On Sunday 13 November 2005 12:50, Christoph Peus wrote:
> John H Terpstra wrote:
> ...
> > NT4 domain accounts can be migrated without need for domain members to be
> > rejoined to the domain. The "net rpc vampire" is inherently an NT4-style
> > migration process.
> >
> > Samba-3 is not capable of being an ADS server, hence the need for domain
> > members to be re-joined to the domain.
>
> I know that "net rpc vampire" is NT4-style and that samba-3 is not capable
> of being an ADS server, but does this imply that the migration of machine
> accounts (which work afterwards) from a mixed mode AD is not possible? My
> understanding of "AD in mixed mode" has been that it's NT4-compatible to
> some degree and I doubt that the typical user (e.g. myself) has enough
> knowledge of the AD internals to know that this compatibility applies to
> users and groups but not to machine accounts.

If you migrate the domain membership trust account for an NT4 Workstation or
Server from ADS to Samba-3 the client does not need to be re-joined to the
domain. It will work just fine because the client (NT4) is capable only of
using an NT4-style domain interaction.

Windows 2000/2003/XP Pro client domain members of an ADS domain store
credentials that are membership credentials that are specific to ADS. When
the ADS domain accounts are migrated to a Samba-3 domain, the client tries to
log onto the Samba-3 domain using ADS credentials - and logically, that fails.

This has nothing to do with ADS mixed mode, it is the result of the client
having used the more advanced AD protocols when it was joined to the domain.

> Another point: The fact that "net rpc vampire" offers no option for a
> "user/group accounts only" migration suggests that migrating machine
> accounts is generally sensible, but what are machine accounts worth, when
> machines cannot login to them afterwards and which have to be recreated
> anyway by rejoining the domain?

The documentation does not address migration of ADS to Samba-3. Sorry. Maybe
someone should contribute a chapter on that subject. :-)

> I read the migration chapters of your books carefully and found no
> reference to a "net rpc vampire" migration from a mixed mode AD. I searched

Correct. I do believe that the documentation is quite specific. We do support
migration of NT4 domains to Samba-3. It is possible to migrate ADS domain
accounts to Samba-3, but Samba-3 can not be an ADS server. I believe that is
also very clearly documented, but I am willing to be proven wrong.

> the internet up and down for further information regarding my migration
> project, found a lot of Howtos and newsgroup postings, but nothing which
> said that migration of machine accounts isn't possible in this
> environment, and I asked a samba team member at the SambaXP conference, who
> personally told me that "net rpc vampire works for AD/mixed mode", which
> means to me, that it works *completely*.

OK. Understood, sorry to hear that you have been misled. I'll clarify the
documentation further.

> So, I just write all this to point out that I'm not in the situation I'm in
> now because I've ignored the available documentation - to answer your other
> posting in this thread - but because I read it carefully and listened to
> the gurus. Obviously this wasn't sufficient.

Ah ah, the documentation clearly points out that Samba-3 is not capable of
being an ADS server. I guess that is not clear enough so I'll fix it.

> Please:
>
> - Add one sentence to the migration chapters of your books, which points out
> that machine accounts won't work afterwards when migrated from a mixed
> mode AD and that machines will have to rejoin the domain.

OK. I'll add that.

> - "net rpc vampire" should offer a "skip machine accounts" option for
> those users who want to migrate from mixed mode AD.

Please file a bug report on https://bugzilla.samba.org/ so this comes to the
attention of the developers and does not get lost in the woodwork.

> Thanks!
>
> >> BTW: I'm not the first to encounter this problem. Another samba user
> >> (Kang Sun) reported exactly the same problem about a year ago, but
> >> didn't get an answer.
> >
> > The mailing list is a subscriber supported facility. If anyone has an
> > urgent need for answers they should obtain paid support. Please refer to
> > the Samba web site for information regarding paid support sources.
>
> I didn't mention this to claim that it's your duty to answer every question
> in a newsgroup (of course it's not!), but to point out that this question
> may be worth answering in general, especially because you can run into
> this problem though you have read the docs carefully, as I've tried to
> explain above.

I understand your point. I apologise for not stating more clearly what the
consequences are of Samba not being able to be an ADS server.

> PS: Is it known what's the cause for this machine account incompatibility
> in detail? No way of reverting a client to an NT4-style trust to the
> samba-PDC?

Yes - the fact that the client was joined to ADS using Kerberos and LDAP
protocols that Samba-3 does not support, except when used as a member of an
ADS domain.

- John T.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
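As an added illustration that is not part of this thread (nor Samba's own tooling), the script below parses the verbose account listing that `pdbedit -L -v` prints after a "net rpc vampire" run and picks out the workstation (W) and server (S) trust accounts, i.e. the machine accounts that, as explained above, will not work until each Windows 2000/XP/2003 machine re-joins the Samba-3 domain. The sample listing is constructed (placeholder SIDs, invented host names) and assumes pdbedit's "Unix username:" / "Account Flags:" labels and dashed record separators.

```python
import re
from typing import Dict, List

# Constructed sample of "pdbedit -L -v" output after a vampire migration.
# Labels mimic pdbedit's verbose listing; SIDs and host names are placeholders.
SAMPLE_PDBEDIT_LV = """\
---------------
Unix username:        alice
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-PLACEHOLDER-1001
---------------
Unix username:        ws01$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-PLACEHOLDER-1102
---------------
Unix username:        fileserv$
NT username:
Account Flags:        [S          ]
User SID:             S-1-5-21-PLACEHOLDER-1103
---------------
Unix username:        bob
NT username:
Account Flags:        [UD         ]
User SID:             S-1-5-21-PLACEHOLDER-1004
"""

def parse_pdbedit_verbose(text: str) -> List[Dict[str, str]]:
    """Split verbose pdbedit output into one {label: value} dict per account."""
    accounts: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("---"):          # record separator
            if current:
                accounts.append(current)
            current = {}
            continue
        label, sep, value = line.partition(":")
        if sep:
            current[label.strip()] = value.strip()
    if current:
        accounts.append(current)
    return accounts

def trust_accounts(text: str) -> List[str]:
    """Machine trust accounts (flag W = workstation, S = server) that need a re-join."""
    names = []
    for acct in parse_pdbedit_verbose(text):
        m = re.search(r"\[([A-Z ]*)\]", acct.get("Account Flags", ""))
        if m and set(m.group(1)) & {"W", "S"}:
            names.append(acct["Unix username"])
    return names

if __name__ == "__main__":
    for name in trust_accounts(SAMPLE_PDBEDIT_LV):
        print(f"{name}: migrated machine account, client must re-join the domain")
```

Run against real output with `pdbedit -L -v | python3 thisscript.py` after swapping the sample for `sys.stdin.read()`.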
