On Sunday 13 November 2005 13:49, Craig White wrote:
> On Sun, 2005-11-13 at 20:50 +0100, Christoph Peus wrote:
> > John H Terpstra wrote:
> > >> Aha. That's a clear statement.
> > >> It's true that the DC was downgraded from Windows 2000 to NT4, because
> > >> the original domain is Windows 2000/AD running in mixed mode, but
> > >> every reference to "net rpc vampire" and "AD in mixed mode" says that
> > >> this works. Is it possible that "net rpc vampire" works only partially
> > >> when used with AD/mixed mode?
> > >
> > > The "net rpc vampire" migration process will migrate all accounts from
> > > ADS to Samba-3 (NT4-style domain), but all machines will need to
> > > re-join the domain.
> >
> > John, thanks for confirming this information.
> >
> > > NT4 domain accounts can be migrated without need for domain members to
> > > be rejoined to the domain. The "net rpc vampire" is inherently an
> > > NT4-style migration process.
> > >
> > > Samba-3 is not capable of being an ADS server, hence the need for
> > > domain members to be re-joined to the domain.
> >
> > I know that "net rpc vampire" is NT4-style and that samba-3 is not
> > capable of being an ADS server, but does this imply that the migration of
> > machine accounts (which work afterwards) from a mixed mode AD is not
> > possible? My understanding of "AD in mixed mode" has been that it's
> > NT4-compatible to some degree and I doubt that the typical user (e.g.
> > myself) has enough knowledge of the AD internals to know that this
> > compatibility applies to users and groups but not to machine accounts.
> >
> > Another point: The fact that "net rpc vampire" offers no option for a
> > "user/group accounts only" migration suggests that migrating machine
> > accounts is generally sensible, but what are machine accounts worth,
> > when machines cannot login to them afterwards and which have to be
> > recreated anyway by rejoining the domain?
> >
> > I read the migration chapters of your books carefully and found no
> > reference to a "net rpc vampire" migration from a mixed mode AD. I
> > searched the internet up and down for further information regarding my
> > migration project, found a lot of Howtos and newsgroup postings, but
> > nothing which said that migration of machine accounts isn't possible in
> > this environment, and I asked a samba team member at the SambaXP
> > conference, who personally told me that "net rpc vampire works for
> > AD/mixed mode", which means to me, that it works *completely*.
> >
> > So, I just write all this to point out that I'm not in the situation I'm
> > in now because I've ignored the available documentation - to answer your
> > other posting in this thread - but because I read it carefully and
> > listened to the gurus. Obviously this wasn't sufficient.
> >
> > Please:
> >
> > - Add one sentence to the migration chapters of your books, which points
> > out that machine accounts won't work afterwards when migrated from a
> > mixed mode AD and that machines will have to rejoin the domain.
> >
> > - "net rpc vampire" should offer a "skip machine accounts" option for
> > those users who want to migrate from mixed mode AD.
> >
> > Thanks!
> >
> > >> BTW: I'm not the first to encounter this problem. Another samba user
> > >> (Kang Sun) reported exactly the same problem about a year ago, but
> > >> didn't get an answer.
> > >
> > > The mailing list is a subscriber supported facility. If anyone has an
> > > urgent need for answers they should obtain paid support. Please refer
> > > to the Samba web site for information regarding paid support sources.
> >
> > I didn't mention this to claim that it's your duty to answer every
> > question in a newsgroup (of course it's not!), but to point out that this
> > question may be worth answering in general, especially because you can
> > run into this problem though you have read the docs carefully, as I've
> > tried to explain above.
> >
> > Christoph
> >
> > PS: Is it known what's the cause for this machine account
> > incompatibility in detail? No way of reverting a client to an NT4-style
> > trust to the samba-PDC?
>
> ----
> This is interesting since I would have thought the 'mixed mode' would
> have worked for machine accounts but apparently it doesn't though the
> documentation does continually refer to NT4 and in the newer section of
> privileges, the added roles in Win2000 server are referenced so at least
> some distinction is drawn between NT4 and Win2K server roles - just
> nothing clear on 'mixed mode' and machine accounts.

Mixed mode simply means that an NT4 workstation or server can join the ADS
domain and participate as a domain member. NT4 workstation and server are not
capable of using ADS protocols (Kerberos and LDAP), and could otherwise not
participate in the ADS environment. Samba-3 can use the ADS protocols, but
only as an ADS domain member - not as an ADS server.

> I hadn't read through the vampire documentation in quite some time, I
> think the only time I went through it was samba 3.0.0 and the release 2
> of the How-To book and I see now that it is removed from the How-To and
> in the By-Example and has been greatly enhanced.
>
> Some suggestions for John in the documentation...
>
> 1 - Suggest to reader that the vampire process doesn't always work
> properly the first time and one should back up account db immediately
> prior to vampire step so that one can restore their tdb/ldap db, fix what
> wasn't exactly right and repeat from that step. This was a process that
> I had to figure out myself as I learned with each vampire effort.

Please submit a documentation patch, or more specific update recommendations.
I can send you the source files if you can not download them yourself.

The source files are available from:
http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/?root=samba-docs

> 2 - Given that certain 'Enterprise' distributions have versions near
> 3.0.9 / 3.0.10 that the added features have a specific tag for which
> version they were added so that users of those versions don't beat their
> heads on the wall for features that they can't use.

Please clarify this for me. I'm not able to parse this. Thanks.

- John T.
