
Samba4 objectSid, and Samba 3 migration.


Samba4 objectSid, and Samba 3 migration.

William E Jojo


Hello all,

I'm preparing several patches for myldap-pub.py.

In particular, I'm working on the sambaSID_to_objectSid function which doesn't seem to encode the SID properly - it remains a string, but the provisioned administrator user is definitely base64 encoded binary.

I looked at the http://freeipa.org/page/Samba_4_SID_Allocation_using_DNA_Plugin
stuff, but the identifier authority is greater than 6 bytes and the subauthorities look greater than 4 since the binary SID value is 48 bytes, if I did my base64 decoding properly.

My questions are:

1) What is the identifier authority size?
2) What is the subauthority size?
3) Is this stored in little endian?
4) Is there C/Python code that could lead me in the right direction?


Finally, if the objectSid is encoded properly and the unicodePwd is stored as the base64 NT hash, there only seems to be an issue with the Kerberos pre-init when using users from Samba3 imported into Samba4 using something like:

ldbadd -H ldap://localhost -x --nosync --verbose --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 ~/test.ldif

Or should the above be modified?

It seems to me that there may be an issue on adding users (as above) with ldbadd (because I could NOT log in to Windows 7) since the following are missing:

nTSecurityDescriptor
supplementalCredentials
replPropertyMetaData


However, when I tried creating a user from Windows 7, joined to Samba4 using the Active Directory Users and Computers, I then did an ldbmodify with the unicodePwd from myldap-pub.py and IT WORKED! I could log in to Windows 7! But my RID was not the one from Samba3. Our domain SID was perfect from the provision script.

I feel I am very close to being able to create the users in Samba4 that I have in Samba3 either by importing the LDIF from myldap-pub.py with some modifications or, at the very least, create the users in Samba 4 and then run ldbmodifies to change the base64 encoded password and SID.

Then I would have my user SAM migrated enough to survive not having to change permissions and ownership on MILLIONS of files spread across several NetApp devices and a Samba3 server.


What do you think? What pieces am I missing or not understanding?


Cheers,
Bill
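The wire layout Bill is asking about is fixed by the SID format itself: one revision byte, one sub-authority count byte, a 6-byte identifier authority stored big-endian, then each sub-authority as a 4-byte little-endian integer. A domain SID plus RID (five sub-authorities) is therefore 28 bytes, and a 48-byte value would have to hold ten sub-authorities. The following Python is an added example, not code from myldap-pub.py or from Samba; it converts between the "S-1-5-..." string form and the binary objectSid value, and wraps the base64 form that appears in LDIF. The sample SIDs in it are constructed for illustration (the BUILTIN\Administrators SID S-1-5-32-544 is a well-known one whose encoding is easy to check by hand).

```python
import base64
import struct

MAX_SUB_AUTHORITIES = 15  # limit imposed by the SID format


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-<rev>-<authority>-<sub>...' into the binary SID layout:
    revision(1) | count(1) | authority(6, big-endian) | sub-auths(4 each, little-endian)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 0xFF:
        raise ValueError("revision out of range")
    if not 0 <= authority < (1 << 48):
        raise ValueError("identifier authority must fit in 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    for s in subs:
        if not 0 <= s < (1 << 32):
            raise ValueError("sub-authority must fit in 32 bits")
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out


def bytes_to_sid(data: bytes) -> str:
    """Decode the binary layout back into the string form; rejects truncated
    or over-long values so a wrong base64 decode is caught rather than misread."""
    if len(data) < 8:
        raise ValueError("binary SID shorter than its fixed header")
    revision, count = data[0], data[1]
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError("sub-authority count %d exceeds the format limit" % count)
    if len(data) != 8 + 4 * count:
        raise ValueError("length %d does not match %d sub-authorities" % (len(data), count))
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:]) if count else ()
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def objectsid_ldif_value(sid: str) -> str:
    """The base64 text that follows 'objectSid:: ' in an LDIF record."""
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")


def sid_from_ldif_value(b64: str) -> str:
    """Inverse of objectsid_ldif_value; raises if the decoded bytes are not a SID."""
    return bytes_to_sid(base64.b64decode(b64))


if __name__ == "__main__":
    # Constructed sample: a domain SID with one RID appended, as a Samba3 sambaSID would look.
    sample = "S-1-5-21-3623811015-3361044348-30300820-1013"
    raw = sid_to_bytes(sample)
    print(sample, "->", raw.hex(), "(%d bytes)" % len(raw))
    print("objectSid::", objectsid_ldif_value(sample))
    print("round trip:", sid_from_ldif_value(objectsid_ldif_value(sample)))
```

Samba's own Python bindings produce the same bytes (samba.dcerpc.security.dom_sid packed with samba.ndr.ndr_pack), so the hand-rolled encoder above is mainly useful for checking what a migration script or a base64 value from an LDIF actually contains: if a decoded value is not 8 + 4*count bytes long, what was decoded was not a bare SID.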

Re: Samba4 objectSid, and Samba 3 migration.

Stefan (metze) Metzmacher
Hi Bill,

> I'm preparing several patches for myldap-pub.py.
>
> In particular, I'm working on the sambaSID_to_objectSid function which doesn't seem to encode the SID properly - it remains a string, but the provisioned administrator user is definitely base64 encoded binary.
>
> I looked at the http://freeipa.org/page/Samba_4_SID_Allocation_using_DNA_Plugin
> stuff, but the identifier authority is greater than 6 bytes and the subauthorities look greater than 4 since the binary SID value is 48 bytes, if I did my base64 decoding properly.
>
> My questions are:
>
> 1) What is the identifier authority size?
> 2) What is the subauthority size?
> 3) Is this stored in little endian?
> 4) Is there C/Python code that could lead me in the right direction?
>
The ldbadd does this for you.

> Finally, if the objectSid is encoded properly and the unicodePwd is stored as the base64 NT hash, there only seems to be an issue with the Kerberos pre-init when using users from Samba3 imported into Samba4 using something like:
>
> ldbadd -H ldap://localhost -x --nosync --verbose --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 ~/test.ldif
>
> Or should the above be modified?
>
> It seems to me that there may be an issue on adding users (as above) with ldbadd (because I could NOT login to Windows 7) since the following are missing:
>
> nTSecurityDescriptor

are you really sure this is missing in the resulting db?

> supplementalCredentials

That's not created as we don't have the plaintext password to
generate the kerberos and digest hashes.

> replPropertyMetaData

are you really sure this is missing in the resulting db?

> However, when I tried creating a user from Windows 7, joined to Samba4 using the Active Directory Users and Computers, I then did a ldbmodify with the unicodePwd from myldap-pub.py and IT WORKED! I could login to Windows 7! But my RID was not the one from Samba3. Our domain SID was perfect from the provision script.

Could it be that the password is just expired in the ldif you're using?

It should work without such hacks.

metze



Re: Samba4 objectSid, and Samba 3 migration.

William E Jojo


Sent from my iPad

On Jun 4, 2011, at 5:59, "Stefan (metze) Metzmacher" <[hidden email]> wrote:

> Hi Bill,
>
>> I'm preparing several patches for myldap-pub.py.
>>
>> In particular, I'm working on the sambaSID_to_objectSid function which doesn't seem to encode the SID properly - it remains a string, but the provisioned administrator user is definitely base64 encoded binary.
>>
>> I looked at the http://freeipa.org/page/Samba_4_SID_Allocation_using_DNA_Plugin
>> stuff, but the identifier authority is greater than 6 bytes and the subauthorities look greater than 4 since the binary SID value is 48 bytes, if I did my base64 decoding properly.
>>
>> My questions are:
>>
>> 1) What is the identifier authority size?
>> 2) What is the subauthority size?
>> 3) Is this stored in little endian?
>> 4) Is there C/Python code that could lead me in the right direction?
>>
>
> The ldbadd does this for you.
>
>> Finally, if the objectSid is encoded properly and the unicodePwd is stored as the base64 NT hash, there only seems to be an issue with the Kerberos pre-init when using users from Samba3 imported into Samba4 using something like:
>>
>> ldbadd -H ldap://localhost -x --nosync --verbose --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 ~/test.ldif
>>
>> Or should the above be modified?
>>
>> It seems to me that there may be an issue on adding users (as above) with ldbadd (because I could NOT login to Windows 7) since the following are missing:
>>
>> nTSecurityDescriptor
>
> are you really sure this is missing in the resulting db?

Is the ldbadd above correct?

>
>> supplementalCredentials
>
> That's not created as we don't have the plaintext password to
> generate the kerberos and digest hashes.
>
>> replPropertyMetaData
>
> are you really sure this is missing in the resulting db?
>
>> However, when I tried creating a user from Windows 7, joined to Samba4 using the Active Directory Users and Computers, I then did a ldbmodify with the unicodePwd from myldap-pub.py and IT WORKED! I could login to Windows 7! But my RID was not the one from Samba3. Our domain SID was perfect from the provision script.
>
> Could it be that the password is just expired in the ldif you're using?

Shouldn't be since it's from my live site.


>
> It should work without such hacks.

I will go back and try again and report back my success/failure.

>
> metze
>