -d
/var/cache/cracklib/cracklib_dict
        add machine script   = /usr/sbin/smbldap-useradd -w "%u"

I then did some tests:
- Reverted smb.conf back to use tdbsam
- Was able to join the win7 machine to the domain, ofcourse
- Removed the win7 machine from the domain
- Changed the smb.conf back to ldapsam
- Changed the  ldapsam:trusted  to no from yes
- I was able to add Win7 machine back to the domain, possibly because the
computer account was already in place
- Then tried to add a new Windows 10 machine , with ldapsam:trusted=yes ,
same issue with db corruption
- Then changed ldapsam:trusted=no, different error message. "The specified
computer account could not be found"
- The following in the samba logs


[2018/03/04 16:37:59.448745,  2]
rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
  Returning domain sid for domain MYDOMAIN ->
S-1-5-21-3936576374-1604348213-1812465911
Use of qw(...) as parentheses is deprecated at /usr/share/perl5/
smbldap_tools.pm line 1423, <DATA> line 522.
Unable to open /etc/smbldap-tools/smbldap.conf for reading !
Compilation failed in require at /usr/sbin/smbldap-useradd line 29.
BEGIN failed--compilation aborted at /usr/sbin/smbldap-useradd line 29.
[2018/03/04 16:37:59.579160,  0]
passdb/pdb_interface.c:476(pdb_default_create_user)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
"win10-split$"' gave 2
[2018/03/04 16:38:12.723642,  4] auth/pampass.c:483(smb_pam_start)
  smb_pam_start: PAM: Init user: tadmin
[2018/03/04 16:38:12.725997,  4] auth/pampass.c:492(smb_pam_start)
  smb_pam_start: PAM: setting rhost to: 192.168.14.191
[2018/03/04 16:38:12.726044,  4] auth/pampass.c:501(smb_pam_start)
  smb_pam_start: PAM: setting tty
[2018/03/04 16:38:12.726080,  4] auth/pampass.c:509(smb_pam_start)
  smb_pam_start: PAM: Init passed for user: tadmin
[2018/03/04 16:38:12.726114,  4]
auth/pampass.c:646(smb_internal_pam_session)
  smb_internal_pam_session: PAM: tty set to: smb/2471/100
[2018/03/04 16:38:12.726451,  4] auth/pampass.c:465(smb_pam_end)
  smb_pam_end: PAM: PAM_END OK.
[2018/03/04 16:38:12.726853,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.17.191 read error =
NT_STATUS_CONNECTION_RESET.








On Mon, Mar 5, 2018 at 9:38 PM, Harry Jede <walk2sun@xxxxxxxx> wrote:

> Am Montag, 5. März 2018, 16:51:41 CET schrieb Rob Thoman:
>
> > Hi Harry,
>
> >
>
> > When I install slapd , I didn't get the option to use MDB, so used hdb
>
> OK,
>
> I have reread the thread. Some questions:
>
> Is your old server still running?
>
> Ubuntu, openldap, samba versions on old and new server
>
>
>
> I assume your old server use tdbsam and your new server ldapsam.
>
>
>
> > I went through your suggestions and cleaned up the smb.conf. Also
>
> > added the unixidpool ldif
>
> >
>
> > dn: sambaDomainName=mydomain,dc=mydomain
>
> > sambaDomainName: mydomain
>
> > sambaSID: S-1-5-21-3936576374-1604348213-1812434911
>
> > sambaAlgorithmicRidBase: 1000
>
> > objectClass: sambaDomain
>
> > objectClass: sambaUnixIdPool
>
> > sambaNextUserRid: 1000
>
> > sambaMinPwdLength: 5
>
> > sambaPwdHistoryLength: 0
>
> > sambaLogonToChgPwd: 0
>
> > sambaMaxPwdAge: -1
>
> > sambaMinPwdAge: 0
>
> > sambaLockoutDuration: 30
>
> > sambaLockoutObservationWindow: 30
>
> > sambaLockoutThreshold: 0
>
> > sambaForceLogoff: -1
>
> > sambaRefuseMachinePwdChange: 0
>
> > sambaNextRid: 1001
>
> > uidNumber: 10000
>
> > gidNumber: 10000
>
>
>
> Fine.
>
> Are the names mydomain your real and wished names,
>
> or are they coming from samdb migration?
>
>
>
> >
>
> > When I tried to add a Windows 7 machine to the domain I get " Unknown
>
> > user or wrong password". I was using the "sadmin" login who is in the
>
> > "sudo". I dumped the user's details into a ldif file and imported it
>
> > into ldap. I see the following in the /var/log/samba/log.win7ldap
>
> >
>
> > check_ntlm_password: Checking password for unmapped user
>
> > [mydomain]\[sadmin]@[WIN7LDAP] with the new password interface
>
> > [2018/03/04 11:04:05.007209, 3] auth/auth.c:222(check_ntlm_password)
>
> Indicates that you dont have a valid samba provision. Normal state
>
> after migration. Dont worry, we will fix this.
>
>
>
> ...
>
>
>
> > auth/auth_winbind.c:60(check_winbind_security)
>
> > check_winbind_security: Not using winbind, requested domain
>
> > [mydomain] was for this SAM.
>
> > [2018/03/04 11:04:05.008932, 2] auth/auth.c:319(check_ntlm_password)
>
> > check_ntlm_password: Authentication for user [sadmin] -> [sadmin]
>
> > FAILED with error NT_STATUS_NO_SUCH_USER
>
> As you can see, no winbind operation with a valid admin account,
>
> so no join.
>
>
>
> > After a few retries it comes up with "The security database is
>
> > corrupted" message in Window7
>
> Same as above
>
> > The following in /var/log/syslog
>
> >
>
> > sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not
>
> > indexed sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber)
>
> > not indexed sam3dom slapd[2600]: <= bdb_equality_candidates: (uid)
>
> > not indexed sam3dom slapd[2600]: <= bdb_equality_candidates:
>
> > (gidNumber) not indexed
>
> Your ldap db is not well indexed. This gives you bad response times,
>
> but ldap should work.
>
> > [2018/03/04 11:12:23.780636, 0]
>
> > auth/check_samsec.c:492(check_sam_security) check_sam_security:
>
> > make_server_info_sam() failed with
>
> > 'NT_STATUS_INTERNAL_DB_CORRUPTION'
>
> The DB may be corrupt or not. Until you have a valid admin account,
>
> any error is possible.
>
>
>
> >
>
> >
>
> >
>
> >
>
> > Any thoughts?
>
> 1. check your SIDs on both servers
>
> # net getdomainsid
>
> SID for local machine ALIX is: S-1-5-21-1507708399-2130971284-2230424465
>
> SID for domain SCHULE is: S-1-5-21-1507708399-2130971284-2230424465
>
>
>
> 2. Check on your new server some entrys
>
> become root!!
>
> $ sudo su -
>
> # export SID=S-1-5-21-3936576374-1604348213-1812434911
>
>
>
> 2.1 check admin
>
> # ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub
> "sambasid=$SID-500" objectclass cn sn uidnumber gidnumber
> sambaPrimaryGroupSID sambaSID 2>/dev/null
>
>
>
> 2.2 check domain admins, users and computers
>
> # for s in 512 513 515 ;do ldapsearch -LLLY EXTERNAL -H ldapi:/// -b
> dc=mydomain -s sub "sambasid=$SID-$s" 2>/dev/null;done
>
>
>
> --
>
>
>
> Gruss
>
> Harry Jede
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba