Re: [Samba] Migrating samba domain to new computer.

2010-09-07 Thread John McMonagle
Got it fixed; the problem was with ldap.

Have 7 production ldap servers with a lot of data for many services.  
slapd.conf is about 400 lines. Actually it's a bunch of include files.

My mistake was to use my customized slapd from our kolab server.
Much to my surprise it wasn't the acls that got me but some of the extra
server stuff to make kolab work.

John

On Monday 30 August 2010 02:57:26 pm John McMonagle wrote:
 Thanks Gaiseric

 Making progress but still messed up  :-(

 Turned up error messages in samba and getting some error messages such as:
 _samr_SetUserInfo2: root does possess sufficient rights

 Odd as I'm not using root.
 My administrator account is administrator not root.

 Set up over 4 years ago and the populate script created an account like this:
 dn: uid=administrator,ou=People,dc=advocap,dc=org
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: inetOrgPerson
 objectClass: sambaSamAccount
 cn: administrator
 uid: administrator
 gidNumber: 512
 homeDirectory: /root
 givenName: Windows
 sn: Administrator
 gecos: Windows Administrator
 description: Windows Administrator
 shadowMin: 1
 shadowWarning: 10
 shadowInactive: 10
 shadowLastChange: 12726
 displayName: Windows Administrator
 sambaHomeDrive: U:
 sambaDomainName: ADVOCAP
 creatorsName: cn=Manager,dc=advocap,dc=org
 createTimestamp: 20041104200736Z
 loginShell: /bin/bash
 sambaLMPassword: xx
 sambaPwdLastSet: 1102083012
 sambaNTPassword: xx
 userPassword:: xx
 shadowMax: 9
 shadowExpire: 22278
 sambaPwdCanChange: 1072850418
 sambaPwdMustChange: 1922119808
 sambaAcctFlags: [UX ]
 uidNumber: 0
 structuralObjectClass: inetOrgPerson
 entryUUID: 5673eb48-e80e-1029-9225-dc2725e62f91
 sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
 sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998
 entryCSN: 20100827183656.00Z#00#000#00

 I just ran smbldap-populate and it created:
 dn: uid=root,ou=People,dc=advocap,dc=org
 cn: root
 sn: root
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 objectClass: sambaSAMAccount
 objectClass: posixAccount
 objectClass: shadowAccount
 gidNumber: 0
 uid: root
 uidNumber: 0
 homeDirectory: /home/root
 sambaPwdLastSet: 0
 sambaLogonTime: 0
 sambaLogoffTime: 2147483647
 sambaKickoffTime: 2147483647
 sambaPwdCanChange: 0
 sambaPwdMustChange: 2147483647
 sambaHomeDrive: U:
 sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
 sambaLMPassword: XXX
 sambaNTPassword: XXX
 sambaAcctFlags: [U  ]
 sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
 loginShell: /bin/false
 gecos: Netbios Domain Administrator

 I have read some comments from people saying to have the administrator
 account to be named root.   Has smbldap-tools or samba been changed to
 require the administrator to have uid of root?

 On Monday 30 August 2010 07:54:55 am Gaiseric Vandal wrote:
  The localsid on a DC should be the domain sid. You should be able to
  fix this with net setlocalsid command.
 
  Generally in Windows you want to assign permissions and rights to a
  group rather than directly to a user. As long as your Administrator
  account is in the Domain Admins group and that group has a sid of
  *-512 you should be OK. I don't think Samba automatically adds
  any rights or permissions to the Administrator user.  I had explicitly
  added some rights to my Administrator account after upgrading to Samba
  3.4.8  when trying to fix some other issue-  it may not have been
  necessary though.
 
 
  # net rpc rights list Administrator -S myserver  -U Administrator
  Enter Administrator's password:
  SeMachineAccountPrivilege
  SeAddUsersPrivilege
 
 
  I am pretty sure if you run gpedit on a windows machine and look at
  rights you will see that the rights are assigned to the Administrator
  group not the domain administrator.
 
  On 08/27/2010 02:56 PM, John McMonagle wrote:
   How about some more specific  problems.
  
   noticed that there is no localsid.
   net getlocalsid
   [2010/08/27 13:48:15,  0] utils/net.c:net_getlocalsid(708)
  Can't fetch domain SID for name: OSHKOSH
  
   I have seen mention that the localsid should be the same as the
   domainsid when using ldap.
   Is that true?
  
   Seen comments that the user sid for the administrator must end with
   -500. Is that true?
   Mine is not. It will be painful to change but I can deal with it.
  
   Thanks
  
   John
  
   On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
   Should have read this first:
   http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749
  
   Problem is I did it the wrong way on a few production systems.
   Odds are this is the second time I did it wrong.
  
   Running Debian Lenny using smbldap.
   It mostly works.
   Existing members of the domain are working OK.
   The first thing that got my attention is I was not able to join a new xp
   workstation to the domain.
  
   Also 

Re: [Samba] Migrating samba domain to new computer.

2010-08-30 Thread Gaiseric Vandal
The localsid on a DC should be the domain sid. You should be able to
fix this with net setlocalsid command.


Generally in Windows you want to assign permissions and rights to a
group rather than directly to a user. As long as your Administrator
account is in the Domain Admins group and that group has a sid of
*-512 you should be OK. I don't think Samba automatically adds
any rights or permissions to the Administrator user.  I had explicitly 
added some rights to my Administrator account after upgrading to Samba 
3.4.8  when trying to fix some other issue-  it may not have been 
necessary though.



# net rpc rights list Administrator -S myserver  -U Administrator
Enter Administrator's password:
SeMachineAccountPrivilege
SeAddUsersPrivilege


I am pretty sure if you run gpedit on a windows machine and look at 
rights you will see that the rights are assigned to the Administrator 
group not the domain administrator.





On 08/27/2010 02:56 PM, John McMonagle wrote:

How about some more specific  problems.

noticed that there is no localsid.
net getlocalsid
[2010/08/27 13:48:15,  0] utils/net.c:net_getlocalsid(708)
   Can't fetch domain SID for name: OSHKOSH

I have seen mention that the localsid should be the same as the domainsid
when using ldap.
Is that true?

Seen comments that the user sid for the administrator must end with -500.
Is that true?
Mine is not. It will be painful to change but I can deal with it.

Thanks

John

On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
   

Should have read this first:
http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749

Problem is I did it the wrong way on a few production systems.
Odds are this is the second time I did it wrong.

Running Debian Lenny using smbldap.
It mostly works.
Existing members of the domain are working OK.
The first thing that got my attention is I was not able to join a new xp
workstation to the domain.

Also noticed that the server is not a member of the domain.
net rpc testjoin
[2010/08/26 14:20:26,  0]
rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
   get_schannel_session_key: could not fetch trust account password for
domain 'ADVOCAP'
[2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
   net_rpc_join_ok: failed to get schannel session key from server FONDY for
domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Can not join domain:
  net join -U administrator
Enter administrator's password:
[2010/08/26 14:25:48,  0] utils/net_rpc_join.c:net_rpc_join_newstyle(349)
   error setting trust account password: NT_STATUS_ACCESS_DENIED

tdbdump secrets.tdb
does not show any entry for the server

Looked at one of the old  servers secrets.tdb
and it did not have an entry for that server either.

Any suggestions on the best way to fix this?

John
 
   


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Migrating samba domain to new computer.

2010-08-30 Thread John McMonagle
Thanks Gaiseric

Making progress but still messed up  :-(

Turned up error messages in samba and getting some error messages such as:
_samr_SetUserInfo2: root does possess sufficient rights

Odd as I'm not using root.
My administrator account is administrator not root.

Set up over 4 years ago and the populate script created an account like this:
dn: uid=administrator,ou=People,dc=advocap,dc=org
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
cn: administrator
uid: administrator
gidNumber: 512
homeDirectory: /root
givenName: Windows
sn: Administrator
gecos: Windows Administrator
description: Windows Administrator
shadowMin: 1
shadowWarning: 10
shadowInactive: 10
shadowLastChange: 12726
displayName: Windows Administrator
sambaHomeDrive: U:
sambaDomainName: ADVOCAP
creatorsName: cn=Manager,dc=advocap,dc=org
createTimestamp: 20041104200736Z
loginShell: /bin/bash
sambaLMPassword: xx
sambaPwdLastSet: 1102083012
sambaNTPassword: xx
userPassword:: xx
shadowMax: 9
shadowExpire: 22278
sambaPwdCanChange: 1072850418
sambaPwdMustChange: 1922119808
sambaAcctFlags: [UX ]
uidNumber: 0
structuralObjectClass: inetOrgPerson
entryUUID: 5673eb48-e80e-1029-9225-dc2725e62f91
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998
entryCSN: 20100827183656.00Z#00#000#00

I just ran smbldap-populate and it created:
dn: uid=root,ou=People,dc=advocap,dc=org
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomeDrive: U:
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U  ]
sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
loginShell: /bin/false
gecos: Netbios Domain Administrator

I have read some comments from people saying to have the administrator account  
to be named root.   Has smbldap-tools or samba been changed to require the
administrator to have uid of root?


On Monday 30 August 2010 07:54:55 am Gaiseric Vandal wrote:
 The localsid on a DC should be the domain sid. You should be able to
 fix this with net setlocalsid command.

 Generally in Windows you want to assign permissions and rights to a
 group rather than directly to a user. As long as your Administrator
 account is in the Domain Admins group and that group has a sid of
 *-512 you should be OK. I don't think Samba automatically adds
 any rights or permissions to the Administrator user.  I had explicitly
 added some rights to my Administrator account after upgrading to Samba
 3.4.8  when trying to fix some other issue-  it may not have been
 necessary though.


 # net rpc rights list Administrator -S myserver  -U Administrator
 Enter Administrator's password:
 SeMachineAccountPrivilege
 SeAddUsersPrivilege


 I am pretty sure if you run gpedit on a windows machine and look at
 rights you will see that the rights are assigned to the Administrator
 group not the domain administrator.

 On 08/27/2010 02:56 PM, John McMonagle wrote:
  How about some more specific  problems.
 
  noticed that there is no localsid.
  net getlocalsid
  [2010/08/27 13:48:15,  0] utils/net.c:net_getlocalsid(708)
 Can't fetch domain SID for name: OSHKOSH
 
  I have seen mention that the localsid should be the same as the domainsid
  when using ldap.
  Is that true?
 
  Seen comments that the user sid for the administrator must end with -500.
  Is that true?
  Mine is not. It will be painful to change but I can deal with it.
 
  Thanks
 
  John
 
  On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
  Should have read this first:
  http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749
 
  Problem is I did it the wrong way on a few production systems.
  Odds are this is the second time I did it wrong.
 
  Running Debian Lenny using smbldap.
  It mostly works.
  Existing members of the domain are working OK.
  The first thing that got my attention is I was not able to join a new xp
  workstation to the domain.
 
  Also noticed that the server is not a member of the domain.
  net rpc testjoin
  [2010/08/26 14:20:26,  0]
  rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
 get_schannel_session_key: could not fetch trust account password for
  domain 'ADVOCAP'
  [2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
 net_rpc_join_ok: failed to get schannel session key from server FONDY
  for domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
  Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
 
  Can not 
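The two questions running through this part of the thread (does the local SID have to equal the domain SID, and does the administrator's SID have to end in -500) can be checked mechanically against the LDAP data. The script below is an added example, not code from the thread, from Samba or from smbldap-tools. It parses LDIF in the form smbldap-populate and ldapsearch emit, splits each sambaSID into its domain part and RID, and reports the conditions Gaiseric describes plus one the two posted entries happen to exhibit: two Samba accounts (administrator and root) both mapping to unix uid 0. The sample LDIF is constructed from the entries John posted, trimmed to the attributes the checks use; the `local_sid` argument stands in for whatever `net getlocalsid` prints on the DC.

```python
"""Audit sambaSamAccount entries for the SID conventions discussed in the thread.

Added example, not from the thread or the Samba/smbldap-tools projects.
Checks performed:
  * the domain part of every sambaSID equals the DC's local SID
  * any account mapped to unix uid 0 carries the Administrator RID (500)
  * no unix uidNumber is shared by more than one Samba account
"""
import re
from typing import Dict, List, Optional, Tuple

# Well-known relative identifiers (RIDs) in an NT-style domain.
RID_ADMINISTRATOR = 500
RID_DOMAIN_ADMINS = 512

# S-1-5-21-<three sub-authorities>-<RID>; the last component is the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample: the two entries from the thread, trimmed to what the
# checks need (password hashes omitted entirely).
SAMPLE_LDIF = """\
dn: uid=administrator,ou=People,dc=advocap,dc=org
objectClass: sambaSamAccount
uid: administrator
uidNumber: 0
gidNumber: 512
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998
sambaAcctFlags: [UX ]

dn: uid=root,ou=People,dc=advocap,dc=org
objectClass: sambaSAMAccount
uid: root
uidNumber: 0
gidNumber: 0
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
sambaAcctFlags: [U  ]
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines ('attr:: value' for base64, kept raw), and leading-space
    continuation lines folded into the previous value."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:    # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        value = value.lstrip(":").strip()        # tolerate the 'attr::' form
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def split_sid(sid: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (domain_sid, rid) for an S-1-5-21-... SID, else (None, None)."""
    m = SID_RE.match(sid)
    if not m:
        return None, None
    return sid.rsplit("-", 1)[0], int(m.group(1))


def audit(entries: List[Dict[str, List[str]]], local_sid: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings: List[str] = []
    by_uidnumber: Dict[str, List[Tuple[str, int]]] = {}
    for e in entries:
        uid = e.get("uid", ["?"])[0]
        sid = e.get("sambaSID", [""])[0]
        domain, rid = split_sid(sid)
        if domain is None or rid is None:
            findings.append(f"{uid}: sambaSID missing or malformed: {sid!r}")
            continue
        if domain != local_sid:
            findings.append(f"{uid}: SID domain part {domain} differs from local SID {local_sid}")
        uidnum = e.get("uidNumber", [""])[0]
        by_uidnumber.setdefault(uidnum, []).append((uid, rid))
        if uidnum == "0" and rid != RID_ADMINISTRATOR:
            findings.append(f"{uid}: maps to unix uid 0 but has RID {rid}, not {RID_ADMINISTRATOR}")
    for uidnum, accounts in by_uidnumber.items():
        if len(accounts) > 1:
            names = ", ".join(name for name, _ in accounts)
            findings.append(f"unix uid {uidnum} is shared by {len(accounts)} Samba accounts: {names}")
    return findings


if __name__ == "__main__":
    # Assumption: the DC's local SID already equals the domain SID.
    for line in audit(parse_ldif(SAMPLE_LDIF), "S-1-5-21-3708734655-3086812103-629500990"):
        print(line)
```

Run against the posted entries with the local SID equal to the domain SID, it reports exactly two things: the old administrator account maps to uid 0 while carrying RID 20998, and uid 0 is now shared by two Samba accounts. Pass a different local SID and every entry is additionally flagged, which is the situation `net setlocalsid` is meant to correct.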

Re: [Samba] Migrating samba domain to new computer.

2010-08-30 Thread Gaiseric Vandal
I didn't use smbldap-tools.  But I think you have to configure them with
the appropriate ldap user credentials-  which is typically NOT root.   
Although it looks like ldap perms are not the issue since stuff is being 
created.



So you have both a root and administrator account in /etc/passwd?

Do you have all the unix users in /etc/passwd on the new machine (or are 
you using NIS or LDAP for a common unix account backend?)


I suspect that you may need to use pdbedit or smbpasswd to manually 
create the Administrator samba account on the new machine.





On 08/30/2010 03:57 PM, John McMonagle wrote:

Thanks Gaiseric

Making progress but still messed up  :-(

Turned up error messages in samba and getting some error messages such as:
_samr_SetUserInfo2: root does possess sufficient rights

Odd as I'm not using root.
My administrator account is administrator not root.

Set up over 4 years ago and the populate script created an account like this:
dn: uid=administrator,ou=People,dc=advocap,dc=org
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
cn: administrator
uid: administrator
gidNumber: 512
homeDirectory: /root
givenName: Windows
sn: Administrator
gecos: Windows Administrator
description: Windows Administrator
shadowMin: 1
shadowWarning: 10
shadowInactive: 10
shadowLastChange: 12726
displayName: Windows Administrator
sambaHomeDrive: U:
sambaDomainName: ADVOCAP
creatorsName: cn=Manager,dc=advocap,dc=org
createTimestamp: 20041104200736Z
loginShell: /bin/bash
sambaLMPassword: xx
sambaPwdLastSet: 1102083012
sambaNTPassword: xx
userPassword:: xx
shadowMax: 9
shadowExpire: 22278
sambaPwdCanChange: 1072850418
sambaPwdMustChange: 1922119808
sambaAcctFlags: [UX ]
uidNumber: 0
structuralObjectClass: inetOrgPerson
entryUUID: 5673eb48-e80e-1029-9225-dc2725e62f91
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaSID: S-1-5-21-3708734655-3086812103-629500990-20998
entryCSN: 20100827183656.00Z#00#000#00

I just ran smbldap-populate and it created:
dn: uid=root,ou=People,dc=advocap,dc=org
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomeDrive: U:
sambaPrimaryGroupSID: S-1-5-21-3708734655-3086812103-629500990-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U  ]
sambaSID: S-1-5-21-3708734655-3086812103-629500990-500
loginShell: /bin/false
gecos: Netbios Domain Administrator

I have read some comments from people saying to have the administrator account
to be named root.   Has smbldap-tools or samba been changed to require the
administrator to have uid of root?


On Monday 30 August 2010 07:54:55 am Gaiseric Vandal wrote:
   

The localsid on a DC should be the domain sid. You should be able to
fix this with net setlocalsid command.

Generally in Windows you want to assign permissions and rights to a
group rather than directly to a user. As long as your Administrator
account is in the Domain Admins group and that group has a sid of
*-512 you should be OK. I don't think Samba automatically adds
any rights or permissions to the Administrator user.  I had explicitly
added some rights to my Administrator account after upgrading to Samba
3.4.8  when trying to fix some other issue-  it may not have been
necessary though.


# net rpc rights list Administrator -S myserver  -U Administrator
Enter Administrator's password:
SeMachineAccountPrivilege
SeAddUsersPrivilege


I am pretty sure if you run gpedit on a windows machine and look at
rights you will see that the rights are assigned to the Administrator
group not the domain administrator.

On 08/27/2010 02:56 PM, John McMonagle wrote:
 

How about some more specific  problems.

noticed that there is no localsid.
net getlocalsid
[2010/08/27 13:48:15,  0] utils/net.c:net_getlocalsid(708)
Can't fetch domain SID for name: OSHKOSH

I have seen mention that the localsid should be the same as the domainsid
when using ldap.
Is that true?

Seen comments that the user sid for the administrator must end with -500.
Is that true?
Mine is not. It will be painful to change but I can deal with it.

Thanks

John

On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
   

Should have read this first:
http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749

Problem is I did it the wrong way on a few production systems.
Odds are this is the second time I did it wrong.

Running Debian Lenny using smbldap.
It mostly works.
Existing members of the domain are working OK.
The first thing that got my attention is I was not able to join a new xp
workstation to the domain.


Re: [Samba] Migrating samba domain to new computer.

2010-08-27 Thread John McMonagle
How about some more specific  problems.

noticed that there is no localsid.
net getlocalsid
[2010/08/27 13:48:15,  0] utils/net.c:net_getlocalsid(708)
  Can't fetch domain SID for name: OSHKOSH

I have seen mention that the localsid should be the same as the domainsid  
when using ldap.
Is that true?

Seen comments that the user sid for the administrator must end with -500.
Is that true?
Mine is not. It will be painful to change but I can deal with it.

Thanks

John

On Thursday 26 August 2010 02:44:51 pm John McMonagle wrote:
 Should have read this first:
 http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749

 Problem is I did it the wrong way on a few production systems.
 Odds are this is the second time I did it wrong.

 Running Debian Lenny using smbldap.
 It mostly works.
 Existing members of the domain are working OK.
 The first thing that got my attention is I was not able to join a new xp
 workstation to the domain.

 Also noticed that the server is not a member of the domain.
 net rpc testjoin
 [2010/08/26 14:20:26,  0]
 rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
   get_schannel_session_key: could not fetch trust account password for
 domain 'ADVOCAP'
 [2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
   net_rpc_join_ok: failed to get schannel session key from server FONDY for
 domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
 Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

 Can not join domain:
  net join -U administrator
 Enter administrator's password:
 [2010/08/26 14:25:48,  0] utils/net_rpc_join.c:net_rpc_join_newstyle(349)
   error setting trust account password: NT_STATUS_ACCESS_DENIED

 tdbdump secrets.tdb
 does not show any entry for the server

 Looked at one of the old  servers secrets.tdb
 and it did not have an entry for that server either.

 Any suggestions on the best way to fix this?

 John



[Samba] Migrating samba domain to new computer.

2010-08-26 Thread John McMonagle
Should have read this first:
http://samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749

Problem is I did it the wrong way on a few production systems.
Odds are this is the second time I did it wrong.

Running Debian Lenny using smbldap.
It mostly works.
Existing members of the domain are working OK.
The first thing that got my attention is I was not able to join a new xp
workstation to the domain.

Also noticed that the server is not a member of the domain.
net rpc testjoin
[2010/08/26 14:20:26,  0] 
rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
  get_schannel_session_key: could not fetch trust account password for 
domain 'ADVOCAP'
[2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
  net_rpc_join_ok: failed to get schannel session key from server FONDY for 
domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Can not join domain:
 net join -U administrator
Enter administrator's password:
[2010/08/26 14:25:48,  0] utils/net_rpc_join.c:net_rpc_join_newstyle(349)
  error setting trust account password: NT_STATUS_ACCESS_DENIED

tdbdump secrets.tdb
does not show any entry for the server

Looked at one of the old  servers secrets.tdb
and it did not have an entry for that server either.

Any suggestions on the best way to fix this?

John

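The `net rpc testjoin` and `net join` output in the original post is in the Samba 3 log format: a header line `[YYYY/MM/DD HH:MM:SS, level] file:function(line)` followed by indented message lines, with plain tool output (the `Join to domain ... is not valid` line) interleaved. The parser below is an added example, not code from the thread or from the Samba project; it turns that format into records, extracts the NT_STATUS code from each message, and picks out the trust-account failures that indicate a broken machine join, which is the kind of event worth alerting on from a DC. The sample log is constructed from the lines John posted, with each header restored to a single line (the mail client wrapped the first one) and message continuation lines indented as smbd and net write them.

```python
"""Parse Samba 3 style log output and flag machine trust-account failures.

Added example, not from the thread or the Samba project. The sample log is
constructed from the lines posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header line: [2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>[^:\s]+):(?P<func>[A-Za-z_][A-Za-z0-9_]*)\((?P<line>\d+)\)\s*$"
)
STATUS_RE = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")

# Constructed sample based on the thread's output; headers unwrapped,
# continuation lines indented, one plain tool-output line left in place.
SAMPLE_LOG = """\
[2010/08/26 14:20:26,  0] rpc_client/cli_pipe.c:get_schannel_session_key_common(2449)
  get_schannel_session_key: could not fetch trust account password for
  domain 'ADVOCAP'
[2010/08/26 14:20:26,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
  net_rpc_join_ok: failed to get schannel session key from server FONDY for
  domain ADVOCAP. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'ADVOCAP' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2010/08/26 14:25:48,  0] utils/net_rpc_join.c:net_rpc_join_newstyle(349)
  error setting trust account password: NT_STATUS_ACCESS_DENIED
"""


@dataclass
class LogRecord:
    timestamp: str
    level: int
    source_file: str
    function: str
    source_line: int
    message: str
    nt_status: Optional[str]


def parse_samba_log(text: str) -> List[LogRecord]:
    """Group each header with its indented message lines into a LogRecord.
    Non-indented lines that are not headers are tool stdout and are skipped;
    they also close the record that was open."""
    records: List[LogRecord] = []
    header = None
    body: List[str] = []
    for line in text.splitlines() + [None]:      # None is a sentinel to flush
        if line is not None and header is not None and line[:1] in (" ", "\t"):
            body.append(line.strip())            # continuation of the message
            continue
        if header is not None:                   # close the open record
            message = " ".join(body).strip()
            status = STATUS_RE.search(message)
            records.append(LogRecord(
                timestamp=header["ts"], level=int(header["level"]),
                source_file=header["file"], function=header["func"],
                source_line=int(header["line"]), message=message,
                nt_status=status.group(0) if status else None))
        header = HEADER_RE.match(line) if line is not None else None
        body = []
    return records


def count_by_status(records: List[LogRecord]) -> Dict[str, int]:
    """Histogram of NT_STATUS codes seen in the records (records without one are ignored)."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.nt_status:
            counts[r.nt_status] = counts.get(r.nt_status, 0) + 1
    return counts


def trust_account_failures(records: List[LogRecord]) -> List[LogRecord]:
    """Records about the machine trust account: the signal that a DC or
    member has lost (or never had) a valid domain join."""
    return [r for r in records if "trust account" in r.message]


if __name__ == "__main__":
    recs = parse_samba_log(SAMPLE_LOG)
    print(count_by_status(recs))
    for r in trust_account_failures(recs):
        print(r.timestamp, r.function, r.nt_status, r.message)
```

On the sample, three records come out, the interleaved `Join to domain ...` stdout line is not absorbed into any of them, and two of the three are trust-account failures: the missing trust account password and the NT_STATUS_ACCESS_DENIED when `net join` tries to set one. Those two together are what the thread's secrets.tdb observation corroborates from the other side.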