On Sat, 2003-12-27 at 07:10, Information Technology wrote:
> Andrew Bartlett writes:
> 
> > On Sat, 2003-12-20 at 05:53, Kevin Fries wrote:
> >> Kevin Fries wrote:
> >> 
> >> > I have a Samba 2.2.7 PDC, and I am now trying to set up a new 3.0.1
> >> > server. I want this machine to act as a BDC initially and replicate all
> >> > the accounts over.
> > 
> > Unfortunately, this is not a supported configuration for live clients.
> > If, while the 'BDC' is operational, a machine changes its machine
> > account password, then it is possible for it to be changed on the BDC,
> > but not the PDC.
> 
> This is actually GOOD news. The goal was to rebuild my PDC. So I set up a
> second machine with the newest version of Samba (I was going to upgrade
> anyway) and configured it as a BDC. Now that it is actually working, I will
> shut off the PDC and promote the BDC. So, if changes are made in the BDC
> that are not on the BDC, no problem.
As long as no other changes were made to the PDC. Basically, unless you
have a properly replicating LDAP setup, you can only have one Samba DC
live at any one time.

> >> > When I followed the howto it said to use smbpasswd -S to
> >> > transfer the machine SID and then to replicate the smbpasswd file to the
> >> > new server. This has caused two major problems:
> >> > 
> >> > 1) the smbpasswd command does not support the -S option
> > 
> > In 3.0? That is because that option moved to 'net' as 'net getlocalsid'
> > and 'net setlocalsid' (I think, read the BDC doco in the HOWTO).
> 
> Yea, I eventually found it. But this feature has changed so many times
> that every HOW-TO seems to have a different process. It took a week after
> my original message to find a process that worked. For the record, I used
> the getlocalsid on the old PDC to print it out. Then in a separate terminal
> window, I issued a net setlocalsid on the new 3.0 BDC, used copy and paste
> between the windows, and all seems as it should.
> 
> > 
> >> > 2) My user accounts transferred to the new machine, but not the machine
> >> > trust accounts.
> >> 
> >> OK, found this one. I forgot to move the posix accounts over to the new
> >> machines and Samba silently ignored the accounts. pdbedit on the other
> >> hand screamed bloody murder. Added PosixAccount to my machine entries in
> >> the new LDAP server, and Samba 3 found them thanks to nss_ldap.
> >> 
> >> However, I still do not have a MACHINE.SID file because the smbpasswd
> >> command does not work as advertised. Is it OK to just copy that file from
> >> the old machine?
> > 
> > If you don't have a secrets.tdb, then we will read that file on startup.
> > 
> > Andrew Bartlett
> 
> One additional thing I noticed in transferring my accounts I thought I would
> mention. It's annoying, but easy to fix.
> 
> My goal is to rebuild my PDC as I mentioned earlier. I stated in another
> thread my plan was to create a 3.0.1 BDC; transfer the accounts; transfer the
> shares; then, move the user and system accounts into LDAP. Once the PDC is
> rebuilt and I need to transfer control back, it should be simple to move the
> LDAP first, point the new Samba to the new primary LDAP, and demote the
> temporary PDC back down to BDC. And to make it a real BDC, set up an LDAP slave.
> 
> When I transferred the accounts from smbpasswd to LDAP, the transition
> tools did a really stupid thing. I have my accounts in LDAP under common
> name not username. So an LDIF entry starts like:

You used pdbedit -i smbpasswd -e ldapsam for this? I know our passdb tools
always do the search first.

> dn: cn=Joe user,dc=hcico,dc=com
> cn: Joe User
> sn: User
> givenName: Joe
> uid: juser
> <etc>
> 
> When Samba transferred the accounts to LDAP, it created a second entry in
> the address book like so:
> 
> dn: uid=juser,dc=hcico,dc=com
> cn: Joe User
> sn: User
> givenName: Joe
> uid: juser
> 
> In the translation, the script needs to look to see if the record already
> exists. This should be fairly simple if you set the filter to "uid=%L" to
> see if any entry already claims that login.
> 
> I manually went in and combined the two entries into one. Not a difficult
> task, but quite high on the annoyance scale.
File a bug :-)

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
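The duplicate-entry problem described in the thread (an existing cn=... entry and a second uid=... entry both claiming the same login) comes down to the migration step not doing the "uid=<login>" lookup before creating a DN. The following is an added example, not code from the thread, from Samba or from pdbedit: it parses two small constructed LDIF fragments, the existing directory entry and the smbpasswd-derived entry a conversion would produce, reports logins claimed by more than one DN, and merges the Samba attributes into the entry that already owns the login instead of creating a duplicate. The base DN, SIDs and attribute values are constructed sample data; the attribute names are the usual Samba 3 sambaSamAccount ones, but no real directory is contacted.

```python
"""Merge smbpasswd-derived LDAP entries into an existing directory by uid.

Added example (not from the thread or from Samba). Mirrors the poster's
suggested check: search for an entry already claiming the login (LDAP
filter uid=<login>) and merge into it rather than creating a new DN.
All LDIF below is constructed sample data.
"""

# Constructed: the entry the administrator already keeps under its common name.
EXISTING_LDIF = """\
dn: cn=Joe User,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Joe User
sn: User
givenName: Joe
uid: juser
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/juser
"""

# Constructed: what a naive smbpasswd -> ldapsam conversion might emit,
# keyed by uid, plus a machine trust account that has no existing entry.
CONVERTED_LDIF = """\
dn: uid=juser,dc=example,dc=com
objectClass: sambaSamAccount
cn: Joe User
sn: User
givenName: Joe
uid: juser
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaAcctFlags: [U          ]

dn: uid=wks1$,dc=example,dc=com
objectClass: sambaSamAccount
cn: wks1$
uid: wks1$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3004
sambaAcctFlags: [W          ]
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into a list of
    entries. Each entry maps attribute name -> list of values; the DN is
    stored under the key 'dn'. Blank lines separate entries."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            if current:
                entries.append(current)
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def index_by_uid(entries):
    """Index entries by login, the in-memory equivalent of an LDAP search
    with the filter (uid=<login>). Logins are compared case-insensitively."""
    idx = {}
    for entry in entries:
        for uid in entry.get("uid", []):
            idx.setdefault(uid.lower(), []).append(entry)
    return idx


def find_duplicate_logins(entries):
    """Return logins claimed by more than one DN (the symptom in the thread)."""
    return sorted(uid for uid, owners in index_by_uid(entries).items() if len(owners) > 1)


def merge_samba_entries(existing, converted):
    """Fold converted (smbpasswd-derived) entries into existing ones by uid.

    An entry whose login already exists gets its attributes (objectClass,
    samba*) added to the existing entry under the existing DN; a login with
    no owner becomes a new entry. Returns (entries, created, merged)."""
    result = [{k: list(v) for k, v in e.items()} for e in existing]
    idx = index_by_uid(result)
    created = merged = 0
    for conv in converted:
        uids = [u.lower() for u in conv.get("uid", [])]
        owners = [o for u in uids for o in idx.get(u, [])]
        if not owners:
            result.append(conv)
            for u in uids:
                idx.setdefault(u, []).append(conv)
            created += 1
            continue
        target = owners[0]
        for attr, values in conv.items():
            if attr == "dn":  # keep the DN the directory already uses
                continue
            for v in values:
                if v not in target.setdefault(attr, []):
                    target[attr].append(v)
        merged += 1
    return result, created, merged


def to_ldif(entries):
    """Serialise entries back to LDIF text."""
    blocks = []
    for e in entries:
        lines = ["dn: " + e["dn"][0]]
        lines += [f"{a}: {v}" for a, vs in e.items() if a != "dn" for v in vs]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    existing, converted = parse_ldif(EXISTING_LDIF), parse_ldif(CONVERTED_LDIF)
    print("duplicates if appended naively:", find_duplicate_logins(existing + converted))
    merged, created, n_merged = merge_samba_entries(existing, converted)
    print(f"created={created} merged={n_merged}")
    print(to_ldif(merged))
```

Running it shows `juser` as a duplicate when the converted entries are simply appended, and a clean directory with two entries after the merge: Joe User keeps the cn=... DN and gains the sambaSamAccount class and samba* attributes, while the machine account wks1$ is created fresh. The same uid index doubles as a post-migration sanity check, since two DNs owning one login means two different sets of credentials can answer for that account.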
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
