Am 18.10.2011 17:58 schrieb ITSEF Admin:
Hi all,
I need some help with the following problem:
I need to migrate a bunch of user accounts to another domain on a Windows 2003
server (eventually to 2008R2, but that step seemed to big to do in one go).
To keep all access rights etc. correct, I need to get the SID history set
correctly as well.
> From what I've researched so far, I'm aware of
http://lists.samba.org/archive/samba/2005-April/103743.html
and
http://lists.samba.org/archive/samba/2005-June/107028.html
which basically state that this migration should be possible using ADMT. As
far as I know, I have all prerequisites in places as listed in those
postings, however, I still cannot get ADMT to run. It does find the Samba
server and recognises it as domain controller for OLDDOMAIN, but when I ask
it to migrate SID history as well, I get a rather cryptic error "Could not
verify auditing and TcpipClientSupport on domains. Will not be able to
migrate Sid's. The system cannot find the file specified." Unfortunately,
Aunt Google does not have much on that one... Neither tshark nor Process
Monitor nor the Samba logs provided any additional clues (that I would
recognise), so this was a dead end for the time being.
After having checked and re-checked domain trusts, administrator accounts
(with equal passwords), SID filters being off, ... on both machines, I then
tried a different approach: The "sidhist.vbs" script from the 2003 support
tools, which in theory should be able to accomplish the same. However, when I
try to run this script, I also get an error: "Error 0x800706BA, Unable to
read the configuration information of the computer "SAMBA_DC". The error was:
The RPC server is unavailable." I've done a lot of searching on this one as
well, I even went as far as running tshark on the connection to see whether
that would yield any clues - but came up empty yet again.
Unfortunately, I'm now at the end of my - limited - knowledge of both Samba
and Windows and would therefore like to ask whether anyone on this list may
be able to hit me with the appropriate clue stick and/or point me in the
direction of the proper TFM. Any tips for solving or even just debugging this
are most welcome.
Thanks in advance,
Thomas
Hi Thomas!
We did a complete migration from Samba 3.5.9 to Windows2008R2 - but we did
not find any windows tool that was helpful to migrate the password and
the sid history.
So we installed a AD domain with a Win2008R2 Server and joined a Samba 4
pre 17.
Then we migrated all (6000!) accounts with the windows based active
directory migration tool
version 2 (all higher ones are not working) and run a script that
converted the hash from
password in the form that Samba 4 stores it and feed that together with
the sid history
into the Samba 4 database directly (with ldbedit tools).
Samba synced that with the win2008R2 Server and that was almost working....
"Almost" meens, that a windows 7 client can only authenticate (the user
of course) if
its request hits a samba server and if the "password never expire" flag
is set.
If a user sets its password on the new AD domain then it was working
with a win2008R2 server too.
WinXP does not show this behaviour.
We force the users to change there passwords quickly so we could shut
down the
Sambas a few days after the migration.
The Sid history was working without any problems, from the beginning.
That is/was our working way
regars
Martin
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
