[Samba] net rpc vampire problems
I am trying to vampire the account database from my NT 4 DC (that has SP6A installed). The DC's name is nemesis. The samba computer's name is mjollnir. The directions seem trivial:

1.) Join the Domain as a BDC with:

    net rpc join -S nemesis -W WHSD -U Administrator

this worked fine and I can see the computer listed in server manager with type Windows NT Backup

2.) Run the vampire command:

    net rpc vampire -S nemesis -U Administrator -W WHSD

this returns:

    Fetching DOMAIN database
    Failed to fetch domain database: NT_STATUS_INVALID_COMPUTER_NAME

I've tried this on another NT 4 DC in a different domain with the same results. Am I missing a step? It seems like my situation would be the default for this and that everyone would be getting this error yet I can't find it documented anywhere. I'd really like to get these domains moved to samba and really appreciate any help.

My smb.conf is:

    [global]
    workgroup = WHSD
    server string = mjollnir server
    netbios name = MJOLLNIR
    printcap name = /etc/printcap
    load printers = yes
    log file = /var/log/samba/log.%m
    max log size = 50
    security = USER
    #security = DOMAIN
    #password server = GENESIS
    encrypt passwords = true
    passdb backend = tdbsam
    #smb passwd file = /etc/samba/smbpasswd
    allow trusted domains = No
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    domain logons = Yes
    domain master = No
    preferred master = no
    #wins server = 10.1.2.2
    dns proxy = no
    log level = 3
    add user script = /usr/sbin/useradd -m '%u'
    add group script = /usr/sbin/groupadd '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
    client schannel = no

    [netlogon]
    path = /var/lib/samba/netlogon
    guest ok = Yes
    locking = No

    [tmp]
    path = /var/lib/samba/tmp
    read only = no
    browseable = no
    guest ok = yes

I've attached the output of:

    net rpc vampire -S nemesis -U Administrator -W WHSD -d 10

to this message in case it is helpful in any way.
[Samba] net rpc vampire problems
Hi guys,

I'm trying to fix this issue with creating machine accounts from net rpc vampire, just to confirm from the looks of things, this command actually calls the add machine script value from smb.conf? So it doesn't pass through a password to this..?

I'm not sure how the script would be getting a password as the recommended value for the line was:

    add machine script = /usr/local/sbin/smbldap-useradd -w '%u'

Which I assume is username for COMP1$ COMP2$ etc... so how do machine accounts (theoretically) get labelled with their LM / NT hashes?

Regards
Eric

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] net rpc vampire problems
> But if I use lowercase, it works. I wasn't aware of a restriction on
> creating uppercase usernames. Is this supposed to happen?
> Anyone else know why my machine accounts aren't getting migrated?
> Pretty please?

Dan,

What flavor of Linux are you using?

I just did a migration using Samba 3.0 and RedHat ES 3.0. I ran into the same problem. That is because RedHat does not allow you to create user names with uppercase letters. The other problem I had was with group names. The way I got around it was to write my own scripts that change the machine name from upper to lower case. I put the reference in the smb.conf:

    add machine script = xx.sh

This is the script:

    #!/bin/sh
    # Script to add machines

    # Checks to see if a command line argument was passed
    if [ $# -eq 0 ]
    then
        echo .
        echo "Did not pass an argument on the command line"
        echo "usage: conv.sh \"THIS is a TEST\""
        echo .
        exit 1
    fi

    # Takes the command line argument, replaces spaces with underscores
    # and converts it to lower case
    lower=`echo "$1" | sed 'y/[ABCDEFGHIJKLMNOPQRSTUVWXYZ ]/[abcdefghijklmnopqrstuvwxyz_]/'`

    # This is the section in which you call useradd and pass the Unix compliant name
    /usr/sbin/useradd -g machines -s /sbin/nologin -d /dev/null "$lower"
    exit 0

> It doesn't make any difference if I run the above script or not. The
> creation of the machine trust account still fails. Interestingly, if I
> run manually:
>
>     useradd DKASAK$
>
> I get the error:
>
>     useradd: invalid user name 'DKASAK$'
>
> But if I use lowercase, it works. I wasn't aware of a restriction on
> creating uppercase usernames. Is this supposed to happen?
> Anyone else know why my machine accounts aren't getting migrated?
> Pretty please?
>
> Dan
>
> --
> Daniel Kasak
> IT Developer
> NUS Consulting Group
> Level 5, 77 Pacific Highway
> North Sydney, NSW, Australia 2060
> T: (+61) 2 9922-7676 / F: (+61) 2 9922 7989
> email: [EMAIL PROTECTED]
> website: http://www.nusconsulting.com.au
Re: [Samba] net rpc vampire problems
[EMAIL PROTECTED] wrote:

>> But if I use lowercase, it works. I wasn't aware of a restriction on
>> creating uppercase usernames. Is this supposed to happen?
>> Anyone else know why my machine accounts aren't getting migrated?
>> Pretty please?
>
> Dan,
>
> What flavor of Linux are you using.

I'm running Gentoo ( current ).

> I just did a migration using Samba 3.0 and RedHat ES 3.0. I ran into
> the same problem. That is because RedHat does not allow you to create
> user names with uppercase letters.

I tried the script below. I had to edit out an extra '_' at the end of the sed bit. The command works great if I run it myself from a console, but when I point the add user script at it, I still get the same problem, but only about 50% of the time ... some accounts are getting created.

However NONE of the machine accounts created let me log into the new domain from a PC that was already on the old network - I still get the 'this machine's account is missing or the password is wrong' error.

Maybe someone can satisfy my curiosity here... WTF is supposed to be going on in the machine account creation? The adduser script is called ( which in my case doesn't work ). So say I have created these machine accounts by hand already. What's next? The password bit, right? Can I do this myself too? Where does the machine account's password go ... in /etc/shadow? Can I get it from somewhere and add it myself?

On a side note, the not-being-able-to-create-uppercase-usernames issue needs to be fixed...

Anyway, thanks to those that have helped so far.

> The other problem I had was with group names. The way I got around it
> was to write my own scripts that change the machine name from upper to
> lower case. I put the reference in the smb.conf:
>
>     add machine script = xx.sh
>
> This is the script:
>
>     #!/bin/sh
>     # Script to add machines
>
>     # Checks to see if a command line argument was passed
>     if [ $# -eq 0 ]
>     then
>         echo .
>         echo "Did not pass an argument on the command line"
>         echo "usage: conv.sh \"THIS is a TEST\""
>         echo .
>         exit 1
>     fi
>
>     # Takes the command line argument, replaces spaces with underscores
>     # and converts it to lower case
>     lower=`echo "$1" | sed 'y/[ABCDEFGHIJKLMNOPQRSTUVWXYZ ]/[abcdefghijklmnopqrstuvwxyz_]/'`
>
>     # This is the section in which you call useradd and pass the Unix compliant name
>     /usr/sbin/useradd -g machines -s /sbin/nologin -d /dev/null "$lower"
>     exit 0
>
>> It doesn't make any difference if I run the above script or not. The
>> creation of the machine trust account still fails. Interestingly, if I
>> run manually:
>>
>>     useradd DKASAK$
>>
>> I get the error:
>>
>>     useradd: invalid user name 'DKASAK$'
>>
>> But if I use lowercase, it works. I wasn't aware of a restriction on
>> creating uppercase usernames. Is this supposed to happen?
>> Anyone else know why my machine accounts aren't getting migrated?
>> Pretty please?
>>
>> Dan

--
Daniel Kasak
IT Developer
NUS Consulting Group
Level 5, 77 Pacific Highway
North Sydney, NSW, Australia 2060
T: (+61) 2 9922-7676 / F: (+61) 2 9922 7989
email: [EMAIL PROTECTED]
website: http://www.nusconsulting.com.au
[Samba] net rpc vampire problems
Looks like you don't have group maps done

So execute following script for group mapping then do vampire...

    #!/bin/bash
    #### Keep this as a shell script for future re-use

    # First assign well known groups
    net groupmap modify ntgroup="Account Operators" unixgroup=root
    net groupmap modify ntgroup="Administrators" unixgroup=root
    net groupmap modify ntgroup="Backup Operators" unixgroup=bin
    net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins
    net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
    net groupmap modify ntgroup="Domain Users" unixgroup=users
    net groupmap modify ntgroup="Guests" unixgroup=nobody
    net groupmap modify ntgroup="Power Users" unixgroup=sys
    net groupmap modify ntgroup="Print Operators" unixgroup=lp
    net groupmap modify ntgroup="Replicators" unixgroup=daemon
    net groupmap modify ntgroup="System Operators" unixgroup=sys
    net groupmap modify ntgroup="Users" unixgroup=users
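A pre-flight check for the group-mapping advice in the reply above, added here as an example that is not part of the original thread: it reads "net groupmap list" output and reports NT groups with no usable Unix group, the condition behind the "Could not find unix group 4294967295" error reported in this thread (4294967295 is -1 as an unsigned 32-bit gid). The "name (SID) -> unixgroup" line format, "-1" as the unmapped marker, the sample mappings and the function names are assumptions.

```shell
#!/bin/sh
# Added example: flag NT groups that have no usable Unix group before running
# `net rpc vampire`. Input is `net groupmap list`-style text on stdin.
# Assumed line format: NT name (SID) -> unixgroup, with "-1" meaning unmapped.

# Constructed sample. The domain SID is the one in the thread's error message;
# the mappings themselves are made up for illustration.
SAMPLE='Domain Admins (S-1-5-21-667748849-896033114-1233803906-512) -> ntadmins
Domain Users (S-1-5-21-667748849-896033114-1233803906-513) -> -1
Domain Guests (S-1-5-21-667748849-896033114-1233803906-514) -> nobody
Print Operators (S-1-5-32-550) -> lp'

# True when the Unix group exists in the local group database.
group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# Prints "RID<TAB>NT group<TAB>reason" for every mapping that would leave
# migrated accounts without a valid primary group.
unmapped_groups() {
    sed -n 's/^\(.*\) (S-[0-9-]*-\([0-9][0-9]*\)) -> \(.*\)$/\2|\1|\3/p' |
    while IFS='|' read -r rid name unix; do
        case "$unix" in
            ''|-1)
                printf '%s\t%s\t%s\n' "$rid" "$name" "not mapped" ;;
            *)
                group_exists "$unix" ||
                    printf '%s\t%s\t%s\n' "$rid" "$name" "no Unix group $unix" ;;
        esac
    done
}

# Demo on the constructed sample; on a real host use:
#   net groupmap list | unmapped_groups
printf '%s\n' "$SAMPLE" | unmapped_groups
```

An empty result means every listed NT group resolves to an existing Unix group; RID 513 (Domain Users) is the one named in the thread's error.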
[Samba] net rpc vampire problems
Hi all.

I'm trying to migrate our NT4 domain to Samba-3.0.1-rc3. My smb.conf:

    [global]
    netbios name = vp
    workgroup = NUSAUS
    server string = Samba Server %v
    bind interfaces only = true
    #interfaces = 192.168.0.1/24
    interfaces = 10.146.1.100/24
    passdb backend = tdbsam
    log level = 5
    log file = /var/log/samba3/log.%m
    max log size = 50
    name resolve order = wins lmhosts bcast
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = cups
    add user script = /usr/sbin/useradd -s /bin/false '%u'
    delete user script = /usr/sbin/userdel '%s'
    add group script = /usr/sbin/groupadd %g getent group '%g'|awk -F: '{print $3}'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/bin/gpasswd -a '%u' '%g'
    delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
    set primary group script = /usr/sbin/usermod -g '%g' '%u'
    domain logons = Yes
    os level = 33
    preferred master = Yes
    domain master = No
    wins support = Yes
    printer admin = @adm
    printing = cups
    preserve case = No
    logon drive =
    logon home =
    logon script = drives.bat

    [netlogon]
    comment = Network Logon Service

I can join the domain ( as long as I specify the IP address with the -I flag ). When I run the 'vampire' command, I get the following errors for each machine / user:

    Creating account: DKASAK$
    Could not create posix account info for 'DKASAK$'
    Creating account: dkasak
    [2003/12/15 13:44:00, 0] utils/net_rpc_samsync.c:fetch_account_info(497)
      Could not find unix group 4294967295 for user dkasak (group SID=S-1-5-21-667748849-896033114-1233803906-513)

Each user already has an account set up on the computer ( I'm already running a mail server ), but the machine trust account creation shouldn't be failing.

The users are imported into samba, and I can see them with 'pdbedit -L', however when I move the samba server and a test PC off onto another network ( and set 'Domain Master' to 'Yes' and change the 'interfaces' line ) and try to log on to the domain, I get an error that the machine trust account doesn't exist, or the password for the account is incorrect. The trust account doesn't seem to be created at all.

Any idea why?

--
Daniel Kasak
IT Developer
NUS Consulting Group
Level 5, 77 Pacific Highway
North Sydney, NSW, Australia 2060
T: (+61) 2 9922-7676 / F: (+61) 2 9922 7989
email: [EMAIL PROTECTED]
website: http://www.nusconsulting.com.au