On Sat, 2003-12-20 at 05:53, Kevin Fries wrote:
> I have a Samba 2.2.7 PDC, and I am now trying to set up a new 3.0.1
> server. I want this machine to act as a BDC initially and replicate all
> the accounts over.
Unfortunately, this is not a supported configuration for live clients. If, while the 'BDC' is operational, a machine changes its machine
account password, then it is possible for it to be changed on the BDC,
but not the PDC.
This is actually GOOD news. The goal was to rebuild my PDC. So I set up a second machine with the newest version of Samba (I was going to upgrade anyway) and configured it as a BDC. Now that it is actually working, I will shut off the PDC and promote the BDC. So, if changes are made in the BDC that are not on the PDC, no problem.
> When I followed the howto it said to use smbpasswd -S to
> transfer the machine SID and then to replicate the smbpasswd file to the
> new server. This has caused two major problems:
> 1) the smbpasswd command does not support the -S option
In 3.0? That is because that option moved to 'net' as 'net getlocalsid' and 'net setlocalsid' (I think, read the BDC doco in the HOWTO).
Yeah, I eventually found it. But this feature has changed so many times that every HOW-TO seems to have a different process. It took a week after my original message to find a process that worked. For the record, I used getlocalsid on the old PDC to print it out. Then, in a separate terminal window, I issued a net setlocalsid on the new 3.0 BDC, used copy and paste between the windows, and all seems as it should.
> 2) My user accounts transfered to the new machine, but not the machine
> trust accounts.
OK, found this one. I forgot to move the posix accounts over to the new
machines and Samba silently ignored the accounts. pdbedit on the other
hand screamed bloody murder. Added PosixAccount to my machine entries in
the new LDAP server, and Samba 3 found them thanks to nss_ldap.
However, I still do not have a MACHINE.SID file because the smbpasswd command does not work as advertised. Is it OK to just copy that file from the old machine?
If you don't have a secrets.tdb, then we will read that file on startup.
Andrew Bartlett
--
Andrew Bartlett
Manager, Authentication Subsystems, Samba Team
Student Network Administrator, Hawker College
http://samba.org http://build.samba.org http://hawkerc.net
One additional thing I noticed in transferring my accounts I thought I would mention. It's annoying, but easy to fix.
My goal is to rebuild my PDC as I mentioned earlier. I stated in another thread my plan was to create a 3.0.1 BDC; transfer the accounts; transfer the shares; then, move the user and system accounts into LDAP. Once the PDC is rebuilt and I need to transfer control back, it should be simple to move the LDAP first, point the new Samba to the new primary LDAP, and demote the temporary PDC back down to BDC.
When I transferred the accounts from smbpasswd to LDAP, the transition tools did a really stupid thing. I have my accounts in LDAP under common name, not username. So an LDIF entry starts like:
dn: cn=Joe user,dc=hcico,dc=com
cn: Joe User
sn: User
givenName: Joe
uid: juser
<etc>
When Samba transferred the accounts to LDAP, it created a second entry in the address book like so:
dn: uid=juser,dc=hcico,dc=com
cn: Joe User
sn: User
givenName: Joe
uid: juser
In the translation, the script needs to look to see if the record already exists. This should be fairly simple if you set the filter to "uid=%L" to see if any entry already claims that login.
I manually went in and combined the two entries into one. Not a difficult task, but quite high on the annoyance scale.
Just an FYI
Kevin Fries
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
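The merge Kevin describes doing by hand, and the missing-posixAccount problem from earlier in the thread, as an added example. This is not code from the thread or from Samba's migration tools: it reads two LDIF files, matches each migration-emitted uid=... entry against the directory on uid (the "is this login already claimed" check proposed above), folds the sambaSamAccount attributes into the existing cn=... entry rather than creating a duplicate, and reports machine trust accounts (uid ending in '$') that still lack posixAccount, which is what made Samba 3 skip them via nss_ldap. The LDIF below is constructed sample data; the Samba attribute names are the real schema names, but the entries carry only a subset of what a real migration emits.

```python
"""Fold Samba-migrated LDIF entries into the existing LDAP entries by uid.

Added example for this thread, not code from the original messages or from
Samba's migration tools. When the migration emits dn: uid=juser,... for a
login that already exists as dn: cn=Joe User,..., merge the new attributes
into the existing entry instead of creating a duplicate, matching on uid.
Also flag machine trust accounts (uid ending in '$') without posixAccount.
All LDIF here is constructed sample data; the NT hash is a placeholder.
"""
import copy

# Constructed: the directory before the migration ran.
EXISTING_LDIF = """\
dn: cn=Joe User,dc=hcico,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Joe User
uid: juser
uidNumber: 1001

dn: cn=ws01$,dc=hcico,dc=com
objectClass: account
cn: ws01$
uid: ws01$
"""

# Constructed: what the migration emitted (dn keyed on uid, not cn).
INCOMING_LDIF = """\
dn: uid=juser,dc=hcico,dc=com
objectClass: sambaSamAccount
cn: Joe User
uid: juser
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaNTPassword: 00000000000000000000000000000000

dn: uid=ws01$,dc=hcico,dc=com
objectClass: sambaSamAccount
cn: ws01$
uid: ws01$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3004

dn: uid=newbie,dc=hcico,dc=com
objectClass: sambaSamAccount
cn: New Person
uid: newbie
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3006
"""


def parse_ldif(text):
    """Parse plain LDIF into a list of dict(attr -> [values]); the dn is
    stored under 'dn'. Folded lines are unfolded; base64 ('::') values and
    attribute-name case folding are not handled (not needed for this data)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current = current if current is not None else {}
            current.setdefault(name.strip(), []).append(value.strip())
    return entries


def merge_by_uid(existing, incoming):
    """Merge incoming entries into existing ones that share a uid.
    Returns (entries, added_dns, merged_pairs): the combined list, dns of
    incoming entries with no match (kept as new), and (incoming_dn, target_dn)
    for those folded into an existing entry. Inputs are left unmodified."""
    entries = copy.deepcopy(existing)
    by_uid = {u: e for e in entries for u in e.get("uid", [])}
    added, merged = [], []
    for inc in copy.deepcopy(incoming):
        uid = inc.get("uid", [None])[0]
        target = by_uid.get(uid)
        if target is None:                # no entry claims this login yet
            entries.append(inc)
            by_uid[uid] = inc
            added.append(inc["dn"][0])
            continue
        for name, values in inc.items():
            if name != "dn":              # keep the existing cn=... dn
                bucket = target.setdefault(name, [])
                bucket.extend(v for v in values if v not in bucket)
        merged.append((inc["dn"][0], target["dn"][0]))
    return entries, added, merged


def machine_accounts_missing_posix(entries):
    """Machine trust accounts (uid ending in '$') with no posixAccount class;
    Samba 3 finds machine accounts through nss_ldap, so these stay invisible."""
    return [e["dn"][0] for e in entries
            if e.get("uid", [""])[0].endswith("$")
            and "posixAccount" not in e.get("objectClass", [])]


if __name__ == "__main__":
    merged, added, pairs = merge_by_uid(parse_ldif(EXISTING_LDIF),
                                        parse_ldif(INCOMING_LDIF))
    for src, dst in pairs:
        print(f"folded {src} into {dst}")
    for dn in added:
        print(f"new entry: {dn}")
    for dn in machine_accounts_missing_posix(merged):
        print(f"WARNING: {dn} lacks posixAccount; Samba will ignore it")
```

Run against a real export, the warning list is the set of machine entries to fix before starting the new server; the merged entries can be re-emitted as LDIF (one "attr: value" line per value, blank line between entries) and loaded with ldapmodify. Attribute names are compared case-sensitively here, so normalise the export first if it mixes cases.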
