Re: [Samba] NT4 Migration - Samba 3.0.2a + LDAP

2004-02-16 Thread Andrew Bartlett
On Mon, 2004-02-16 at 16:35, Beast wrote:
> * Andrew Bartlett [EMAIL PROTECTED] wrote:
>
> > On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> > > Hi!
> > >
> > > How can I maintain users' old NT RIDs while migrating to Samba PDC when they
> > > start from 1000? The RID to UID conversion algorithm is RID = 2 * UID + 1000
> > > so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix.
> > > Maintaining the old RIDs is essential for migrating on-the-fly, because
> > > re-adding hundreds of computers to domain and losing local user profiles is
> > > not an option.
>
> The only way to achieve this requirement is to use pwdump on NT PDC.

I don't see how this is relevant.  'net rpc vampire' gets the passwords
very nicely and migrates much more than pwdump.  As I said, in
particular it gets the SIDs right.

> From there you'll get old RID and hashes for machine+useraccount.
> Beware that pwdump sometimes can not retrieve the hashes and hashes for machine is
> not correct if machine is joined more than x months.
>
> x = unknown value, maybe 1 or 2.

The issue would no doubt be the same for 'net rpc vampire', as they read
the same password database.

> Thanks for asking, I have similar questions. Is there any (big)
> company migrate from NT4 to samba3 (with at least 500 clients)?
> How they migrate? build fresh domain name or using existing domain
> name? How they avoid re-join all clients?
>
> Anybody here using samba 3 on production with  500 win clients?

They use 'net rpc vampire', as documented in the HOWTO.  This ensures
that the SIDs are accurate, as are the passwords.  The clients should
not be able to tell the difference (or won't care, once you get the
fundamentals right)

You need to use 'ldapsam' or 'tdbsam', you cannot use smbpasswd.  Both
backends can store arbitrary RIDs, to satisfy exactly this requirement.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] NT4 Migration - Samba 3.0.2a + LDAP

2004-02-16 Thread Beast
* Andrew Bartlett [EMAIL PROTECTED] wrote:

> On Mon, 2004-02-16 at 16:35, Beast wrote:
> > * Andrew Bartlett [EMAIL PROTECTED] wrote:
> >
> > > On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> > > > Hi!
> > > >
> > > > How can I maintain users' old NT RIDs while migrating to Samba PDC when they
> > > > start from 1000? The RID to UID conversion algorithm is RID = 2 * UID + 1000
> > > > so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix.
> > > > Maintaining the old RIDs is essential for migrating on-the-fly, because
> > > > re-adding hundreds of computers to domain and losing local user profiles is
> > > > not an option.
> >
> > The only way to achieve this requirement is to use pwdump on NT PDC.
>
> I don't see how this is relevant.  'net rpc vampire' gets the passwords
> very nicely and migrates much more than pwdump.  As I said, in
> particular it gets the SIDs right.

OK, Thanks. I'll try it again. Last time vampiring my NT (with samba 3.0.1), the samba
password attribute was only filled with 'XXX' (it was from smb-ldaptools I guess)

With pwdump, you get the full control of account creation as well as any necessary
attributes. Good if you already have account stored on ldap for another purpose.

> > From there you'll get old RID and hashes for machine+useraccount.
> > Beware that pwdump sometimes can not retrieve the hashes and hashes for machine is
> > not correct if machine is joined more than x months.
> >
> > x = unknown value, maybe 1 or 2.
>
> The issue would no doubt be the same for 'net rpc vampire', as they read
> the same password database.

Last week migrating my smallest site with 60+ pc clients, only 1 (one) machine which
is joined recently is able to login, other need to rejoin to NT domain and then obtain
the new machine password with pwdump.
Random sample from other site which machine was joined more than 6 months old get same
results.
It was strange, renaming machine name won't change the password also. So far I've
found no problem with account password.
Bugs or expected behaviour?

> You need to use 'ldapsam' or 'tdbsam', you cannot use smbpasswd.  Both
> backends can store arbitrary RIDs, to satisfy exactly this requirement.

I use ldapsam only.

> Andrew Bartlett

Tks.

--beast



Re: [Samba] NT4 Migration - Samba 3.0.2a + LDAP

2004-02-15 Thread Beast
* Andrew Bartlett [EMAIL PROTECTED] wrote:

> On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> > Hi!
> >
> > How can I maintain users' old NT RIDs while migrating to Samba PDC when they
> > start from 1000? The RID to UID conversion algorithm is RID = 2 * UID + 1000
> > so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix.
> > Maintaining the old RIDs is essential for migrating on-the-fly, because
> > re-adding hundreds of computers to domain and losing local user profiles is
> > not an option.

The only way to achieve this requirement is to use pwdump on NT PDC.
From there you'll get old RID and hashes for machine+useraccount.
Beware that pwdump sometimes can not retrieve the hashes and hashes for machine is not
correct if machine is joined more than x months.

x = unknown value, maybe 1 or 2.

Thanks for asking, I have similar questions. Is there any (big) company migrate from
NT4 to samba3 (with at least 500 clients)? How they migrate? build fresh domain name
or using existing domain name? How they avoid re-join all clients?

Anybody here using samba 3 on production with  500 win clients?

> Samba will first try to match names to SIDs via getpwnam().
>
> If you are concerned by the algorithmic assignment of SIDs conflicting
> with the NT4 sids, then you might want to use 'algorithmic rid base =
> large number' to 'push' the algorithmic RIDs higher.

This does not answer the original questions, IMO.
Using new rid will force user to create new profile instead of using old profile, even
if domain SID and domain Name is same. Any acl which is based on old rid will be marked as
'unknown account'.

> Andrew Bartlett
>
> --
> Andrew Bartlett [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
> Student Network Administrator, Hawker College   [EMAIL PROTECTED]
> http://samba.org http://build.samba.org http://hawkerc.net
 



--beast



[Samba] NT4 Migration - Samba 3.0.2a + LDAP

2004-02-14 Thread Pirkka Luukkonen
Hi!

How can I maintain users' old NT RIDs while migrating to Samba PDC when they
start from 1000? The RID to UID conversion algorithm is RID = 2 * UID + 1000
so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix.
Maintaining the old RIDs is essential for migrating on-the-fly, because
re-adding hundreds of computers to domain and losing local user profiles is
not an option.

Any help with this is appreciated!

--
Pirkka



Re: [Samba] NT4 Migration - Samba 3.0.2a + LDAP

2004-02-14 Thread Andrew Bartlett
On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> Hi!
>
> How can I maintain users' old NT RIDs while migrating to Samba PDC when they
> start from 1000? The RID to UID conversion algorithm is RID = 2 * UID + 1000
> so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix.
> Maintaining the old RIDs is essential for migrating on-the-fly, because
> re-adding hundreds of computers to domain and losing local user profiles is
> not an option.

Samba will first try to match names to SIDs via getpwnam().  

If you are concerned by the algorithmic assignment of SIDs conflicting
with the NT4 sids, then you might want to use 'algorithmic rid base =
large number' to 'push' the algorithmic RIDs higher.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
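
The collision raised in this thread (an imported NT4 RID of 1000 landing on root under RID = 2 * UID + 1000) and the 'algorithmic rid base' suggestion can be checked before a migration. This is an added example, not code from the thread or from the Samba project; the account names, UIDs, RIDs and helper names are constructed for illustration.

```python
# Added example: compare imported NT4 RIDs with algorithmic RIDs.
# All account data below is constructed, not taken from a real domain.
DEFAULT_RID_BASE = 1000  # base in the thread's formula RID = 2 * UID + 1000

NT4_RIDS = {"alice": 1000, "guestsvc": 1001, "bob": 1004, "WS01$": 1010}
UNIX_UIDS = {"root": 0, "daemon": 1, "bin": 2, "alice": 500}


def algorithmic_user_rid(uid, base=DEFAULT_RID_BASE):
    """RID that the algorithmic mapping assigns to a Unix UID."""
    return 2 * uid + base


def rid_to_uid(rid, base=DEFAULT_RID_BASE):
    """Inverse mapping; None if the RID cannot be an algorithmic user RID."""
    offset = rid - base
    if offset < 0 or offset % 2:
        return None
    return offset // 2


def find_collisions(nt4_rids, unix_uids, base=DEFAULT_RID_BASE):
    """List (nt4_name, rid, unix_name, uid) where an imported RID is also the
    algorithmic RID of a differently named Unix account."""
    by_uid = {uid: name for name, uid in unix_uids.items()}
    hits = []
    for name, rid in sorted(nt4_rids.items(), key=lambda kv: kv[1]):
        uid = rid_to_uid(rid, base)
        if uid in by_uid and by_uid[uid] != name:
            hits.append((name, rid, by_uid[uid], uid))
    return hits


def min_safe_base(nt4_rids):
    """Smallest even base above every imported RID (assumption: kept even so
    RID parity is the same as with the default base of 1000)."""
    top = max(nt4_rids.values())
    return top + 2 - (top % 2)


if __name__ == "__main__":
    print("root maps to RID", algorithmic_user_rid(UNIX_UIDS["root"]))
    print("collisions at base 1000:", find_collisions(NT4_RIDS, UNIX_UIDS))
    base = min_safe_base(NT4_RIDS)
    print("algorithmic rid base =", base, "->",
          find_collisions(NT4_RIDS, UNIX_UIDS, base))
```

Raising the base only moves the algorithmic RIDs out of the way; the imported accounts keep their old RIDs because 'ldapsam' and 'tdbsam' store them explicitly, as noted elsewhere in the thread.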


signature.asc
Description: This is a digitally signed message part
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba