Re: [Samba] NT4 Migration
Thanks all for the replies. I should point out that I have only one PDC and one NT domain. I do have several existing Samba servers that use the domain security option.

10. The LDAP management password must be installed into the secrets.tdb file as follows:

    root# smbpasswd -w not24get
    Setting stored password for cn=Manager,dc=terpstra-world,dc=org in secrets.tdb

Did you run this command?

Yes, I did. I deleted secrets.tdb before I began. I ran it again to see what the output was:

    smbpasswd -w not24get
    Setting stored password for cn=admin,dc=mydomain,dc=co,dc=uk in secrets.tdb

When I run smbldap-populate I am also prompted by smbpasswd. I am not sure if that is correct.

What do the following commands show?

    net getlocalsid
    net getdomainsid

They should be the same.

I get an error:

    net getlocalsid
    [2010/09/23 08:13:01, 0] utils/net.c:net_getlocalsid(708)
      Can't fetch domain SID for name: LDAP
    net getdomainsid
    Could not fetch local SID

LDAP is the hostname of the local machine that I would like to eventually migrate to. I am wondering if that might be a poor choice of hostname now. I checked my history and I definitely ran `net rpc -S my_nt_server_netbios_name`, I hope it doesn't hurt to run it again. This was the output:

    Storing SID S-1-5-21-900663976-1457140431-1537874043 for Domain MYDOM in secrets.tdb

    #net rpc getsid -S SPLPDC -U Administrator
    Storing SID S-1-5-21-900663976-1457140431-1537874043 for Domain MYDOM in secrets.tdb
    # net getdomainsid
    Could not fetch local SID
    # net getlocalsid
    [2010/09/23 08:18:21, 0] utils/net.c:net_getlocalsid(708)
      Can't fetch domain SID for name: LDAP

I have not used net rpc vampire yet (point 17) because I haven't passed the safety checks in point 16.

Can you just manually change your SID in LDAP to match that from the NT4 server?

I am not entirely sure this is necessary. In my ldap tree I have an item called sambaDomainName and that has the correct SID. Here is the partial output from slapcat -v:

    # id=001a
    dn: sambaDomainName=MYDOM,dc=mydomain,dc=co,dc=uk
    sambaAlgorithmicRidBase: 1000
    sambaNextUserRid: 1000
    structuralObjectClass: sambaDomain
    entryUUID: 60ea2452-56bd-102f-9b84-07665867de80
    creatorsName: cn=admin,dc=mydomain,dc=co,dc=uk
    createTimestamp: 20100917153835Z
    sambaMinPwdLength: 5
    sambaPwdHistoryLength: 0
    sambaLogonToChgPwd: 0
    sambaMaxPwdAge: -1
    sambaMinPwdAge: 0
    sambaLockoutDuration: 30
    sambaLockoutObservationWindow: 30
    sambaLockoutThreshold: 0
    sambaForceLogoff: -1
    sambaRefuseMachinePwdChange: 0
    gidNumber: 1000
    sambaDomainName: MYDOM
    sambaSID: S-1-5-21-900663976-1457140431-1537874043
    sambaNextRid: 1000
    uidNumber: 1000
    objectClass: top
    objectClass: sambaDomain
    objectClass: sambaUnixIdPool
    entryCSN: 20100922144116.351528Z#00#000#00
    modifiersName: cn=admin,dc=mydomain,dc=co,dc=uk
    modifyTimestamp: 20100922144116Z

I also found (at least with samba 3.4.x) that even if I set ldap group suffix=ou=group in smb.conf, samba would look through my whole LDAP tree for group entries. I had initially tried to have separate ou=group and ou=smb_group containers to separate my unix groups from my samba group mappings.

smb.conf:

    ldap admin dn = cn=admin,dc=mydomain,dc=co,dc=uk
    ldap group suffix = ou=group
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=Computer

That might be a hint. The ldap group is ou=Groups. I edited my smb.conf, deleted secrets.tdb, and stepped through the process again. Now `net groupmap list` gives me:

    Domain Admins (S-1-5-21-1979685110-1467996072-351907979-512) - 512
    Domain Users (S-1-5-21-1979685110-1467996072-351907979-513) - 513
    Domain Guests (S-1-5-21-1979685110-1467996072-351907979-514) - 514
    Domain Computers (S-1-5-21-1979685110-1467996072-351907979-515) - 515
    Administrators (S-1-5-32-544) - 544
    Account Operators (S-1-5-32-548) - 548
    Print Operators (S-1-5-32-550) - 550
    Backup Operators (S-1-5-32-551) - 551
    Replicators (S-1-5-32-552) - 552

This is more like it and I may be nearly ready to vampire. However I am worried about the errors I get now from net getlocalsid and getdomainsid.

Are you using idmap? I had this when the nextgid value in idmap went out of range for some bizarre reason.

Yes I am using idmap

smb.conf

    idmap backend = ldapsam:ldap://127.0.0.1/
    idmap uid = 15000-2
    idmap gid = 15000-2

I don't know how to get the current or next id to find out if this is the case.

I think the question I'd like to ask the list is, do they think that it's safe for me to continue when I am still getting errors from getdomainsid and pdbedit does not show the root user?

Thanks,
Dp.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
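
An added example, not part of the thread and not Samba project code: a shell check for the SID comparison discussed in the message above, which extracts the domain SID reported by `net rpc getsid` and flags every `net groupmap list` entry whose domain part differs from it. The function names are hypothetical, and the sample input is constructed from the command output quoted in the thread.

```shell
#!/bin/sh
# Added example: compare the domain SID stored from the NT4 PDC with the
# SIDs used by the group mappings. Function names are hypothetical.

# Sample input, constructed from the output quoted in the thread.
sample_getsid_output() {
    cat <<'EOF'
Storing SID S-1-5-21-900663976-1457140431-1537874043 for Domain MYDOM in secrets.tdb
EOF
}

sample_groupmap_output() {
    cat <<'EOF'
Domain Admins (S-1-5-21-1979685110-1467996072-351907979-512) - 512
Domain Users (S-1-5-21-1979685110-1467996072-351907979-513) - 513
Domain Guests (S-1-5-21-1979685110-1467996072-351907979-514) - 514
Domain Computers (S-1-5-21-1979685110-1467996072-351907979-515) - 515
Administrators (S-1-5-32-544) - 544
Account Operators (S-1-5-32-548) - 548
Print Operators (S-1-5-32-550) - 550
Backup Operators (S-1-5-32-551) - 551
Replicators (S-1-5-32-552) - 552
EOF
}

# Read `net rpc getsid` output on stdin and print the domain SID it stored.
extract_stored_sid() {
    sed -n 's/^Storing SID \(S-1-5-21-[0-9-]*\) for Domain .*$/\1/p' | head -n 1
}

# Read `net groupmap list` output on stdin; $1 is the expected domain SID.
# Prints "MISMATCH <group> <sid>" for each domain group mapped under another
# domain SID and returns 1 if any were found.
check_groupmap_sids() {
    awk -v want="$1" '
        {
            # Lines look like: Group Name (S-1-...-RID) - gid
            if (!match($0, /\(S-[0-9-]+\)/)) next
            sid  = substr($0, RSTART + 1, RLENGTH - 2)
            name = substr($0, 1, RSTART - 2)
            # BUILTIN aliases (S-1-5-32-*) are identical in every domain.
            if (sid ~ /^S-1-5-32-/) next
            dom = sid
            sub(/-[0-9]+$/, "", dom)   # drop the trailing RID
            if (dom != want) {
                printf "MISMATCH %s %s\n", name, sid
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

sid=$(sample_getsid_output | extract_stored_sid)
echo "Domain SID fetched from the NT4 PDC: $sid"
if sample_groupmap_output | check_groupmap_sids "$sid"; then
    echo "All domain group mappings use the fetched domain SID."
else
    echo "The group mappings listed above were created under a different domain SID."
fi
```

On a live server the same functions take the real output, for example `net groupmap list | check_groupmap_sids "$sid"`.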
[Samba] NT4 Migration
Hi,

I am in the process of attempting a NT4 Domain to Samba migration (3.2.5). I have been following the instructions at http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html. I am using an ldap backend.

I am not convinced everything is set-up correctly. Before I began I removed all /var/lib/samba/*tdb and shutdown smb and ldap. At point 13 where you do `getent group` the Domain groups do not appear. They exist in the ldap tree ou=Groups. I have joined the samba machine to the NT4 domain (point 14).

When I attempt pdbedit -Lw, I get:

    sid S-1-5-21-1979685110-1467996072-351907979-500 does not belong to our domain
    sid S-1-5-21-1979685110-1467996072-351907979-2998 does not belong to our domain
    sid S-1-5-21-1979685110-1467996072-351907979-3010 does not belong to our domain

This sid is not the one that appears in my ldap sambaDomainName or from the `net rpc getsid ` command.

Also when I attempt `netgroupmap list` (point 16) I get:

    net groupmap list
    [2010/09/22 15:41:05, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3342)
      ldapsam_setsamgrent: LDAP search failed: No such object
    [2010/09/22 15:41:05, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3417)
      ldapsam_enum_group_mapping: Unable to open passdb

So something is wrong but I am not sure what. Can anyone offer any advice?

Thanks in advance,
Dp.
Re: [Samba] NT4 Migration
What do the following commands show?

    net getlocalsid
    net getdomainsid

They should be the same.

When you ran net rpc getsid did you include -S the_name_of_the_NT4_server ? Maybe it somehow talked to another domain controller. If your samba machine was configured as a BDC before you vampired the info from the NT4 server, maybe it didn't pull the sid from the NT4 server.

Can you just manually change your SID in LDAP to match that from the NT4 server?

I also found (at least with samba 3.4.x) that even if I set ldap group suffix=ou=group in smb.conf, samba would look through my whole LDAP tree for group entries. I had initially tried to have separate ou=group and ou=smb_group containers to separate my unix groups from my samba group mappings.

I suspect your group mapping issue may resolve itself once you fix the sid mismatch.

On 09/22/2010 11:58 AM, Dermot wrote:

Hi,

I am in the process of attempting a NT4 Domain to Samba migration (3.2.5). I have been following the instructions at http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html. I am using an ldap backend.

I am not convinced everything is set-up correctly. Before I began I removed all /var/lib/samba/*tdb and shutdown smb and ldap. At point 13 where you do `getent group` the Domain groups do not appear. They exist in the ldap tree ou=Groups. I have joined the samba machine to the NT4 domain (point 14).

When I attempt pdbedit -Lw, I get:

    sid S-1-5-21-1979685110-1467996072-351907979-500 does not belong to our domain
    sid S-1-5-21-1979685110-1467996072-351907979-2998 does not belong to our domain
    sid S-1-5-21-1979685110-1467996072-351907979-3010 does not belong to our domain

This sid is not the one that appears in my ldap sambaDomainName or from the `net rpc getsid ` command.

Also when I attempt `netgroupmap list` (point 16) I get:

    net groupmap list
    [2010/09/22 15:41:05, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3342)
      ldapsam_setsamgrent: LDAP search failed: No such object
    [2010/09/22 15:41:05, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3417)
      ldapsam_enum_group_mapping: Unable to open passdb

So something is wrong but I am not sure what. Can anyone offer any advice?

Thanks in advance,
Dp.
Re: [Samba] NT4 Migration
Quoting Dermot paik...@gmail.com:

    sid S-1-5-21-1979685110-1467996072-351907979-500 does not belong to our domain
    sid S-1-5-21-1979685110-1467996072-351907979-2998 does not belong to our domain
    sid S-1-5-21-1979685110-1467996072-351907979-3010 does not belong to our domain

Are you using idmap? I had this when the nextgid value in idmap went out of range for some bizarre reason.
[Samba] NT4 Migration Doubt?
Hi people.

I'm in process to remove my last NT4 machine here at the company. I had read the migration process tested and looks like works. Now my box is going to run Centos 5.x with LDAP as backend.

My only doubt is, once u run the migration tool (vampire) do samba need to have the same IP as the NT server?

Is all my doubt, thanks!!!

--
LIving the dream...
Re: [Samba] NT4 Migration Doubt?
On 05/26/2010 06:46 PM, Alberto Moreno wrote:

Hi people.

I'm in process to remove my last NT4 machine here at the company. I had read the migration process tested and looks like works. Now my box is going to run Centos 5.x with LDAP as backend.

My only doubt is, once u run the migration tool (vampire) do samba need to have the same IP as the NT server?

Is all my doubt, thanks!!!

No.

- John T.
[Samba] NT4 migration: does it get passwords too?
We've got samba 3 on linux fedora core 7 server. I'm trying to use the NT Migration Using the tdbsam backup (chapter 9), from the Samba-Guide from samba.org.

I can set up a proper samba PDC with a tdbsam backend, and join an XP client to it, it all works. So then I change samba to be a backup domain controller for the NT4 domain, and follow the instructions to the tee. The migration seems successful, the user accounts are migrated, but none of the passwords are migrated.

Let me get this straight. Is the migration supposed to get the passwords? Or not? The actual command that does the work is 'net rpc vampire...', is that supposed to grab the passwords? Or is it just getting the objects, without passwords?

Thanks,
Alex
Re: [Samba] NT4 migration: does it get passwords too?
I did a NT4-Samba migration recently and net vampire did copy over all the information, users, machines, passwords. However, the unix-level accounts do need to be created 1st. (The net vampire command should indicate what accounts it could not migrate.)

Some accounts had issues due to capitalization. For example, MS Windows Johnsmith will not be able to login if the unix account is johnsmith.

On 9/25/07, Alexander Lazarevich [EMAIL PROTECTED] wrote:

We've got samba 3 on linux fedora core 7 server. I'm trying to use the NT Migration Using the tdbsam backup (chapter 9), from the Samba-Guide from samba.org.

I can set up a proper samba PDC with a tdbsam backend, and join an XP client to it, it all works. So then I change samba to be a backup domain controller for the NT4 domain, and follow the instructions to the tee. The migration seems successful, the user accounts are migrated, but none of the passwords are migrated.

Let me get this straight. Is the migration supposed to get the passwords? Or not? The actual command that does the work is 'net rpc vampire...', is that supposed to grab the passwords? Or is it just getting the objects, without passwords?

Thanks,
Alex
RE: [Samba] NT4 migration errors
Kevin B wrote:

Geoff kindly replied...

It also looks like the /home directory has everyone's $HOME but the uid and gid for each user is numeric instead of resolving the username and groupname [same as before btw].

Thanks for the help Geoff. If you have any more ideas let me know :]

Kevin

    net rpc vampire -S nt4 -W DOMAIN
    Fetching DOMAIN database
    Creating unix group: 'Domain Admins'
    /usr/local/sbin/smbldap-groupadd: group Domain Admins exists
    [2005/07/14 14:27:20, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Admins'' gave 6
    Creating unix group: 'Domain Users'
    /usr/local/sbin/smbldap-groupadd: group Domain Users exists
    [2005/07/14 14:27:20, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Users'' gave 6
    Creating unix group: 'Domain Guests'
    /usr/local/sbin/smbldap-groupadd: group Domain Guests exists
    [2005/07/14 14:27:21, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Guests'' gave 6
    Creating unix group: 'Sales'
    Creating unix group: 'Accounting'
    Creating account: Administrator
    Could not create posix account info for 'Administrator'

You need to revisit:

http://au1.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-PAM-NSS

Your system's ability to resolve posix info is hosed or not set up properly.

Geoff

Hi

Thanks for the help. I was convinced it was PAM related. I found my slap.conf was config'd like my standalone domain controller, or the wrong/old doc's [too late to research that] the samples at the bottom.

We migrated users and groups tonight in the lab :)

Question... In Chapter 9, it says to leave smbd off until after shutting down the PDC and BDCs -but- the smbldap-tools ./configure.pl script complains if it's not running. I start it and then stop it immediately after running ./configure.pl. Does the documentation need updating?? It seems this method is ok.

Thanks for the help.

Kevin

### Incorrect ##

    # Indices to maintain for this database
    #index objectClass eq,pres
    #index ou,cn,mail,surname,givenname eq,pres,sub
    #index uidNumber,gidNumber,loginShell eq,pres
    #index uid,memberUid,displayName eq,pres,sub
    #index nisMapName,nisMapEntry eq,pres,sub
    #index sambaSID eq
    #index sambaPrimaryGroupSID eq
    #index sambaDomainName eq
    #index default sub

Correct #

    index objectClass eq
    index cn pres,sub,eq
    index sn pres,sub,eq
    index uid pres,sub,eq
    index displayName pres,sub,eq
    index uidNumber eq
    index gidNumber eq
    index memberUid eq
    index sambaSID eq
    index sambaPrimaryGroupSID eq
    index sambaDomainName eq
    index default sub
RE: [Samba] NT4 migration errors
Kevin B wrote:

Geoff kindly replied...

spot on with that assumption. You are using:

    add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'

In your smb.conf aren't you? It should be:

    add user script = /usr/local/sbin/smbldap-useradd -m '%u'

No *-a* flag. Samba now takes care of the samba attributes for a user.

You are correct. I recall at one point I had to add the -a to fix some other problem. Sounds like my whole approach was a bit off [or maybe a byte] so that fix wasn't really relevant.

Like I said you only need that for adding users on the command line

I wiped the ldap clean and did as you advised. Everything was looking good up to this point [step 16]:

    pc-00129:~ # net groupmap list
    Domain Admins (S-1-5-21-1348277581-813059936-1947940980-512) - 512

Does the SID shown by a net rpc info for the old NT4 server look the same as the one shown by a net getlocalsid? Do you have all the delete scripts commented out before you vampire? Can you show us your smb.conf?

It also looks like the /home directory has everyone's $HOME but the uid and gid for each user is numeric instead of resolving the username and groupname [same as before btw].

Right this is a fairly good indicator that either nsswitch.conf, or the pam-ldap files aren't configured properly or that the pam-ldap components aren't installed. You need to double check all those things.

Thanks for the help Geoff. If you have any more ideas let me know :]

What version of the smbldap tools do you have?

Kevin
RE: [Samba] NT4 migration errors
Kevin B wrote:

Geoff kindly replied...

It also looks like the /home directory has everyone's $HOME but the uid and gid for each user is numeric instead of resolving the username and groupname [same as before btw].

Thanks for the help Geoff. If you have any more ideas let me know :]

Kevin

    net rpc vampire -S nt4 -W DOMAIN
    Fetching DOMAIN database
    Creating unix group: 'Domain Admins'
    /usr/local/sbin/smbldap-groupadd: group Domain Admins exists
    [2005/07/14 14:27:20, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Admins'' gave 6
    Creating unix group: 'Domain Users'
    /usr/local/sbin/smbldap-groupadd: group Domain Users exists
    [2005/07/14 14:27:20, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Users'' gave 6
    Creating unix group: 'Domain Guests'
    /usr/local/sbin/smbldap-groupadd: group Domain Guests exists
    [2005/07/14 14:27:21, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Guests'' gave 6
    Creating unix group: 'Sales'
    Creating unix group: 'Accounting'
    Creating account: Administrator
    Could not create posix account info for 'Administrator'

You need to revisit:

http://au1.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-PAM-NSS

Your system's ability to resolve posix info is hosed or not set up properly.

Geoff
[Samba] NT4 migration errors
Hi

I've setup samba 3.0.14 with the latest idealx scripts on FC3. Now I have a test lab to migrate from NT4 box which different than the standalone PDC I have running. Here's the order I used and my ldap and samba configs are clean as far as I can tell since I do get a partial migration.

When using 'net rpc vampire -S nt4 -W DOMAIN' it populates the groups from NT4 and shows the group membership but the users fail to come over. Here's what I've done so far. BTW SLES9 server. [continued below]

From a clean ldap database I add in the top level ldif:
--

    dn: dc=kblan,dc=com
    o: kblan
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    dc: kblan

Then ldapadd the preload ldif to be ready for the NT4 accounts:
--

    dn: cn=admin,dc=kblan,dc=com
    objectClass: organizationalRole
    cn: admin
    description: Directory Manager

    dn: ou=People,dc=kblan,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou:People

    dn: ou=Groups,dc=kblan,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou:Groups

    dn: ou=Idmap,dc=kblan,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou:Idmap

    dn: ou=Domains,dc=kblan,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou:Domains

Then ldapadd the NextFreeUnixID ldif:
-

    dn: cn=NextFreeUnixId,dc=kblan,dc=com
    objectClass: inetOrgPerson
    objectClass: sambaUnixIdPool
    uidNumber: 1000
    gidNumber: 1000
    cn: NextFreeUnixId
    sn: NextFreeUnixId

Next add the smbpasswd to secrets.tdb.

Then grab the NT4 SID:

    net rpc getsid -S nt4 -W DOMAIN

[which succeeds and tdbdump shows it]

Now join the domain:

    net rpc join -S nt4 -W DOMAIN -U Administrator%34567

[it joins]

Now we migrate: I'll show the 'net rpc vampire' first and then show a slapcat dump of the ldap contents after migrating. Comparing to the standalone PDC I setup before, it seems I'm missing the sambaSamAccount object and all the relevant attributes, but I don't know if in fact they are 'supposed' to exist when migrating from NT4 [??].

In any case, I need some help to get the migration done whatever my mistakes are. I only have 2 groups and a couple of members in each group. I don't have any local /etc/group entries other than for services. [all gid less than 100] Everything should be in ldap.

Any help is greatly appreciated. Thanks in advance.

Kevin

    linux:~ # net rpc vampire -S nt4 -W DOMAIN
    Fetching DOMAIN database
    Creating unix group: 'Domain Admins'
    Creating unix group: 'Domain Users'
    Creating unix group: 'Domain Guests'
    Creating unix group: 'Sales'
    Creating unix group: 'Accounting'
    Creating account: Administrator
    Error: SID not set for unix group 1001 check if your unix group is mapped to an NT group
    [2005/07/14 12:18:55, 0] utils/net_rpc_samsync.c:fetch_account_info(527)
      fetch_account: Running the command `/usr/local/sbin/smbldap-useradd -a -m 'Administrator'' gave 7
    Could not create posix account info for 'Administrator'
    Creating account: Guest
    Error: SID not set for unix group 1001 check if your unix group is mapped to an NT group
    [2005/07/14 12:18:56, 0] utils/net_rpc_samsync.c:fetch_account_info(527)
      fetch_account: Running the command `/usr/local/sbin/smbldap-useradd -a -m 'Guest'' gave 7
    Could not create posix account info for 'Guest'
    Creating account: NT4$
    Can't call method get_value on an undefined value at /usr/local/sbin/smbldap-useradd line 171, DATA line 283.
    [2005/07/14 12:18:56, 0] utils/net_rpc_samsync.c:fetch_account_info(527)
      fetch_account: Running the command `/usr/local/sbin/smbldap-useradd -a -w 'NT4$'' gave 3
    Could not create posix account info for 'NT4$'
    Creating account: IUSR_NT4
    Error: SID not set for unix group 1001 check if your unix group is mapped to an NT group
    [2005/07/14 12:18:57, 0] utils/net_rpc_samsync.c:fetch_account_info(527)
      fetch_account: Running the command `/usr/local/sbin/smbldap-useradd -a -m 'IUSR_NT4'' gave 7
    Could not create posix account info for 'IUSR_NT4'
    Creating account: sales1
    Error: SID not set for unix group 1001 check if your unix group is mapped to an NT group
    [2005/07/14 12:18:58, 0] utils/net_rpc_samsync.c:fetch_account_info(527)
      fetch_account: Running the command `/usr/local/sbin/smbldap-useradd -a -m 'sales1'' gave 7
    Could not create posix account info for 'sales1'
    Creating account: sales2
    Error: SID not set for unix group 1001 check if your unix group is mapped to an NT group
    [2005/07/14 12:18:58, 0] utils/net_rpc_samsync.c:fetch_account_info(527)
      fetch_account: Running the command `/usr/local/sbin/smbldap-useradd -a -m 'sales2'' gave 7
    Could not create posix account info for 'sales2'
    Creating account: acct1
    Error: SID not set for unix group 1001 check if your unix group is mapped to an NT group
    [2005/07/14 12:18:59, 0] utils/net_rpc_samsync.c:fetch_account_info(527)
      fetch_account: Running the command
RE: [Samba] NT4 migration errors
Kevin B wrote:

Hi

I've setup samba 3.0.14 with the latest idealx scripts on FC3. Now I have a test lab to migrate from NT4 box which different than the standalone PDC I have running. Here's the order I used and my ldap and samba configs are clean as far as I can tell since I do get a partial migration.

When using 'net rpc vampire -S nt4 -W DOMAIN' it populates the groups from NT4 and shows the group membership but the users fail to come over. Here's what I've done so far. BTW SLES9 server. [continued below]

From a clean ldap database I add in the top level ldif:
--

Then ldapadd the preload ldif to be ready for the NT4 accounts:
--

It kind of looks like you are working off an old copy of the Samba3 by example book. Would that be right?

I just checked through some of the output in your post, and think that I am spot on with that assumption. You are using:

    add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'

In your smb.conf aren't you? It should be:

    add user script = /usr/local/sbin/smbldap-useradd -m '%u'

No *-a* flag. Samba now takes care of the samba attributes for a user. You only need the *-a* flag set if you are adding a user on the command line using the smbldap-adduser script.

Tah dah! ;-)

John T very kindly pointed this out to me when I was having problems. It's one of the small but infuriatingly important changes made to the book

Without looking too hard at what you are doing, I would suggest that you follow the online version where you'll see that the smbldap-tools make it very easy to set up the initial groups by doing the following:

Set up your smb.conf
Go to the smbldap-tools directory and run the configure.pl to configure the tools. The tools now pick up most of your settings from the smb.conf
Run the smbldap-populate script as per JHT's example (the reason that I suggest this is that it will reduce any human errors made in creating the initial ldif)

Then follow on as before, checking against the examples shown in the samba3 By Example book online:

Next add the smbpasswd to secrets.tdb.

Then grab the NT4 SID:

    net rpc getsid -S nt4 -W DOMAIN

[which succeeds and tdbdump shows it]

Now join the domain:

    net rpc join -S nt4 -W DOMAIN -U Administrator%34567

[it joins]

Now we migrate:

    net rpc vampire -S nt4 -W DOMAIN

I'd be interested to see if you still had problems after that.

Thanks in advance.

Kevin

Happy samba-ing,
Geoff
RE: [Samba] NT4 migration errors
Geoff kindly replied...

It kind of looks like you are working off an old copy of the Samba3 by example book. Would that be right?

Hello Geoff

Most likely. The samba site looks newer than the pdf I used. I'll try it.

I just checked through some of the output in your post, and think that I am spot on with that assumption. You are using:

    add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'

In your smb.conf aren't you? It should be:

    add user script = /usr/local/sbin/smbldap-useradd -m '%u'

No *-a* flag. Samba now takes care of the samba attributes for a user.

You are correct. I recall at one point I had to add the -a to fix some other problem. Sounds like my whole approach was a bit off [or maybe a byte] so that fix wasn't really relevant.

Without looking too hard at what you are doing, I would suggest that you follow the online version where you'll see that the smbldap-tools make it very easy to set up the initial groups by doing the following:

Set up your smb.conf
Go to the smbldap-tools directory and run the configure.pl to configure the tools. The tools now pick up most of your settings from the smb.conf
Run the smbldap-populate script as per JHT's example (the reason that I suggest this is that it will reduce any human errors made in creating the initial ldif)

Then follow on as before, checking against the examples shown in the samba3

I'd be interested to see if you still had problems after that.

Happy samba-ing,
Geoff

I wiped the ldap clean and did as you advised. Everything was looking good up to this point [step 16]:

    pc-00129:~ # net groupmap list
    Domain Admins (S-1-5-21-1348277581-813059936-1947940980-512) - 512
    Domain Users (S-1-5-21-1348277581-813059936-1947940980-513) - 513
    Domain Guests (S-1-5-21-1348277581-813059936-1947940980-514) - 514
    Domain Computers (S-1-5-21-1348277581-813059936-1947940980-515) - 515
    Administrators (S-1-5-32-544) - 544
    Account Operators (S-1-5-32-548) - 548
    Print Operators (S-1-5-32-550) - 550
    Backup Operators (S-1-5-32-551) - 551
    Replicators (S-1-5-32-552) - 552

The migration step result is different than before, but says it still fails to add the users -but- they were added. [current slapcat dump below] I see more of the samba objectclasses and attributes added but users are not listed in their group.

It also looks like the /home directory has everyone's $HOME but the uid and gid for each user is numeric instead of resolving the username and groupname [same as before btw].

Thanks for the help Geoff. If you have any more ideas let me know :]

Kevin

    net rpc vampire -S nt4 -W DOMAIN
    Fetching DOMAIN database
    Creating unix group: 'Domain Admins'
    /usr/local/sbin/smbldap-groupadd: group Domain Admins exists
    [2005/07/14 14:27:20, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Admins'' gave 6
    Creating unix group: 'Domain Users'
    /usr/local/sbin/smbldap-groupadd: group Domain Users exists
    [2005/07/14 14:27:20, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Users'' gave 6
    Creating unix group: 'Domain Guests'
    /usr/local/sbin/smbldap-groupadd: group Domain Guests exists
    [2005/07/14 14:27:21, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Guests'' gave 6
    Creating unix group: 'Sales'
    Creating unix group: 'Accounting'
    Creating account: Administrator
    Could not create posix account info for 'Administrator'
    Creating account: Guest
    Could not create posix account info for 'Guest'
    Creating account: NT4$
    Could not create posix account info for 'NT4$'
    Creating account: IUSR_NT4
    Could not create posix account info for 'IUSR_NT4'
    Creating account: sales1
    Could not create posix account info for 'sales1'
    Creating account: sales2
    Could not create posix account info for 'sales2'
    Creating account: acct1
    Could not create posix account info for 'acct1'
    Creating account: acct2
    Could not create posix account info for 'acct2'
    Creating account: sles9$
    Could not create posix account info for 'sles9$'
    [2005/07/14 14:27:32, 0] utils/net_rpc_samsync.c:fetch_group_mem_info(675)
      Could not find global group 512
    [2005/07/14 14:27:32, 0] utils/net_rpc_samsync.c:fetch_group_mem_info(675)
      Could not find global group 513
    [2005/07/14 14:27:32, 0] utils/net_rpc_samsync.c:fetch_group_mem_info(675)
      Could not find global group 514
    [2005/07/14 14:27:32, 0] utils/net_rpc_samsync.c:fetch_group_mem_info(675)
      Could not find global group 1006
    [2005/07/14 14:27:32, 0] utils/net_rpc_samsync.c:fetch_group_mem_info(675)
      Could not find global group 1007
    Fetching BUILTIN database
    skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain)
    Creating unix group: 'Account Operators'
    /usr/local/sbin/smbldap-groupadd: group Account Operators exists
    [2005/07/14 14:27:33, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command
[Samba] NT4 Migration Question
A client has an existing NT4 domain with several NT4 servers. Two of the NT4 Servers function as a PDC and a BDC.

We are installing Samba-3 on SuSE 9.0 Pro as a PDC with an LDAP backend, and decommissioning the NT4 PDC at the same time. So far, so good. We can also rebuild the old PDC hardware as a Samba-3 on SuSE 9.0 Pro BDC.

Unfortunately however, the NT4 BDC cannot be removed from the network for another six months, as it hosts a vertical application key to the business and used every day by some 100 users at the client. In addition, the configuration of this BDC is quite complex; reinstalling the OS and the vertical application would be a challenge and, given the various customizations to the vertical application, not likely to succeed.

Two questions then:

1. What are the implications of leaving this existing NT4 BDC in place with a new Linux-Samba-3 PDC (and possibly a new Linux-Samba BDC)?

2. Has anyone used UPromote, which claims to be able to demote an NT4 BDC to a member server without reinstalling the OS? (See http://utools.com/UPromote.asp for more info.)

Thanks!
Mark

--
L. Mark Stone
President
Reliable Networks of Maine, LLC
477 Congress Street, 5th Floor
Portland, ME 04107
Tel: (207) 772-5678
Cell: (917) 597-2057
Email: [EMAIL PROTECTED]
Web: http://www.RNoME.com
Re: [Samba] NT4 Migration Question
On Fri, 2004-03-05 at 08:53, L. Mark Stone wrote:
> A client has an existing NT4 domain with several NT4 servers. Two of the NT4 Servers function as a PDC and a BDC. We are installing Samba-3 on SuSE 9.0 Pro as a PDC with an LDAP backend, and decommissioning the NT4 PDC at the same time. So far, so good. We can also rebuild the old PDC hardware as a Samba-3 on SuSE 9.0 Pro BDC. Unfortunately however, the NT4 BDC cannot be removed from the network for another six months, as it hosts a vertical application key to the business and used every day by some 100 users at the client. In addition, the configuration of this BDC is quite complex; reinstalling the OS and the vertical application would be a challenge and, given the various customizations to the vertical application, not likely to succeed.
>
> Two questions then:
>
> 1. What are the implications of leaving this existing NT4 BDC in place with a new Linux-Samba-3 PDC (and possibly a new Linux-Samba BDC)?
> 2. Has anyone used UPromote, which claims to be able to demote an NT4 BDC to a member server without reinstalling the OS? (See http://utools.com/UPromote.asp for more info.)

Didn't know about #2 - interesting...

I am functioning with previous WinNT4 PDC unchanged after net rpc vampire operation with the exception that netlogon service has been disabled. Has been working - I cannot use the UserManager etc. tools from this machine though.

Craig
Re: [Samba] NT4 Migration Question
On Fri, 5 Mar 2004, L. Mark Stone wrote:
> A client has an existing NT4 domain with several NT4 servers. Two of the NT4 Servers function as a PDC and a BDC. We are installing Samba-3 on SuSE 9.0 Pro as a PDC with an LDAP backend, and decommissioning the NT4 PDC at the same time. So far, so good. We can also rebuild the old PDC hardware as a Samba-3 on SuSE 9.0 Pro BDC. Unfortunately however, the NT4 BDC cannot be removed from the network for another six months, as it hosts a vertical application key to the business and used every day by some 100 users at the client. In addition, the configuration of this BDC is quite complex; reinstalling the OS and the vertical application would be a challenge and, given the various customizations to the vertical application, not likely to succeed.
>
> Two questions then:
>
> 1. What are the implications of leaving this existing NT4 BDC in place with a new Linux-Samba-3 PDC (and possibly a new Linux-Samba BDC)?

The NT BDC will soon fall out of date with your Samba PDC (assuming you migrated the NT4 PDC to Samba-3). Samba-3 does not support the NT4 domain SAM replication protocols. You will soon have a broken network - unless you can demote the NT4 BDC to a Stand-Alone server (which will stop it from performing domain control functions such as network logon handling and SAM replication).

> 2. Has anyone used UPromote, which claims to be able to demote an NT4 BDC to a member server without reinstalling the OS? (See http://utools.com/UPromote.asp for more info.)

That's a neat tool. It looks like it will permit you to demote the BDC to a Stand-Alone server, but be careful! You may find that the vertical application requires support for certain protocols that may not be supported by a Samba domain controller.

You could test this by using Norton Ghost to clone the BDC, then demote the BDC using the UPromote tool, then test the application in a Samba domain. At least this will provide a conclusive answer.

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
Re: [Samba] NT4 Migration Question
Hi John!

On Fri, 2004-03-05 at 13:14, John H Terpstra wrote:
> On Fri, 5 Mar 2004, L. Mark Stone wrote:
> > A client has an existing NT4 domain with several NT4 servers. Two of the NT4 Servers function as a PDC and a BDC. We are installing Samba-3 on SuSE 9.0 Pro as a PDC with an LDAP backend, and decommissioning the NT4 PDC at the same time. So far, so good. We can also rebuild the old PDC hardware as a Samba-3 on SuSE 9.0 Pro BDC. Unfortunately however, the NT4 BDC cannot be removed from the network for another six months, as it hosts a vertical application key to the business and used every day by some 100 users at the client. In addition, the configuration of this BDC is quite complex; reinstalling the OS and the vertical application would be a challenge and, given the various customizations to the vertical application, not likely to succeed.
> >
> > Two questions then:
> >
> > 1. What are the implications of leaving this existing NT4 BDC in place with a new Linux-Samba-3 PDC (and possibly a new Linux-Samba BDC)?
>
> The NT BDC will soon fall out of date with your Samba PDC (assuming you migrated the NT4 PDC to Samba-3). Samba-3 does not support the NT4 domain SAM replication protocols. You will soon have a broken network - unless you can demote the NT4 BDC to a Stand-Alone server (which will stop it from performing domain control functions such as network logon handling and SAM replication).

Yup, we know that SAM replication isn't there between NT4 and Samba. The other option we've uncovered is to dcpromo the NT4 server to a PDC, migrate the accounts to the Samba server (which will also think it's the PDC), and then shut off LMAnnounce on the NT4 server via a registry entry. (we would decommission the other NT4 DC.) We may also try disabling the NT4's Server service as well.

The critical application relies on Exchange 5.5, which also runs on this NT4 server. We have been told that Exchange may fail if it wakes up after a reboot and finds it is no longer living on a DC.

So, turning off LMAnnounce (we believe) will result in the NT4 box thinking it is still a PDC, but no clients on the network will ever talk to it, so it will just be a lonely PDC. And if Exchange needs PDC services, those will still be available locally. The domain user accounts used by Exchange are not person-specific, so they will never change and we need not worry about maintaining perfect correlation between Samba and this NT4 box. We just need to make sure the NT4 box can't ever perform DC services on the domain.

> > 2. Has anyone used UPromote, which claims to be able to demote an NT4 BDC to a member server without reinstalling the OS? (See http://utools.com/UPromote.asp for more info.)
>
> That's a neat tool. It looks like it will permit you to demote the BDC to a Stand-Alone server, but be careful! You may find that the vertical application requires support for certain protocols that may not be supported by a Samba domain controller.

The app's domain needs are limited to moving files around between this box and three others via mapped drives. The box should still be able to browse the network, so I think we are probably OK. The trick bits for the app are the ways it moves and processes files through Exchange.

> You could test this by using Norton Ghost to clone the BDC, then demote the BDC using the UPromote tool, then test the application in a Samba domain. At least this will provide a conclusive answer.

I too like to have rollback options! If we did the dcpromo trick above, and it didn't work, we could always put the other NT4 DC (now the BDC) back online, run dcpromo again to make the problem NT4 box a BDC, and try your Ghost/UPromote trick (also reversible).

What do you think of the isolated PDC strategy above?

Thanks!
Mark

--
L. Mark Stone
President
Reliable Networks of Maine, LLC
477 Congress Street, 5th Floor
Portland, ME 04107
Tel: (207) 772-5678
Cell: (917) 597-2057
Email: [EMAIL PROTECTED]
Web: http://www.RNoME.com
Re: [Samba] NT4 Migration Question
On Fri, 2004-03-05 at 11:34, Craig White wrote:
> I am functioning with previous WinNT4 PDC unchanged after net rpc vampire operation with the exception that netlogon service has been disabled. Has been working - I cannot use the UserManager etc. tools from this machine though.

Because Exchange 5.5 also lives on this box, we are concerned that we will break Exchange if we disable the netlogon service. But it's good to know that someone else is suffering through this successfully!

Thanks!
Mark

--
L. Mark Stone
President
Reliable Networks of Maine, LLC
477 Congress Street, 5th Floor
Portland, ME 04107
Tel: (207) 772-5678
Cell: (917) 597-2057
Email: [EMAIL PROTECTED]
Web: http://www.RNoME.com
Re: [Samba] NT4 Migration Question
On Fri, 2004-03-05 at 14:08, L. Mark Stone wrote:
> On Fri, 2004-03-05 at 11:34, Craig White wrote:
> > I am functioning with previous WinNT4 PDC unchanged after net rpc vampire operation with the exception that netlogon service has been disabled. Has been working - I cannot use the UserManager etc. tools from this machine though.
>
> Because Exchange 5.5 also lives on this box, we are concerned that we will break Exchange if we disable the netlogon service. But it's good to know that someone else is suffering through this successfully!

---
I'll bet you $1 that this works

Craig
Re: [Samba] NT4 Migration Question
On Fri, 5 Mar 2004, L. Mark Stone wrote:
> Hi John!
>
> On Fri, 2004-03-05 at 13:14, John H Terpstra wrote:
> > On Fri, 5 Mar 2004, L. Mark Stone wrote:
> > > A client has an existing NT4 domain with several NT4 servers. Two of the NT4 Servers function as a PDC and a BDC. We are installing Samba-3 on SuSE 9.0 Pro as a PDC with an LDAP backend, and decommissioning the NT4 PDC at the same time. So far, so good. We can also rebuild the old PDC hardware as a Samba-3 on SuSE 9.0 Pro BDC. Unfortunately however, the NT4 BDC cannot be removed from the network for another six months, as it hosts a vertical application key to the business and used every day by some 100 users at the client. In addition, the configuration of this BDC is quite complex; reinstalling the OS and the vertical application would be a challenge and, given the various customizations to the vertical application, not likely to succeed.
> > >
> > > Two questions then:
> > >
> > > 1. What are the implications of leaving this existing NT4 BDC in place with a new Linux-Samba-3 PDC (and possibly a new Linux-Samba BDC)?
> >
> > The NT BDC will soon fall out of date with your Samba PDC (assuming you migrated the NT4 PDC to Samba-3). Samba-3 does not support the NT4 domain SAM replication protocols. You will soon have a broken network - unless you can demote the NT4 BDC to a Stand-Alone server (which will stop it from performing domain control functions such as network logon handling and SAM replication).
>
> Yup, we know that SAM replication isn't there between NT4 and Samba. The other option we've uncovered is to dcpromo the NT4 server to a PDC, migrate the accounts to the Samba server (which will also think it's the PDC), and then shut off LMAnnounce on the NT4 server via a registry entry. (we would decommission the other NT4 DC.) We may also try disabling the NT4's Server service as well.
>
> The critical application relies on Exchange 5.5, which also runs on this NT4 server. We have been told that Exchange may fail if it wakes up after a reboot and finds it is no longer living on a DC.
>
> So, turning off LMAnnounce (we believe) will result in the NT4 box thinking it is still a PDC, but no clients on the network will ever talk to it, so it will just be a lonely PDC. And if Exchange needs PDC services, those will still be available locally. The domain user accounts used by Exchange are not person-specific, so they will never change and we need not worry about maintaining perfect correlation between Samba and this NT4 box. We just need to make sure the NT4 box can't ever perform DC services on the domain.

Exchange 5.5 can be made to work with a Samba PDC. You will need to search the Samba mailing list archives to find clear instructions someone once posted on how to effect this.

Do not mess with the NT4 registry or the Server service - this will potentially cripple your BDC server. Fortunately, a BDC will not change the SAM database, rather an NT4 BDC creates on the BDC a SAM delta file. The BDC depends on the PDC SAM replication service to synchronize that delta file to the PDC where it can be applied to the PDC SAM. The PDC SAM replication service then pushes that change back to the BDCs.

This means that if Samba-3 is your PDC and you use an NT4 BDC you can lose machine security account password changes. This can result in breakdown in network security. The Samba-Team official line on NT4 PDC / Samba-3 BDC, or Samba-3 PDC and NT4 BDC, is that this can not work.

You could isolate your BDC from the rest of the network, then promote it to a PDC. That will make Exchange happy and should keep your application happy, but it also disconnects the NT4 system from communication with the rest of the network.

If the NT4 server must have network connectivity (interoperability) it should be demoted from being a BDC to a Stand-Alone server, then rejoin it to the Samba-3 domain. When you have done this, you will need to make registry changes so that Exchange can find the Samba-3 DCs. The main concern is not the domain control protocols - but rather what services the application you have referred to needs.

> > > 2. Has anyone used UPromote, which claims to be able to demote an NT4 BDC to a member server without reinstalling the OS? (See http://utools.com/UPromote.asp for more info.)
> >
> > That's a neat tool. It looks like it will permit you to demote the BDC to a Stand-Alone server, but be careful! You may find that the vertical application requires support for certain protocols that may not be supported by a Samba domain controller.
>
> The app's domain needs are limited to moving files around between this box and three others via mapped drives. The box should still be able to browse the network, so I think we are probably OK. The trick bits for the app are the ways it moves and processes files through Exchange.

Are you sure that the application does not use any RPC calls to the domain? You
Re: [Samba] NT4 Migration Question
On Fri, 5 Mar 2004, Craig White wrote:
> On Fri, 2004-03-05 at 14:08, L. Mark Stone wrote:
> > On Fri, 2004-03-05 at 11:34, Craig White wrote:
> > > I am functioning with previous WinNT4 PDC unchanged after net rpc vampire operation with the exception that netlogon service has been disabled. Has been working - I cannot use the UserManager etc. tools from this machine though.
> >
> > Because Exchange 5.5 also lives on this box, we are concerned that we will break Exchange if we disable the netlogon service. But it's good to know that someone else is suffering through this successfully!
>
> ---
> I'll bet you $1 that this works

If that works then it should be possible to run the NT4 (ex: BDC demoted using the Upromote tool) as a domain member server of a Samba-3 domain.

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
Re: [Samba] NT4 Migration - Samba 3.0.2a + LDAP
On Mon, 2004-02-16 at 16:35, Beast wrote:
> * Andrew Bartlett [EMAIL PROTECTED] wrote:
> > On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> > > Hi! How can I maintain users old NT RIDs while migrating to Samba PDC when they start from 1000. The RID to UID conversion algorithm is RID = 2 * UID + 1000 so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix. Maintaining the old RIDs is essential for migrating on-the-fly, because re-adding hundreds of computers to domain and losing local user profiles is not an option.
>
> The only way to achieve this requirement is to use pwdump on NT PDC.

I don't see how this is relevant. 'net rpc vampire' gets the passwords very nicely and migrates much more than pwdump. As I said, in particular it gets the SIDs right.

> From there you'll get old RID and hashes for machine+useraccount. Beware that pwdump sometimes can not retrieve the hashes and hashes for machine is not correct if machine is joined more than x months. x = unknown value, maybe 1 or 2.

The issue would no doubt be the same for 'net rpc vampire', as they read the same password database.

> Thanks for asking, I have similar questions. Is there any (big) company migrate from NT4 to samba3 (with at least 500 clients)? How they migrate? build fresh domain name or using existing domain name? How they avoid re-join all clients? Anybody here using samba 3 on production with 500 win clients?

They use 'net rpc vampire', as documented in the HOWTO. This ensures that the SIDs are accurate, as are the passwords. The clients should not be able to tell the difference (or won't care, once you get the fundamentals right)

You need to use 'ldapsam' or 'tdbsam', you cannot use smbpasswd. Both backends can store arbitrary RIDs, to satisfy exactly this requirement.

Andrew Bartlett
--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] NT4 Migration - Samba 3.0.2a + LDAP
* Andrew Bartlett [EMAIL PROTECTED] wrote:
> On Mon, 2004-02-16 at 16:35, Beast wrote:
> > * Andrew Bartlett [EMAIL PROTECTED] wrote:
> > > On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> > > > Hi! How can I maintain users old NT RIDs while migrating to Samba PDC when they start from 1000. The RID to UID conversion algorithm is RID = 2 * UID + 1000 so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix. Maintaining the old RIDs is essential for migrating on-the-fly, because re-adding hundreds of computers to domain and losing local user profiles is not an option.
> >
> > The only way to achieve this requirement is to use pwdump on NT PDC.
>
> I don't see how this is relevant. 'net rpc vampire' gets the passwords very nicely and migrates much more than pwdump. As I said, in particular it gets the SIDs right.

OK, Thanks. I'll try it again. Last time vampiring my NT (with samba 3.0.1), the samba password attribute was only filled with 'XXX' (it was from smb-ldaptools I guess).

With pwdump, you get the full control of account creation as well as any necessary attributes. Good if you already have account stored on ldap for another purpose.

> > From there you'll get old RID and hashes for machine+useraccount. Beware that pwdump sometimes can not retrieve the hashes and hashes for machine is not correct if machine is joined more than x months. x = unknown value, maybe 1 or 2.
>
> The issue would no doubt be the same for 'net rpc vampire', as they read the same password database.

Last week migrating my smallest site with 60+ pc clients, only 1 (one) machine which is joined recently is able to login, other need to rejoin to NT domain and then obtain the new machine password with pwdump. Random sample from other site which machine was joined more than 6 months old get same results. It was strange, renaming machine name won't change the password also.

So far I've found no problem with account password. Bugs or expected behaviour?

> You need to use 'ldapsam' or 'tdbsam', you cannot use smbpasswd. Both backends can store arbitrary RIDs, to satisfy exactly this requirement.

I use ldapsam only.

> Andrew Bartlett

Tks.

--beast
Re: [Samba] NT4 Migration - Samba 3.0.2a + LDAP
* Andrew Bartlett [EMAIL PROTECTED] wrote:
> On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> > Hi! How can I maintain users old NT RIDs while migrating to Samba PDC when they start from 1000. The RID to UID conversion algorithm is RID = 2 * UID + 1000 so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix. Maintaining the old RIDs is essential for migrating on-the-fly, because re-adding hundreds of computers to domain and losing local user profiles is not an option.

The only way to achieve this requirement is to use pwdump on NT PDC. From there you'll get old RID and hashes for machine+useraccount. Beware that pwdump sometimes can not retrieve the hashes and hashes for machine is not correct if machine is joined more than x months. x = unknown value, maybe 1 or 2.

Thanks for asking, I have similar questions. Is there any (big) company migrate from NT4 to samba3 (with at least 500 clients)? How they migrate? build fresh domain name or using existing domain name? How they avoid re-join all clients? Anybody here using samba 3 on production with 500 win clients?

> Samba will first try to match names to SIDs via getpwnam(). If you are concerned by the algorithmic assignment of SIDs conflicting with the NT4 sids, then you might want to use 'algorithmic rid base = large number' to 'push' the algorithmic RIDs higher.

This is not answer the original questions, IMO. Using new rid will force user to create new profile instead of using old profile, even if domain SID and domain Name is same. Any acl which based on old rid will be mark as 'unknown account'.

> Andrew Bartlett
> --
> Andrew Bartlett [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
> Student Network Administrator, Hawker College [EMAIL PROTECTED]
> http://samba.org http://build.samba.org http://hawkerc.net

--beast
[Samba] NT4 Migration - Samba 3.0.2a + LDAP
Hi!

How can I maintain users old NT RIDs while migrating to Samba PDC when they start from 1000. The RID to UID conversion algorithm is RID = 2 * UID + 1000 so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix. Maintaining the old RIDs is essential for migrating on-the-fly, because re-adding hundreds of computers to domain and losing local user profiles is not an option.

Any help with this is appreciated!

-- Pirkka
Re: [Samba] NT4 Migration - Samba 3.0.2a + LDAP
On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> Hi! How can I maintain users old NT RIDs while migrating to Samba PDC when they start from 1000. The RID to UID conversion algorithm is RID = 2 * UID + 1000 so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix. Maintaining the old RIDs is essential for migrating on-the-fly, because re-adding hundreds of computers to domain and losing local user profiles is not an option.

Samba will first try to match names to SIDs via getpwnam(). If you are concerned by the algorithmic assignment of SIDs conflicting with the NT4 sids, then you might want to use 'algorithmic rid base = large number' to 'push' the algorithmic RIDs higher.

Andrew Bartlett
--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
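Added example, not part of the thread and not Samba's own code: it applies the formula quoted in the question (RID = 2 * UID + 1000) to find migrated NT4 RIDs that coincide with the algorithmic RID of a different Unix account, and shows the effect of raising `algorithmic rid base` as the reply suggests. The account names, RIDs, uids and function names are constructed for illustration, and it assumes accounts migrated into ldapsam or tdbsam keep their stored NT4 RID.

```python
"""Check preserved NT4 RIDs against Samba's algorithmic RID range.

All account names, RIDs and uids below are constructed sample data.
"""

DEFAULT_RID_BASE = 1000  # base in the thread's formula: RID = 2 * UID + 1000

# Constructed sample: RIDs as they would be carried over from the NT4 SAM.
NT4_RIDS = {
    "Administrator": 500, "Guest": 501,
    "sales1": 1000, "sales2": 1002, "acct1": 1003, "acct2": 1004,
}
# Constructed sample: Unix accounts on the new Samba server.
UNIX_UIDS = {"root": 0, "daemon": 1, "bin": 2, "backup": 34, "sales1": 1001}


def algorithmic_rid(uid, rid_base=DEFAULT_RID_BASE):
    """RID derived from a Unix uid when no RID is stored for the account."""
    return 2 * uid + rid_base


def find_collisions(nt4_rids, unix_uids, rid_base=DEFAULT_RID_BASE):
    """List (nt4_name, rid, unix_name, uid) where a migrated NT4 RID equals
    the algorithmic RID of a different Unix account.

    Assumption: Unix accounts that also appear in nt4_rids keep their stored
    NT4 RID, so no RID is derived for them and they are skipped.
    """
    derived = {
        algorithmic_rid(uid, rid_base): (name, uid)
        for name, uid in unix_uids.items()
        if name not in nt4_rids
    }
    hits = []
    for nt4_name, rid in sorted(nt4_rids.items(), key=lambda kv: kv[1]):
        if rid in derived:
            unix_name, uid = derived[rid]
            hits.append((nt4_name, rid, unix_name, uid))
    return hits


def suggest_rid_base(nt4_rids, step=1000):
    """Smallest multiple of `step` strictly above every migrated RID.

    Every algorithmic RID is >= the base, so a base above the highest NT4
    RID rules out a collision for any uid.
    """
    highest = max(nt4_rids.values())
    return (highest // step + 1) * step


if __name__ == "__main__":
    for nt4_name, rid, unix_name, uid in find_collisions(NT4_RIDS, UNIX_UIDS):
        print(f"RID {rid}: NT4 account {nt4_name!r} shares a SID with "
              f"Unix account {unix_name!r} (uid {uid})")
    base = suggest_rid_base(NT4_RIDS)
    print(f"algorithmic rid base = {base}")
    print("collisions after change:",
          find_collisions(NT4_RIDS, UNIX_UIDS, base))
```

A shared RID means two principals resolve to the same SID, so an ACL entry written for the migrated user also matches the Unix account; with the sample data the first hit is the RID 1000 / root case the question describes.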
[Fwd: Re: [Samba] NT4 migration]
[Samba] NT4 migration
Hi

I am using samba-3.0.0beta3-1.i386.rpm on RedHat 9... trying to migrate from NT4 PDC to Samba PDC... reading the HOW-TO document at step 6 which is net rpc vampire... Unsuccessful...

when I do

#net rpc vampire -S NTSERVER -U Administrator%password

All NT users are created in /etc/passwd file and also home directories created without any problem..but only few user entries are created in smbpasswd file!!!. I see following error messages for which user entries are not created in smbpasswd file...

Treat user1 as a user name for which entry in smbpasswd is not created..but I can see user1 in /etc/passwd and also directory is created under /home/user1

Creating account: user1
[2003/07/17 13:29:01, 0] passdb/pdb_smbpasswd.c:build_smb_pass(1129)
  build_sam_pass: Failing attempt to store user with non-uid based user RID.
[2003/07/17 13:29:01, 1] utils/net_rpc_samsync.c:fetch_account_info(467)
  SAM Account for user1 failed to be added to the passdb!

This above error eventually means the user entries which are not created in smbpasswd file cannot log in to Samba PDC

with Best Regards
YS