Provision new domain keeping users and passwords


Provision new domain keeping users and passwords

Samba - General mailing list
Hello,

I am trying to add a new DC to my domain, but the sysadmin who installed the
main DC left misconfigured DNS zones that I cannot remove.

Is it possible to provision the domain again, using a new Samba server as the main
DC, while keeping the users and passwords of the previous DC?
The current main DC runs Samba 4.4.

Best regards,

Santiago.

--
Santiago Londoño Mejía
Infrastructure Analyst
t. (574) 605 25 23 ext. 1232
m. (57) 3148332567
Medellín | Carrera 50  C #10 Sur  80
Bogotá | Medellín | Cali
www.pragma.com.co

--

This message is confidential. It may contain privileged information belonging to PRAGMA S.A. and/or its clients, contractors, directors, employees and advisers, and therefore must not be used or disclosed by anyone other than its addressee. If you receive this message by error, mistake or omission, please delete it and notify the sender.

Its retention, recording, use or disclosure for any purpose is prohibited.

This message has been scanned by antivirus software. Nevertheless, PRAGMA S.A. accepts no liability for any damage caused by receiving and using this material; it is the recipient's responsibility to check by their own means for viruses or other defects.

The opinions, conclusions and other information in this e-mail that are not related to the official business of PRAGMA S.A. are to be understood as personal and are in no way endorsed by the Company.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Provision new domain keeping users and passwords

Samba - General mailing list
27.03.2017 22:48, Santiago Londoño Mejía via samba wrote:
> Hello,
>
> I am trying to add a new DC to my domain, but the sysadmin who installed the
> main DC left misconfigured DNS zones that I cannot remove.
>
> Is it possible to provision the domain again, using a new Samba server as the main
> DC, while keeping the users and passwords of the previous DC?
> The current main DC runs Samba 4.4.

I am also interested in this task. I have two old 4.1 DCs with errors
in the DNS zones (undeletable items) and am planning an upgrade to 4.5 or 4.6.


--
Mike Lykov, system administrator


Re: Provision new domain keeping users and passwords

Samba - General mailing list
I was able to do this by exporting and importing users (including
passwords) with the pdbedit Samba utility.

Look at this:
http://serverfault.com/questions/675938/migrate-samba-users-to-new-server
Maybe you need to change the passdb backend.


Re: Provision new domain keeping users and passwords

Samba - General mailing list
Hello,
Is this procedure for Samba as a DC?
Best regards,
Santiago.


Re: Provision new domain keeping users and passwords

Samba - General mailing list
29.03.2017 16:52, Santiago Londoño Mejía via samba wrote:
> Hello,
> Is this procedure for Samba as a DC?

I'm in doubt about it; it looks like it is for an old-style NT domain...
Maybe more skilled people can comment on it.



--
Mike Lykov, system administrator


Re: Provision new domain keeping users and passwords

Samba - General mailing list
Yes, but for a DC you should use tdbsam instead of smbpasswd in the "-e" and
"-i" parameters.

After that, I had some problems with the RIDs when creating new users, and
had to manually change the ridnextrid attribute.


On 29 Mar 2017 9:52 AM, "Santiago Londoño Mejía" <[hidden email]> wrote:

> Hello,
> Is this procedure for Samba as a DC?

Re: Provision new domain keeping users and passwords

Samba - General mailing list
On Wed, 29 Mar 2017 17:30:28 +0400
Mike Lykov via samba <[hidden email]> wrote:

> 29.03.2017 16:52, Santiago Londoño Mejía via samba wrote:
> > Hello,
> > Is this procedure for Samba as a DC?
>
> I'm in doubt about it; it looks like it is for an old-style NT domain...
> Maybe more skilled people can comment on it.
>

I don't think creating a new domain and using the users and passwords
is going to work.

There are several problems:

Windows identifies the users etc by the RID, but this is to be found at
the end of the domain SID, so if user 'fred' has the RID 1107 and you
create a new Samba AD domain and create the user 'fred' with the same
RID, this would be a different user 'fred', because the SID would be
different.

The user's password is stored in a hidden attribute which is supposed
to be unreadable, but you can read it on a Samba DC, though it is heavily
encoded. You may be able to obtain some of the users' passwords with
pdbedit, but can you get them all?

If you create a new domain, it will be just that, a new domain and you
will need to join all your machines to it.

Bearing all this in mind, it will probably be easier to obtain a list
of your users and groups, also get a list of which user
is a member of which group.
Create the new domain, add the users, give them a temporary password
and set the user to change their password at first logon. Add the
groups and reset the group membership.
Email the new password to the users and then one weekend, change over
to the new DC.

Rowland


Re: Provision new domain keeping users and passwords (mike)

Samba - General mailing list
Hai Mike,

Are you running Samba internal DNS or bind9_DLZ?

In your case, can you give an example of an "undeletable" item?
And did you check the rights on the DNS object before trying to remove it?


Greetz,

Louis





Re: Provision new domain keeping users and passwords (Santiago)

Samba - General mailing list
Hi Santiago,

Same for you?
Are you running Samba internal DNS or bind9_DLZ?

Can you explain a bit more about this?


I know the situation of having problems with zones, and I may know a way to get around it.
At least I did fix something like this about 2 years ago with Samba 4.1.x and bind9_dlz.


Greetz,

Louis




Re: Provision new domain keeping users and passwords (Santiago)

Samba - General mailing list
Hai Santiago,

You're welcome, I hope I can help you out.

Post me your bind9 configuration; you can anonymize it if needed,
but don't remove any lines from it.

And I need a snap of the log when bind is starting up.
Like this one:

Mar 29 16:42:58 dc1 named[21921]: starting BIND 9.9.5-9+deb8u10-Debian -f -u bind
Mar 29 16:42:58 dc1 named[21921]: built with '?pr.... etc. .
Mar 29 16:42:58 dc1 named[21921]: ---bla bla.....

..... and from this point is what I really want.

Mar 29 16:42:58 dc1 named[21921]: using up to 4096 sockets
Mar 29 16:42:58 dc1 named[21921]: loading configuration from '/etc/bind/named.conf'
Mar 29 16:42:58 dc1 named[21921]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Mar 29 16:42:58 dc1 named[21921]: using default UDP/IPv4 port range: [1024, 65535]
Mar 29 16:42:58 dc1 named[21921]: using default UDP/IPv6 port range: [1024, 65535]
Mar 29 16:42:58 dc1 named[21921]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 29 16:42:58 dc1 named[21921]: listening on IPv4 interface eth0, 192.168.1.1#53
Mar 29 16:42:58 dc1 named[21921]: generating session key for dynamic DNS
Mar 29 16:42:58 dc1 named[21921]: sizing zone task pool based on 5 zones
Mar 29 16:42:58 dc1 named[21921]: Loading 'AD DNS Zone' using driver dlopen
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: started for DN DC=officemain,DC=domain,DC=tld
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: starting configure
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '0.1.10.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '1.2.10.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '2.3.10.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '3.4.10.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '4.5.10.in-addr.arpa'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'officemain.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'office1.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'office2.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'office3.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'office4.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'office5.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone 'domain.tld'
Mar 29 16:42:58 dc1 named[21921]: samba_dlz: configured writeable zone '_msdcs.officemain.domain.tld'
Mar 29 16:42:58 dc1 named[21921]: set up managed keys zone for view _default, file 'managed-keys.bind'
Mar 29 16:42:58 dc1 named[21921]: command channel listening on 127.0.0.1#953
Mar 29 16:42:58 dc1 named[21921]: managed-keys-zone: loaded serial 715
Mar 29 16:42:58 dc1 named[21921]: zone 0.in-addr.arpa/IN: loaded serial 1
Mar 29 16:42:58 dc1 named[21921]: zone localhost/IN: loaded serial 2
Mar 29 16:42:58 dc1 named[21921]: zone 127.in-addr.arpa/IN: loaded serial 1
Mar 29 16:42:58 dc1 named[21921]: zone 255.in-addr.arpa/IN: loaded serial 1
Mar 29 16:42:58 dc1 named[21921]: all zones loaded
Mar 29 16:42:58 dc1 named[21921]: running

> -----Original message-----
> From: Santiago Londoño Mejía [mailto:[hidden email]]
> Sent: Wednesday 29 March 2017 16:33
> To: L.P.H. van Belle
> Subject: Re: [Samba] Provision new domain keeping users and passwords
> (Santiago)
>
> Hello,
> backend: bind9_DLZ
>
> deleting  zone WASPRUEBAS.PROTECCION.COM.CO
>
> ./samba-tool dns zonedelete neptuno waspruebas.proteccion.com.co
> ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 925, in run
>     None)
>
> Thank you very much for your response
> Best regards,
>
> Santiago.


Re: Provision new domain keeping users and passwords

Samba - General mailing list
Hi, Rowland.


2017-03-29 11:06 GMT-03:00 Rowland Penny via samba <[hidden email]>:

> On Wed, 29 Mar 2017 17:30:28 +0400
> Mike Lykov via samba <[hidden email]> wrote:
>
> > 29.03.2017 16:52, Santiago Londoño Mejía via samba пишет:
> > > Hello,
> > > Is this procedure for samba as DC?
> >
> > I'm in doubt about it, it looks like it for old-style NT Domain...
> > Maybe more skiiled people comment it.
> >
>
> I don't think creating a new domain and using the users and passwords
> is going to work.
>
> There are several problems:
>
> Windows identifies the users etc by the RID, but this is to be found at
> the end of the domain SID, so if user 'fred' has the RID 1107 and you
> create a new Samba AD domain and create the user 'fred' with the same
> RID, this would be a different user 'fred', because the SID would be
> different.
>

I created a user 'fred' in the old DC domain and exported/imported it to the
new domain (using pdbedit), and I was able to log in on a Windows
machine (member of the new domain) normally (except that the user account
has expired).

(old dc domain)# pdbedit -v fred
User SID:             S-1-5-21-*3914450021-4001743833-916707020*-45772

(new dc domain)# pdbedit -v fred
User SID:             S-1-5-21-*1365935180-2367880061-2796624718*-45772

The SID really changed. Maybe I will get into trouble in the future.


> The users password is stored in an hidden attribute which is supposed
> to be unreadable, but you can read it on a Samba DC, but it is heavily
> encoded. You may be able to obtain some of the users password with
> pdbedit, but can you get them all ?
>

Another way to accomplish this would be by exporting the user's NT hash. And I
can do this for all the users:

(old dc domain)# pdbedit -w fred
fred:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
*A87F3A337D73085C45F9416BE5787D86*:[U          ]:LCT-58DBE291:

(new dc domain)# pdbedit fred --set-nt-hash
*A87F3A337D73085C45F9416BE5787D86*

But you will need to create the user before.


> If you create a new domain, it will be just that, a new domain and you
> will need to join all your machines to it.
>
> Bearing all this in mind, it will probably be easier to obtain a list
> of your users and groups, also get a list of which user
> is a member of which group.
> Create the new domain, add the users, give them a temporary password
> and set the user to change their password at first logon. Add the
> groups and reset the group membership.
> Email the new password to the users and then one weekend, change over
> to the new DC.
>

That sounds the best way. Thanks for the clarifications!


> Rowland
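The SID change Jeanderson observed above, worked through as an added example (not code from the thread or from the Samba project): the two `User SID:` lines for 'fred' are parsed into domain SID and RID, which shows that only the RID survived the pdbedit migration and that an ACL from the old domain will not match the new account. The share ACL at the end is constructed for the illustration.

```python
"""Why a pdbedit export/import does not carry identity across domains.

Added example for this thread, not code from the Samba project. It parses
Windows security identifiers (SIDs) of the form S-1-5-21-<domain>-<RID>,
splits them into the domain SID and the relative identifier (RID), and
checks an ACL the way Windows does: by comparing the complete SID.
"""
import re
from dataclasses import dataclass

# SID text format: S-<revision>-<authority>-<subauthority>[-<subauthority>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text: str) -> "Sid":
        # The thread marks the domain part with '*' for emphasis; strip that.
        text = text.strip().replace("*", "")
        m = _SID_RE.match(text)
        if not m:
            raise ValueError(f"not a SID: {text!r}")
        subs = tuple(int(x) for x in m.group(3).split("-")[1:])
        return cls(int(m.group(1)), int(m.group(2)), subs)

    @property
    def domain_sid(self) -> "Sid":
        # The domain SID is everything except the trailing RID.
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]

    def __str__(self) -> str:
        subs = "-".join(str(s) for s in self.subauthorities)
        return f"S-{self.revision}-{self.authority}-{subs}"


def parse_pdbedit_sid(verbose_output: str) -> Sid:
    """Pull the SID out of the 'User SID:' line of `pdbedit -v <user>` output."""
    for line in verbose_output.splitlines():
        if line.startswith("User SID:"):
            return Sid.parse(line.split(":", 1)[1])
    raise ValueError("no 'User SID:' line found")


def same_principal(a: Sid, b: Sid) -> bool:
    """Windows compares the complete SID; a matching RID alone means nothing."""
    return a == b


def acl_grants(acl_sids, principal: Sid) -> bool:
    """Does an ACL (iterable of SID strings) name this principal?"""
    return any(same_principal(Sid.parse(s), principal) for s in acl_sids)


# The two 'User SID:' lines for 'fred' quoted in the thread (old and new domain).
OLD_PDBEDIT = "User SID:             S-1-5-21-*3914450021-4001743833-916707020*-45772\n"
NEW_PDBEDIT = "User SID:             S-1-5-21-*1365935180-2367880061-2796624718*-45772\n"


def compare_fred() -> dict:
    old = parse_pdbedit_sid(OLD_PDBEDIT)
    new = parse_pdbedit_sid(NEW_PDBEDIT)
    # Constructed ACL on a share in the old domain: old 'fred' plus the old
    # domain's Domain Admins group (RID 512).
    old_share_acl = [str(old), str(old.domain_sid) + "-512"]
    return {
        "same_rid": old.rid == new.rid,                              # True
        "same_domain": old.domain_sid == new.domain_sid,             # False
        "same_principal": same_principal(old, new),                  # False
        "old_acl_grants_new_fred": acl_grants(old_share_acl, new),   # False
    }


if __name__ == "__main__":
    for key, value in compare_fred().items():
        print(f"{key}: {value}")
```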

"a misconfigured DNS zone" (was: Re: Provision new domain keeping users and passwords)

Samba - General mailing list
On Mon, 2017-03-27 at 13:48 -0500, Santiago Londoño Mejía via samba
wrote:
> Hello,
>
> I am trying to add a new DC to my domain, but the sysadmin who installed the
> main DC left misconfigured DNS zones that I cannot remove.

Can you give some more details on this?  It would still seem less
disruptive to sort out whatever is wrong with DNS.

> Is it possible to provision the domain again, using a new Samba server as the main
> DC, while keeping the users and passwords of the previous DC?
> The current main DC runs Samba 4.4.

The closest we have is the 'upgradeprovision' tool, which tried to do
that:  create a new domain with most of the changed objects of an old
domain.  However it never made it to production quality, and isn't
something we emphasize.

The challenge is that you really want to keep much more than the users
and passwords, you really also want to keep SIDs and preferably also
GUIDs.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Re: Provision new domain keeping users and passwords

Samba - General mailing list
On Wed, 2017-03-29 at 10:50 -0300, Jeanderson Soares via samba wrote:
> Yes, but for a DC you should use tdbsam instead of smbpasswd in the
> "-e" and "-i" parameters.
>
> After that, I had some problems with the RIDs when creating new
> users, and had to manually change the ridnextrid attribute.

Indeed, this is the biggest risk I would see with this approach.

The latest Samba 4.5 has some more protections against this:  If you
run dbcheck after this 'migration' it will try and correctly reset the
ridnextrid values.

You will also lose the AES kerberos keys.

Andrew Bartlett


Re: "a misconfigured DNS zone" (was: Re: Provision new domain keeping users and passwords)

Samba - General mailing list
Hello,
named log:
Mar 29 10:31:00 neptuno named[32096]: sizing zone task pool based on 6 zones
Mar 29 10:31:00 neptuno named[32096]: Loading 'AD DNS Zone' using driver dlopen
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: started for DN DC=pragma,DC=com,DC=co
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: starting configure
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: configured writeable zone 'waspruebas.proteccion.com.co'
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: configured writeable zone 'segdllo02.suranet.com'
Mar 29 10:31:00 neptuno named[32096]: zone dbmed04.pragma.com.co/NONE: has no NS records
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: Failed to configure zone 'dbmed04.pragma.com.co'
Mar 29 10:31:00 neptuno named[32096]: loading configuration: bad zone
Mar 29 10:31:00 neptuno named[32096]: exiting (due to fatal error)

When I try to delete the zone I get the following error:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 925, in run
    None)

Thank you very much for your reply.

Best regards,

Santiago.
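As an added example (not code from the thread, Samba or BIND), a small checker for the kind of startup log Louis asked for: it reads the bind9_DLZ lines above, lists the AD zones samba_dlz configured, pairs each "Failed to configure zone" with the zone error logged just before it, and flags that named exited, so the broken zone is named before anyone reaches for a re-provision. The sample lines are copied from Santiago's log.

```python
"""Summarise a named (bind9_DLZ) startup log: which AD zones loaded, which failed.

Added example for this thread, not code from Samba or BIND. It parses the
syslog lines that named and samba_dlz emit during startup and pairs each
'Failed to configure zone' message with the 'zone X/CLASS: ...' message
logged just before it (here 'has no NS records').
"""
import re
from dataclasses import dataclass, field

# syslog prefix: "Mar 29 10:31:00 neptuno named[32096]: <message>"
_SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+named\[\d+\]:\s+(?P<msg>.*)$")
_CONFIGURED_RE = re.compile(r"samba_dlz: configured writeable zone '(?P<zone>[^']+)'")
_FAILED_RE = re.compile(r"samba_dlz: Failed to configure zone '(?P<zone>[^']+)'")
_ZONE_MSG_RE = re.compile(r"^zone (?P<zone>[^/]+)/(?P<cls>\S+): (?P<text>.+)$")


@dataclass
class DlzStartup:
    dn: str = ""                                    # base DN samba_dlz started for
    configured: list = field(default_factory=list)  # zones samba_dlz accepted
    failed: dict = field(default_factory=dict)      # zone -> reason
    fatal: bool = False                             # named exited on startup


def parse_named_log(text: str) -> DlzStartup:
    result = DlzStartup()
    last_zone_msg = {}  # zone -> most recent 'zone X/CLASS: ...' text
    for raw in text.splitlines():
        m = _SYSLOG_RE.match(raw.strip())
        if not m:
            continue  # not a named line (or a wrapped fragment)
        msg = m.group("msg")
        prefix = "samba_dlz: started for DN "
        if msg.startswith(prefix):
            result.dn = msg[len(prefix):]
            continue
        c = _CONFIGURED_RE.search(msg)
        if c:
            result.configured.append(c.group("zone"))
            continue
        z = _ZONE_MSG_RE.match(msg)
        if z:
            last_zone_msg[z.group("zone")] = z.group("text")
            continue
        f = _FAILED_RE.search(msg)
        if f:
            zone = f.group("zone")
            result.failed[zone] = last_zone_msg.get(zone, "unknown reason")
            continue
        if msg.startswith("exiting (due to fatal error)"):
            result.fatal = True
    return result


def report(startup: DlzStartup) -> str:
    lines = [f"samba_dlz base DN: {startup.dn or '?'}",
             f"configured zones: {len(startup.configured)}"]
    for zone, reason in startup.failed.items():
        lines.append(f"BROKEN zone {zone}: {reason}")
    if startup.fatal:
        lines.append("named exited during startup; DNS on this DC is down")
    return "\n".join(lines)


# Lines copied from the startup log posted in the thread.
SAMPLE_LOG = """\
Mar 29 10:31:00 neptuno named[32096]: sizing zone task pool based on 6 zones
Mar 29 10:31:00 neptuno named[32096]: Loading 'AD DNS Zone' using driver dlopen
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: started for DN DC=pragma,DC=com,DC=co
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: starting configure
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: configured writeable zone 'waspruebas.proteccion.com.co'
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: configured writeable zone 'segdllo02.suranet.com'
Mar 29 10:31:00 neptuno named[32096]: zone dbmed04.pragma.com.co/NONE: has no NS records
Mar 29 10:31:00 neptuno named[32096]: samba_dlz: Failed to configure zone 'dbmed04.pragma.com.co'
Mar 29 10:31:00 neptuno named[32096]: loading configuration: bad zone
Mar 29 10:31:00 neptuno named[32096]: exiting (due to fatal error)
"""

if __name__ == "__main__":
    print(report(parse_named_log(SAMPLE_LOG)))
```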


2017-03-29 13:42 GMT-05:00, Andrew Bartlett via samba <[hidden email]>:

> On Mon, 2017-03-27 at 13:48 -0500, Santiago Londoño Mejía via samba
> wrote:
>> Hello,
>>
>> I try to add a new dc to my domain, but the sysadmin installed the
>> main dc left misconfigured dns zones that I can not remove.
>
> Can you give some more details on this?  It would still seem less
> disruptive to sort out whatever is wrong with DNS.
>
>> ¿Is it possible to provision the domain again using new samba as main
>> dc Keeping users and passwords Of the previous dc?
>> The current main dc runs samba 4.4.
>
> The closest we have is the 'upgradeprovision' tool, which tried to do
> that:  create a new domain with most of the changed objects of an old
> domain.  However it never made it to production quality, and isn't
> something we emphsize.
>
> The challenge is that you really want to keep much more than the users
> and passwords, you really also want to keep SIDs and preferably also
> GUIDs.
>
> Andrew Bartlett
>
>> Best regards,
>>
>> Santiago.


--
Santiago Londoño Mejía
Infrastructure Analyst
t. (574) 605 25 23 ext. 1232
m. (57) 3148332567
Medellín | Carrera 50  C #10 Sur  80
Bogotá | Medellín | Cali
www.pragma.com.co

--


This message is confidential. It may contain privileged information belonging to PRAGMA S.A. and/or its clients, contractors, directors, employees and advisers, and therefore must not be used or disclosed by anyone other than its addressee. If you receive this message by error, mistake or omission, please delete it and notify the sender.

Its retention, recording, use or disclosure for any purpose is prohibited.

This message has been scanned by antivirus software. Nevertheless, PRAGMA S.A. assumes no responsibility for any damage caused by the receipt and use of this material; it is the recipient's responsibility to verify by their own means whether viruses or other defects are present.

Opinions, conclusions and other information contained in this e-mail that are not related to the official business of PRAGMA S.A. are to be understood as personal and are in no way endorsed by the Company.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Provision new domain keeping users and passwords

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> The user's password is stored in a hidden attribute which is supposed
> to be unreadable, but you can read it on a Samba DC, but it is
> heavily encoded. You may be able to obtain some of the users' passwords
> with pdbedit, but can you get them all?

To be clear, by design pdbedit can obtain all the unicodePwd values
(the NT hash) for users in the domain.  For clarity this is the same
underlying value as the sambaNTPassword in traditional 'Samba3' domains
using LDAP.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Provision new domain keeping users and passwords

Samba - General mailing list
On Thu, 30 Mar 2017 08:18:30 +1300
Andrew Bartlett <[hidden email]> wrote:

> On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> > The user's password is stored in a hidden attribute which is
> > supposed to be unreadable, but you can read it on a Samba DC, but
> > it is heavily encoded. You may be able to obtain some of the users'
> > passwords with pdbedit, but can you get them all?
>
> To be clear, by design pdbedit can obtain all the unicodePwd values
> (the NT hash) for users in the domain.  For clarity this is the same
> underlying value as the sambaNTPassword in traditional 'Samba3'
> domains using LDAP.
>
> Andrew Bartlett
>

Yes, but will all the AD users be in the pdbedit database?

Rowland



Re: Provision new domain keeping users and passwords

Samba - General mailing list
2017-03-29 16:42 GMT-03:00 Rowland Penny via samba <[hidden email]>:

> On Thu, 30 Mar 2017 08:18:30 +1300
> Andrew Bartlett <[hidden email]> wrote:
>
> > On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> > > The user's password is stored in a hidden attribute which is
> > > supposed to be unreadable, but you can read it on a Samba DC, but
> > > it is heavily encoded. You may be able to obtain some of the users'
> > > passwords with pdbedit, but can you get them all?
> >
> > To be clear, by design pdbedit can obtain all the unicodePwd values
> > (the NT hash) for users in the domain.  For clarity this is the same
> > underlying value as the sambaNTPassword in traditional 'Samba3'
> > domains using LDAP.
> >
> > Andrew Bartlett
> >
>
> Yes, but will all the AD users be in the pdbedit database?
>

# pdbedit -L | wc -l
48064
# samba-tool user list | wc -l
48033

It's giving me more!


> Rowland
>
>

Re: Provision new domain keeping users and passwords

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Wed, 2017-03-29 at 20:42 +0100, Rowland Penny wrote:

> On Thu, 30 Mar 2017 08:18:30 +1300
> Andrew Bartlett <[hidden email]> wrote:
>
> > On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> > > The user's password is stored in a hidden attribute which is
> > > supposed to be unreadable, but you can read it on a Samba DC, but
> > > it is heavily encoded. You may be able to obtain some of the users'
> > > passwords with pdbedit, but can you get them all?
> >
> > To be clear, by design pdbedit can obtain all the unicodePwd values
> > (the NT hash) for users in the domain.  For clarity this is the same
> > underlying value as the sambaNTPassword in traditional 'Samba3'
> > domains using LDAP.
> >
> > Andrew Bartlett
> >
>
> Yes, but will all the AD users be in the pdbedit database?

Yes, pdbedit on an AD DC is a full view of the sam.ldb database.

Andrew Bartlett


Re: Provision new domain keeping users and passwords

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Wed, 2017-03-29 at 18:18 -0300, Jeanderson Soares wrote:

>
>
> 2017-03-29 16:42 GMT-03:00 Rowland Penny via samba <[hidden email]>:
> > On Thu, 30 Mar 2017 08:18:30 +1300
> > Andrew Bartlett <[hidden email]> wrote:
> >
> > > On Wed, 2017-03-29 at 15:06 +0100, Rowland Penny via samba wrote:
> > > > The user's password is stored in a hidden attribute which is
> > > > supposed to be unreadable, but you can read it on a Samba DC, but
> > > > it is heavily encoded. You may be able to obtain some of the users'
> > > > passwords with pdbedit, but can you get them all?
> > >
> > > To be clear, by design pdbedit can obtain all the unicodePwd values
> > > (the NT hash) for users in the domain.  For clarity this is the same
> > > underlying value as the sambaNTPassword in traditional 'Samba3'
> > > domains using LDAP.
> > >
> > > Andrew Bartlett
> > >
> >
> > Yes, but will all the AD users be in the pdbedit database?
> >
>
> # pdbedit -L | wc -l
> 48064
> # samba-tool user list | wc -l
> 48033
>
> It's giving me more!

samba-tool user list omits machine and trust accounts, pdbedit shows
the whole set of accounts.

Thanks,

Andrew Bartlett



Re: Provision new domain keeping users and passwords

Samba - General mailing list
In reply to this post by Samba - General mailing list
29.03.2017 21:31, Jeanderson Soares via samba wrote:

> I created a user 'fred' in the old DC domain and exported/imported it to the
> new domain (using pdbedit), and I was able to log in on a Windows
> machine (member of the new domain) normally (except that the user account
> has expired).
>
> (old dc domain)# pdbedit -v fred
> User SID:             S-1-5-21-*3914450021-4001743833-916707020*-45772
>
> (new dc domain)# pdbedit -v fred
> User SID:             S-1-5-21-*1365935180-2367880061-2796624718*-45772
>
> The SID really changed. Maybe I can get into trouble in the future.


>> If you create a new domain, it will be just that, a new domain and you
>> will need to join all your machines to it.

If you can transfer a user with a password to the new domain as described
above, is this method applicable to machine accounts?

What can I do (if I want) to export/import machine accounts to the new domain?

For example, I have a machine joined to the live domain DOM1, with DNS
server DOM1.dc.com

I change DNS to DOM2.dc.com, then import/export the machine account to DOM2
(reboot the machine if needed). Is this machine then "joined" to the new
domain already?

By the way, if I accidentally delete the machine account from the domain, can
I restore it (in Samba 4.5), or only rejoin it?


--
Mike Lykov, system administrator

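The SID change Jeanderson quotes above is worth checking systematically, so here is an added worked example (not code from the thread or from the Samba project) that parses the `User SID:` line of `pdbedit -v` output on both DCs and reports whether an exported account is still the same security principal. The two SID values are the ones quoted in the thread with the emphasis asterisks removed; the surrounding `pdbedit -v` lines and the account dictionaries are constructed, and the helper names (`parse_sid`, `compare_account`, `audit_migration`) are this example's own.

```python
"""Check whether accounts migrated between Samba domains kept their SIDs.

An AD account SID has the form S-1-5-21-<d1>-<d2>-<d3>-<RID>: everything up
to <d3> is the domain SID, the trailing RID identifies the account inside
that domain.  Exporting a user with pdbedit and importing it into a freshly
provisioned domain preserves the RID but not the domain part, so the account
is a different security principal and any ACL, group membership or profile
that refers to the old SID no longer matches it.
"""
import re

# Domain account SIDs only; well-known SIDs (S-1-5-32-544 etc.) are rejected.
_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

# Constructed sample of `pdbedit -v fred` output on the old and the new DC.
# The User SID values are the ones quoted in the thread; the other lines are
# just enough context to make the parsing realistic.
OLD_DC_OUTPUT = """\
Unix username:        fred
NT username:          fred
Account Flags:        [U          ]
User SID:             S-1-5-21-3914450021-4001743833-916707020-45772
Primary Group SID:    S-1-5-21-3914450021-4001743833-916707020-513
"""

NEW_DC_OUTPUT = """\
Unix username:        fred
NT username:          fred
Account Flags:        [U          ]
User SID:             S-1-5-21-1365935180-2367880061-2796624718-45772
Primary Group SID:    S-1-5-21-1365935180-2367880061-2796624718-513
"""


def parse_sid(sid: str) -> tuple[str, int]:
    """Split a domain account SID into (domain SID, RID).

    Raises ValueError for anything that is not an S-1-5-21-... SID, so a
    truncated or mangled line is reported instead of silently "matching".
    """
    m = _SID_RE.match(sid.strip())
    if m is None:
        raise ValueError(f"not a domain account SID: {sid!r}")
    d1, d2, d3, rid = m.groups()
    return f"S-1-5-21-{d1}-{d2}-{d3}", int(rid)


def user_sid_from_pdbedit(output: str) -> str:
    """Return the value of the 'User SID:' line from `pdbedit -v` output."""
    for line in output.splitlines():
        if line.startswith("User SID:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'User SID:' line in pdbedit output")


def compare_account(old_output: str, new_output: str) -> dict:
    """Compare one account's SID as seen on the old and the new DC."""
    old_domain, old_rid = parse_sid(user_sid_from_pdbedit(old_output))
    new_domain, new_rid = parse_sid(user_sid_from_pdbedit(new_output))
    return {
        "old_domain_sid": old_domain,
        "new_domain_sid": new_domain,
        "rid_kept": old_rid == new_rid,
        "domain_changed": old_domain != new_domain,
        # Only an unchanged domain SID *and* RID is the same security principal.
        "same_principal": old_domain == new_domain and old_rid == new_rid,
    }


def audit_migration(old: dict[str, str], new: dict[str, str]) -> list[str]:
    """Names of accounts whose SID changed or that are missing on the new DC.

    `old` and `new` map an account name to its `pdbedit -v` output on each DC.
    """
    problems = []
    for name, old_output in sorted(old.items()):
        if name not in new:
            problems.append(f"{name}: missing on new DC")
            continue
        result = compare_account(old_output, new[name])
        if not result["same_principal"]:
            problems.append(
                f"{name}: domain SID {result['old_domain_sid']} -> "
                f"{result['new_domain_sid']}, RID kept={result['rid_kept']}"
            )
    return problems


if __name__ == "__main__":
    for line in audit_migration({"fred": OLD_DC_OUTPUT}, {"fred": NEW_DC_OUTPUT}):
        print(line)
```

For the thread's values the audit reports fred with the RID 45772 kept and the domain SID changed, which is exactly the case Andrew describes: users and passwords survive the export, but the identity every existing ACL was written against does not.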