John H Terpstra wrote:
I know that "net rpc vampire" is NT4-style and that samba-3 is not capable
of being an ADS server, but does this imply that the migration of machine
accounts (which work afterwards) from a mixed mode AD is not possible? My
understanding of "AD in mixed mode" has been that it's NT4-compatible to
some degree and I doubt that the typical user (e.g. myself) has enough
knowledge of the AD internals to know that this compatibility applies to
users and groups but not to machine accounts.
If you migrate the domain membership trust account for an NT4 Workstation or
Server from ADS to Samba-3, the client does not need to be re-joined to the
domain. It will work just fine because the client (NT4) is capable only of
using an NT4-style domain interaction.
Windows 2000/2003/XP Pro client domain members of an ADS domain store
membership credentials that are specific to ADS. When
the ADS domain accounts are migrated to a Samba-3 domain, the client tries to
log onto the Samba-3 domain using ADS credentials - and logically, that
fails. This has nothing to do with ADS-mixed mode, it is the result of the
client having used the more advanced AD protocols when it was joined to the
domain.
Thanks for the clarification! Question: if a Win2k/XP workstation has
joined an NT4 domain and this domain is upgraded later on to AD, does the
machine account of the workstation remain NT4-style - and therefore
migratable by "vampire" - or is it upgraded to AD-style?
But I think that the answer to the question "can net rpc vampire migrate
machine accounts from an AD server" has to be "it depends" anyway,
because it works at least for NT4 machines.
Another point: The fact that "net rpc vampire" offers no option for a
"user/group accounts only" migration suggests that migrating machine
accounts is generally sensible, but what are machine accounts worth when
machines cannot log in to them afterwards and they have to be recreated
anyway by rejoining the domain?
The documentation does not address migration of ADS to Samba-3. Sorry. Maybe
someone should contribute a chapter on that subject. :-)
For migration of ADS/mixed mode to samba-3 it would be sufficient to
reference the NT4 PDC to samba-3 chapter and add a sentence which
explains that migration of Win2k/XP client machine accounts will not
work (if they joined the domain when the server was already AD - I'm not
sure about this - see above.)
I read the migration chapters of your books carefully and found no
reference to a "net rpc vampire" migration from a mixed mode AD. I searched
Correct. I do believe that the documentation is quite specific. We do support
migration of NT4 domains to Samba-3. It is possible to migrate ADS domain
accounts to Samba-3, but Samba-3 cannot be an ADS server. I believe that is
also very clearly documented, but I am willing to be proven wrong.
It *is* clearly documented that Samba-3 cannot be an ADS server, but for
a user with limited knowledge of ADS (like me ;) this does not imply
that migration of the machine accounts is not possible. ("When user and
group accounts can be migrated from ADS without problem, why shouldn't
this work with machine accounts too?" This applies even more when ADS
is running in mixed mode, which is known to be "NT4-compatible".) This
difference between users/groups and machines with respect to migration
should be explained explicitly in the documentation.
- "net rpc vampire" should offer a "skip machine accounts" option for
those users who want to migrate from mixed mode AD.
Please file a bug report on https://bugzilla.samba.org/ so this comes to the
attention of the developers and does not get lost in the woodwork.
OK, I will do so.
The mailing list is a subscriber supported facility. If anyone has an
urgent need for answers they should obtain paid support. Please refer to
the Samba web site for information regarding paid support sources.
I didn't mention this to claim that it's your duty to answer every question
in a newsgroup (of course it's not!), but to point out that this question
may be worth answering in general, especially because you can run into
this problem even though you have read the docs carefully, as I've tried to
explain above.
I understand your point. I apologise for not stating more clearly what the
consequences of Samba not being able to be an ADS server are.
John, you don't have to apologise for anything. Your documentation is
great, probably the best I have ever seen for a complex thing like
samba-3. I'm sorry if my postings - written under the impression of
frustration with this "cannot login any longer" problem after migration -
sound a little bit... impolite. This wasn't my intention.
I will be happy if my experience with "net rpc vampire" leads to a
documentation update which will protect other users from encountering the
same problem.
PS: Is it known what the cause of this machine account incompatibility is
in detail? Is there no way of reverting a client to an NT4-style trust to the
samba PDC?
Yes - the fact that the client was joined to ADS using Kerberos and LDAP
protocols that Samba-3 does not support, except when used as a member of an
ADS domain.
Yes, but what's the underlying technical cause for the cause? ;-)
It would be interesting to see how two identical XP machines would
differ after having joined one to an NT4 domain and the other to an
ADS domain. Which registry keys differ? Has somebody tried to make a "back to
NT4-style trust" conversion tool for Win2k/XP machines?
Otherwise I have to search for a solution now for the task of letting 500
clients rejoin the domain unattended/automatically somehow.
Christoph