Hello,
I have been trying to migrate our current Samba3/OpenLDAP system to Samba 4 with AD... As there are a lot of services running off LDAP at the moment, I don't think I can simply run the samba3 migrate and switch off the LDAP system. Instead I was planning to run both systems side by side for the moment until I can work through all the different applications. To do this I was trying to construct a synchronization script that replicated data between the 2 systems. This is almost working, but I am having difficulty with passwords. In the LDAP system we have userPassword (which the unix applications use) and sambaNTPassword (which Samba 3 and, I think, some other services like L2TP and PPTP Windows clients use). I have been trying to figure out if it is possible to get the 'sambaNTPassword' attribute to work with Samba 4; the migrate script seems to do it somehow. Or is Samba 4 using something different to hash with? At the moment I can only change the password if I have clear text. Looking at the code, it seems to do some kind of switch: if the first character is a " then it assumes a plain text password follows, otherwise some kind of hash is assumed.

ie example test program to set and read back a password:

#!/usr/bin/env python
import base64
import subprocess

sam_file = "/usr/local/samba/private/sam.ldb"
user_id = "Robert Colquhoun,CN=Users,DC=bleh,DC=example,DC=com,DC=au"
# The cleartext must be wrapped in double quotes, encoded as UTF-16-LE and
# then base64-encoded for the LDIF 'unicodePwd::' form
password = "\"Test16062012\""
cmd = """ldbmodify -H %s <<EOF
dn: CN=%s
changetype: modify
replace: unicodePwd
unicodePwd:: %s
EOF
""" % (sam_file, user_id,
       base64.b64encode(password.encode('utf-16-le')).decode('ascii'))
# Note: the whole here-document, password included, is handed to 'sh -c'
# and is therefore briefly visible in the process list
print(cmd)
subprocess.call(cmd, shell=True)
cmd = """ldbsearch -H %s \"(distinguishedName=CN=%s)\" unicodePwd""" % (sam_file, user_id)
print(cmd)
subprocess.call(cmd, shell=True)

Running this results in:

# ./testchangepassword.py
ldbmodify -H /usr/local/samba/private/sam.ldb <<EOF
dn: CN=Robert Colquhoun,CN=Users,DC=bleh,DC=example,DC=com,DC=au
changetype: modify
replace: unicodePwd
unicodePwd:: IgBUAGUAcwB0ADEANgAwADYAMgAwADEAMgAiAA==
EOF

Modified 1 records successfully
ldbsearch -H /usr/local/samba/private/sam.ldb "(distinguishedName=CN=Robert Colquhoun,CN=Users,DC=bleh,DC=example,DC=com,DC=au)" unicodePwd

# record 1
dn: CN=Robert Colquhoun,CN=Users,DC=bleh,DC=example,DC=com,DC=au
unicodePwd:: GTEj2JYN+k+kPSgieq+njw==
....

ie it has converted my plain text password input into something else. What exactly? And is it compatible in any way with the previous 'sambaNTPassword' that Samba3/LDAP systems use? Thank you in advance for any help with this.

- Robert
Following up my own post:
On Sat, Jun 16, 2012 at 4:36 PM, Robert Colquhoun <[hidden email]> wrote:
> At the moment can only change the password if i have clear text.
> Looking at the code it seems to do some kind of switch if the first
> character is a " then assumes a plain text password follows otherwise
> some kind of hash is assumed.
> ie It has converted my plain text password input into something else,
> what exactly? and is it compatible in any way with the previous
> 'sambaNTPassword' that samba3/ldap systems use?

The unicodePwd appears to be the same hash as sambaNTPassword in the Samba3 LDAP, just using base64 encoding rather than the direct hex printing of the value previously. I cannot seem to set it by specifying the hash value directly, though; if I try that with ldbmodify as in the previous example I get back:

ERR: (Unwilling to perform) "setup_io: it's not allowed to set the NT hash password directly'"

Looking at the source it seems to want the "DSDB_CONTROL_PASSWORD_HASH_VALUES_OID" value enabled somehow; not sure how to do this. Thanks for any assistance.

- Robert
On Sun, Jun 17, 2012 at 4:20 PM, Robert Colquhoun
<[hidden email]> wrote:
> Looking at source it seems to want the value
> "DSDB_CONTROL_PASSWORD_HASH_VALUES_OID" value enabled somehow, not
> sure how to do this.

Ok, I can enable the above with the "--controls" flag to ldbmodify, ie modifying the previous example:

....
import base64
import binascii
import subprocess

sam_file = "/usr/local/samba/private/sam.ldb"
user_dn = "CN=Robert Colquhoun,CN=Users,DC=bleh,DC=example,DC=com,DC=au"
# 32 hex digits, exactly as stored in sambaNTPassword in the Samba 3 LDAP
ldap_samba_nt_password = "1234567890ABCDEF1234567890ABCDEF"
b64_hash = base64.b64encode(binascii.a2b_hex(ldap_samba_nt_password)).decode('ascii')
# local_oid:1.3.6.1.4.1.7165.4.3.12 is DSDB_CONTROL_PASSWORD_HASH_VALUES_OID;
# the trailing :0 is the control's criticality flag
cmd = """ldbmodify -H %s --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 <<EOF
dn: %s
changetype: modify
replace: unicodePwd
unicodePwd:: %s
EOF
""" % (sam_file, user_dn, b64_hash)
subprocess.call(cmd, shell=True)

...and it sets correctly! Took all weekend to work out :( I am guessing I am not supposed to be doing this kind of operation.

I have also had a handful of other issues getting Samba 4 working; are they supposed to be reported here? ie adding users to groups:

# samba-tool group addmembers accounts "User account that doesnt exist"
Added members to group accounts
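The relationship worked out in the last two messages (unicodePwd and sambaNTPassword both hold the NT hash, one base64-encoded, the other as hex) can be checked offline. The following is an added example, not code from the thread or from Samba: it computes the NT hash as MD4 over the UTF-16-LE password, converts between the two storage forms, compares an entry read back from sam.ldb with the Samba 3 value, and builds the LDIF that the hash-values control from the previous message expects. MD4 is implemented in pure Python because hashlib.new('md4') is missing on many OpenSSL 3 builds; the user DN and the 1234...CDEF hash in the usage section are illustrative values. One caveat for a migration: only the NT hash is stored this way, and Kerberos AES keys are derived from the cleartext, so an account populated from a hash alone works with NTLM and RC4-based Kerberos only until the user next changes the password.

```python
"""NT hash helpers for a Samba 3 (sambaNTPassword) <-> Samba 4 (unicodePwd)
sync. Added example, not from the thread. Assumes both attributes carry the
NT hash: MD4 over the UTF-16-LE encoding of the password."""
import base64
import struct

MASK32 = 0xFFFFFFFF
# Control OID quoted in the thread (DSDB_CONTROL_PASSWORD_HASH_VALUES_OID)
PASSWORD_HASH_VALUES_OID = "1.3.6.1.4.1.7165.4.3.12"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """RFC 1320 MD4 digest of a byte string (pure Python; hashlib's md4 is
    often unavailable on OpenSSL 3 systems)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                       # round 1
            t = (a + F(b, c, d) + X[i]) & MASK32
            a, b, c, d = d, _rotl(t, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                       # round 2
            k = (i % 4) * 4 + i // 4
            t = (a + G(b, c, d) + X[k] + 0x5A827999) & MASK32
            a, b, c, d = d, _rotl(t, (3, 5, 9, 13)[i % 4]), b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):                       # round 3
            t = (a + H(b, c, d) + X[order[i]] + 0x6ED9EBA1) & MASK32
            a, b, c, d = d, _rotl(t, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """NT hash: MD4 over the UTF-16-LE password (no quotes, no salt)."""
    return md4(password.encode("utf-16-le"))


def samba3_hex_to_unicodepwd(nt_hex):
    """sambaNTPassword (32 hex digits) -> value for 'unicodePwd::' in LDIF."""
    return base64.b64encode(bytes.fromhex(nt_hex)).decode("ascii")


def unicodepwd_to_samba3_hex(b64):
    """Value read back via ldbsearch as 'unicodePwd::' -> sambaNTPassword form."""
    return base64.b64decode(b64).hex().upper()


def hashes_match(unicodepwd_b64, samba_nt_hex):
    """True when the Samba 4 and Samba 3 entries hold the same NT hash."""
    return base64.b64decode(unicodepwd_b64) == bytes.fromhex(samba_nt_hex)


def hash_replace_ldif(user_dn, nt_hex):
    """LDIF that replaces unicodePwd with an existing hash. Must be fed to
    ldbmodify with --controls=local_oid:<PASSWORD_HASH_VALUES_OID>:0, as in
    the thread, or the server refuses it."""
    return ("dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n"
            % (user_dn, samba3_hex_to_unicodepwd(nt_hex)))


if __name__ == "__main__":
    print(nt_hash("password").hex())          # well-known NT hash test vector
    # Value from the thread's ldbsearch output, shown in sambaNTPassword form
    print(unicodepwd_to_samba3_hex("GTEj2JYN+k+kPSgieq+njw=="))
    # Illustrative DN and hash (not real account data)
    print(hash_replace_ldif("CN=Example User,CN=Users,DC=example,DC=com",
                            "1234567890ABCDEF1234567890ABCDEF"))
```

hashes_match is the useful piece for a sync script: run ldbsearch for unicodePwd on the Samba 4 side and read sambaNTPassword on the OpenLDAP side, and only push a hash across when they differ.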
On Sun, 2012-06-17 at 23:42 +1000, Robert Colquhoun wrote:
> On Sun, Jun 17, 2012 at 4:20 PM, Robert Colquhoun
> <[hidden email]> wrote:
> > Looking at source it seems to want the value
> > "DSDB_CONTROL_PASSWORD_HASH_VALUES_OID" value enabled somehow, not
> > sure how to do this.
> Ok can enable the above with the "--controls" flag to ldbmodify, ie
> modifying previous example:
> Took all weekend to work out :( Am guessing i am not supposed to be
> doing this kind of operation.
> I have also had a handful of other issues getting samba 4 working, are
> they supposed to be reported here?

working on S3/LDAPSAM -> S4 migration. Please *do* report any issues and work-arounds you encounter.

> ie Adding users to groups:
> # samba-tool group addmembers accounts "User account that doesnt exist"
> Added members to group accounts
On Wed, Jun 20, 2012 at 6:24 AM, Adam Tauno Williams
<[hidden email]> wrote:
> Please *do* report any issues and work-arounds you encounter.

I had some other issues with ntp (minor), bind and idmap. Our current environment is Samba 3 & OpenLDAP, all on mainly RHEL5 systems. We are trying to migrate to RHEL6 with a Samba 4 domain controller and Samba 3 file and print servers.

Firstly, with ntp I downloaded 4.2.6p5 from ntp.org to replace the RHEL6 default 4.2.4p5. Apart from removing the Red Hat patches, the diff file for the spec was much simpler than the HOWTO indicated, basically:

diff ntp.spec.orig ntp.spec
3c3
< Version: 4.2.4p8
---
> Version: 4.2.6p5
218c218
< --enable-linuxcaps
---
> --enable-linuxcaps --enable-ntp-signd
327a328
> %{_sbindir}/sntp

DNS was a bit more difficult. RHEL6 defaulted to a modified 9.7.0, which didn't work. I was going to rebuild 9.9 from source, but was nervous about getting the build right. Instead, as a temporary measure, I found a 9.9.0 rpm in the CentALT repository, which I used and which worked.

Previously all our systems have been installed with bind in a chroot-ed configuration. The samba-dlz module didn't really like the chroot environment. Basically I had to map back a Samba internal directory and the system lib directories, ie in /etc/fstab:

/usr/local/samba/lib/ /var/named/chroot/usr/local/samba/lib/ auto bind 0 0
/usr/local/samba/private/ /var/named/chroot/usr/local/samba/private/ auto bind 0 0
/lib64/ /var/named/chroot/lib64/ auto bind 0 0
/usr/lib64/ /var/named/chroot/usr/lib64/ auto bind 0 0

Not sure if I should abandon chroot altogether, or whether there is a way to build the samba-dlz module so that not so much of the machine is opened up? Possibly the HOWTO should say something about this; I think bind in chroot is pretty common, even if the advice is simply "don't do it". Just as I write this I notice Red Hat has updated their repositories to RHEL6.3, which appears to include bind 9.8.0; not sure if this is suitable for use with Samba 4?
Finally idmap.... We have an environment with lots of unix applications which depend on consistent uid and gid mapping for each user and group. To get this working I first had to write ldbmodify scripts to fix idmap.ldb so that the entries present in there were consistent with the currently installed OpenLDAP system. "samba-tool user create" did not seem to have the ability to manually specify these values when creating/synchronizing users from the existing OpenLDAP system.

Secondly, once the above was done I realized I had to create a separate idmap OU in the current OpenLDAP system for Samba 3 winbind to use on each of the fileservers. I am nervous that the different idmap systems between Samba 3, Samba 4 and the original OpenLDAP (where uid/gid is stored rfc2307) will become inconsistent and cause problems (ie users and/or applications will lose access to their files).

- Robert
On Fri, 2012-06-22 at 17:09 +1000, Robert Colquhoun wrote:
> Finally idmap....we have environment with lots of unix applications
> which depend on consistent uid and gid mapping for each user and
> group. To get this working first had to write ldbmodify scripts to
> fix idmap.ldb so that the entries present in there were consistent
> with currently installed Openldap system. "samba-tool user create"
> did not seem to have the ability to manually specify these values when
> creating/synchronizing users from the existing openldap system.
>
> Secondly once above was done realized had to create a separate idmap
> OU in the current openldap system for samba3 winbind to use on each of
> the fileservers. I am nervous that the different idmap systems
> between samba 3, samba 4 and the original openldap(where uid/gid is
> stored rfc2307) will become inconsistent and cause problems(ie users
> and/or applications will lose access to their files).

See the new parameter 'idmap_ldb:use rfc2307 = yes' so you can use the uidNumber and gidNumber values in the Samba4 directory. The new samba-tool domain classicupgrade populates these during the upgrade. Patches to allow this to be specified during samba-tool user create are welcome.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
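The inconsistency Robert is nervous about in the previous two messages (winbind on Samba 4 resolving a SID to a different uid/gid than the rfc2307 data in OpenLDAP) is something a sync script can test for before users lose access to files. The following is an added example, not code from the thread or from Samba: it parses two LDIF dumps, one of idmap.ldb (objectSid, type, xidNumber as ldbsearch prints them) and one of the OpenLDAP posix entries (sambaSID with uidNumber/gidNumber), joins them on SID and reports every id that differs or exists on one side only. The sample LDIF, SIDs and numbers are constructed; the attribute names are the ones the thread and the Samba 3 schema use. Because the OpenLDAP reader also accepts objectSid, the same check can be run against a dump of the Samba 4 user entries once 'idmap_ldb:use rfc2307 = yes' makes their uidNumber/gidNumber authoritative.

```python
"""Consistency check between Samba 4 idmap.ldb and rfc2307 ids in OpenLDAP.
Added example, not from the thread. Input is LDIF as produced by ldbsearch
and ldapsearch; the sample data below is constructed."""
import base64

# Constructed ldbsearch-style dump of idmap.ldb (invented SIDs and ids)
IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-21-1111-2222-3333-1105
cn: S-1-5-21-1111-2222-3333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 10042

# record 2
dn: CN=S-1-5-21-1111-2222-3333-1106
objectSid: S-1-5-21-1111-2222-3333-1106
type: ID_TYPE_GID
xidNumber: 3000000
"""

# Constructed ldapsearch-style dump of the OpenLDAP posix/samba entries
LDAP_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
cn:: YWxpY2U=
uidNumber: 10042
gidNumber: 1500
sambaSID: S-1-5-21-1111-2222-3333-1105

dn: cn=accounts,ou=Groups,dc=example,dc=com
cn: accounts
gidNumber: 1500
sambaSID: S-1-5-21-1111-2222-3333-1106

dn: uid=bob,ou=People,dc=example,dc=com
cn: bob
uidNumber: 10043
gidNumber: 1500
sambaSID: S-1-5-21-1111-2222-3333-1107
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]}. Handles '::' base64
    values, folded continuation lines (leading space) and '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # unfold continuation line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        records.append(current)
    return records


def idmap_by_sid(ldif_text):
    """SID -> (type, xidNumber): what Samba 4 / winbind will hand out."""
    out = {}
    for rec in parse_ldif(ldif_text):
        if "objectSid" in rec and "xidNumber" in rec:
            out[rec["objectSid"][0]] = (rec.get("type", ["?"])[0],
                                        int(rec["xidNumber"][0]))
    return out


def rfc2307_by_sid(ldif_text):
    """SID -> (type, id) from the rfc2307 side. A posixAccount contributes
    its uidNumber, a posixGroup its gidNumber; a user's own gidNumber belongs
    to the group's SID and is deliberately ignored. Accepts sambaSID
    (Samba 3 schema) or objectSid (Samba 4 directory dump)."""
    out = {}
    for rec in parse_ldif(ldif_text):
        sid = rec.get("sambaSID") or rec.get("objectSid")
        if not sid:
            continue
        if "uidNumber" in rec:
            out[sid[0]] = ("ID_TYPE_UID", int(rec["uidNumber"][0]))
        elif "gidNumber" in rec:
            out[sid[0]] = ("ID_TYPE_GID", int(rec["gidNumber"][0]))
    return out


def find_mismatches(idmap, rfc2307):
    """(sid, problem, idmap_value, ldap_value) for every SID the two systems
    map to different ids, or that only one side knows about."""
    problems = []
    for sid, (_, xid) in sorted(idmap.items()):
        if sid not in rfc2307:
            problems.append((sid, "missing in LDAP", xid, None))
        elif rfc2307[sid][1] != xid:
            problems.append((sid, "id differs", xid, rfc2307[sid][1]))
    for sid, (_, num) in sorted(rfc2307.items()):
        if sid not in idmap:
            problems.append((sid, "missing in idmap.ldb", None, num))
    return problems


if __name__ == "__main__":
    for p in find_mismatches(idmap_by_sid(IDMAP_LDIF), rfc2307_by_sid(LDAP_LDIF)):
        print("%s: %s (idmap.ldb=%s, ldap=%s)" % p)
```

On the constructed data this flags the group SID (xidNumber 3000000 from the Samba 4 auto-allocated range versus gidNumber 1500 in OpenLDAP) and the second user, who has no idmap.ldb entry yet; a real run would feed it the output of ldbsearch -H idmap.ldb and ldapsearch against the OpenLDAP tree.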
