Ioan Caltun wrote:
Hello,

I am trying to migrate an NT4 PDC server to a Linux PDC with a Samba 3.0 + OpenLDAP backend.

I have followed all the instructions in the Samba manual "The Linux Samba-openLDAP How to" V.1.6.

However, my efforts are in vain when I have to use net rpc. It hangs and I'm trying to find out why...

So.. Here is what I did:


[2004/08/06 17:17:06, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-375199814-1253531362-1423778804-512))]
[2004/08/06 17:17:06, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:(No such object)ldapsam_search_one_group: Query was: ou=Groups, (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-375199814-1253531362-1423778804-512))
Creating unix group: 'Admins du domaine'

Here is a question... here, in the research he uses SID
sambaSID=S-1-5-21-375199814-1253531362-1423778804-512

However, in smbldap.conf, the SID I obtained after

net rpc getlocalsid -S servpdc

is

SID="S-1-5-21-375199814-1253531362-1423778804"

It's normal. It appends "512" to your domain SID, which is the RID of group "Domain Admins" (Admins du domaine).

I think your problem comes from group mapping. Do you map all your
Windows groups (defined in your NT4 domain) to Unix groups with the
command "net groupmap"?
(e.g., for "Domain Admins":
net groupmap add sid=S-1-5-21-375199814-1253531362-1423778804-512 unixgroup="Admins du domaine"
with "Admins du domaine" defined in the /etc/group of your new Samba
server... NB: maybe you have to replace the spaces in "Admins du domaine" with
=20 in /etc/group, i.e. admins=20du=20domaine)


Another point. I saw you use 'smbldap-useradd -w "%u"' for the add machine script. If you are not able to log in from a Windows workstation after the migration (with a 'Workstation XX no account in domain' error), the only way I found to bypass this error is to remove the -w from the script command line. Problem: by doing this, Samba puts the computer account in "Users" instead of "Computers" in LDAP. A little bit annoying... Maybe someone knows how to avoid this problem...

Regards,
Lionel Beard
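
Added example (not part of the original messages and not Samba code): a small Python check that splits the SID from the log into the domain SID from smbldap.conf plus its RID, and rebuilds the sambaGroupMapping filter only after the SID has been validated. The function names are hypothetical; the RID table holds the standard Windows domain RIDs.

```python
import re

# Values quoted in the thread above.
DOMAIN_SID = "S-1-5-21-375199814-1253531362-1423778804"
LOG_SID = DOMAIN_SID + "-512"

# Standard domain-relative RIDs, identical in every NT domain.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest",
    512: "Domain Admins", 513: "Domain Users",
    514: "Domain Guests", 515: "Domain Computers",
}

# Domain SID (S-1-5-21 plus three sub-authorities) followed by one RID.
SID_RE = re.compile(r"(S-1-5-21(?:-[0-9]{1,10}){3})-([0-9]{1,10})")


def split_sid(sid):
    """Return (domain_sid, rid); reject anything that is not a domain account SID."""
    m = SID_RE.fullmatch(sid)
    if m is None:
        raise ValueError("not a domain account SID: %r" % sid)
    if any(int(part) > 0xFFFFFFFF for part in sid.split("-")[4:]):
        raise ValueError("sub-authority exceeds 32 bits: %r" % sid)
    return m.group(1), int(m.group(2))


def describe(sid, domain_sid):
    """Explain a SID seen in a log relative to the configured domain SID."""
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return "foreign domain %s, RID %d" % (domain, rid)
    return "RID %d (%s)" % (rid, WELL_KNOWN_RIDS.get(rid, "not a well-known RID"))


def group_filter(sid):
    """Rebuild the filter from the log; validation keeps filter syntax out of the value."""
    split_sid(sid)
    return "(&(objectClass=sambaGroupMapping)(sambaSID=%s))" % sid


if __name__ == "__main__":
    print(describe(LOG_SID, DOMAIN_SID))
    print(group_filter(LOG_SID))
```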







