* Andrew Bartlett <[EMAIL PROTECTED]> wrote:

> On Mon, 2004-02-16 at 16:35, Beast wrote:
> > * Andrew Bartlett <[EMAIL PROTECTED]> wrote:
> > 
> > > On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> > > > Hi!
> > > > 
> > > > How can I maintain users' old NT RIDs while migrating to a Samba PDC when they
> > > > start from 1000? The RID to UID conversion algorithm is RID = 2 * UID + 1000
> > > > so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix.
> > > > Maintaining the old RIDs is essential for migrating on-the-fly, because
> > > > re-adding hundreds of computers to domain and losing local user profiles is
> > > > not an option.
> > 
> > 
> > The only way to achieve this requirement is to use pwdump on the NT PDC.
> 
> I don't see how this is relevant.  'net rpc vampire' gets the passwords
> very nicely and migrates much more than pwdump.  As I said, in
> particular it gets the SIDs right.
> 

OK, thanks. I'll try it again. Last time I vampired my NT (with Samba 3.0.1), the Samba
password attribute was only filled with 'XXX' (it was from smb-ldaptools, I guess).

With pwdump, you get full control of account creation as well as any necessary
attributes. Good if you already have accounts stored in LDAP for another purpose.

> > From there you'll get the old RID and hashes for machine + user accounts.
> > Beware that pwdump sometimes cannot retrieve the hashes, and the hashes for a machine are
> > not correct if the machine has been joined for more than x months.
> > 
> > x = unknown value, maybe 1 or 2.
> 
> The issue would no doubt be the same for 'net rpc vampire', as they read
> the same password database.
> 

Last week, migrating my smallest site with 60+ PC clients, only 1 (one) machine, which
was joined recently, is able to log in; the others need to rejoin the NT domain and then obtain
the new machine password with pwdump.
A random sample from another site, where the machines were joined more than 6 months ago, gets the same
results.
It was strange; renaming the machine won't change the password either. So far I've
found no problem with account passwords.
Bug or expected behaviour?

> You need to use 'ldapsam' or 'tdbsam', you cannot use smbpasswd.  Both
> backends can store arbitrary RIDs, to satisfy exactly this requirement.
> 

I use ldapsam only.

> Andrew Bartlett

Tks.

--beast
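
An added example, not part of the thread and not Samba code: a pre-migration audit that checks each account's NT RID against the RID = 2 * UID + 1000 formula quoted above, reporting which RIDs would decode to an existing Unix UID (such as root) and which simply need to be stored explicitly in ldapsam or tdbsam. The account names, UIDs and status labels are constructed for illustration.

```python
RID_BASE = 1000  # offset from the formula quoted in the thread


def uid_to_rid(uid):
    """RID the algorithmic mapping would assign to a Unix UID."""
    return 2 * uid + RID_BASE


def rid_to_uid(rid):
    """UID a RID decodes to under the formula, or None when the formula
    never produces this RID (below the base, or odd)."""
    if rid < RID_BASE or (rid - RID_BASE) % 2:
        return None
    return (rid - RID_BASE) // 2


def audit(accounts, local_uids):
    """Classify each migrated account given as (name, nt_rid, unix_uid)."""
    report = {}
    for name, nt_rid, unix_uid in accounts:
        if uid_to_rid(unix_uid) == nt_rid:
            report[name] = "ok"  # algorithmic mapping already agrees
            continue
        alias = rid_to_uid(nt_rid)
        if alias is not None and alias in local_uids:
            # The old RID would be read as a different, existing Unix user.
            report[name] = f"aliases-uid:{alias}"
        else:
            # No alias, but the RID must be stored rather than computed.
            report[name] = "store-explicit"
    return report


# Constructed sample data: NT RIDs starting at 1000, as in the question.
ACCOUNTS = [
    ("alice", 1000, 5001),
    ("bob", 1001, 5002),
    ("carol", 1002, 5003),
    ("dave", 11008, 5004),
]
LOCAL_UIDS = {0, 1, 5001, 5002, 5003, 5004}

if __name__ == "__main__":
    for name, status in audit(ACCOUNTS, LOCAL_UIDS).items():
        print(f"{name:6} {status}")
```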
