DOMAIN SID
Hi! Where is the DOMAIN SID stored when the LDAP backend is used?

greetz
boka
Re: DOMAIN SID
On Thu, 2002-11-28 at 11:38, [EMAIL PROTECTED] wrote:
> Hi! Where is the DOMAIN SID stored when the LDAP backend is used?

It's in one of the tdb files...
If you put a text file MACHINE.SID in your conf area it still gets imported (if I remember correctly).

brad
--
Bradley W. Langhorst [EMAIL PROTECTED]
Re: DOMAIN SID
On Thu, Nov 28, 2002 at 01:23:31PM -0500, Bradley W. Langhorst wrote:
> On Thu, 2002-11-28 at 11:38, [EMAIL PROTECTED] wrote:
> > Hi! Where is the DOMAIN SID stored when the LDAP backend is used?
>
> it's in one of the tdb files...

secrets.tdb, namely.

--
cheers,
Rafal 'Mimir' Szczesniak [EMAIL PROTECTED]
*BSD, GNU/Linux and Samba
Re: DOMAIN SID
On Fri, 2002-11-29 at 05:23, Bradley W. Langhorst wrote:
> On Thu, 2002-11-28 at 11:38, [EMAIL PROTECTED] wrote:
> > Hi! Where is the DOMAIN SID stored when the LDAP backend is used?
>
> it's in one of the tdb files...

Just as a note - it has been proposed that in Samba HEAD we should store it in LDAP - I would like to see a 'domain' record that contains things like this, account policies - so we don't need to worry about TDBs for basic PDC/BDC operation.

Andrew Bartlett
--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: Domain SID for BDC
> btw... I set up a Samba PDC using LDAP by copying the secrets.tdb file and then setting the domain SID (using smbpasswd). Worked fine. Did not need to reenter the ldap admin pw again.

Yes, worked for me as well.

Volker
Re: Domain SID for BDC
> I just added a -S switch to smbpasswd in SAMBA_2_2 to suck the sid from a DC. My tests show up ok. Can you test this? I'll update the man page shortly.

For me it worked well, thanks! I'm using it in about an hour in my Linuxtag talk ;-)

Thanks,
Volker (fingers crossed)
Re: Domain SID for BDC
On Sat, 8 Jun 2002 [EMAIL PROTECTED] wrote:
> > I just added a -S switch to smbpasswd in SAMBA_2_2 to suck the sid from a DC. My tests show up ok. Can you test this? I'll update the man page shortly.
>
> For me it worked well, thanks! I'm using it in about an hour in my Linuxtag talk ;-)

btw... I set up a Samba PDC using LDAP by copying the secrets.tdb file and then setting the domain SID (using smbpasswd). Worked fine. Did not need to reenter the ldap admin pw again.

cheers, jerry
Re: Domain SID for BDC
On Thu, 6 Jun 2002 [EMAIL PROTECTED] wrote:
> One thing that struck me today is the fact that if you copy the secrets.tdb to another machine, smbd will generate a new SID for the machine and hand this out on lsaquery. The only way to create a working BDC with 2.2.5 is to manually generate a MACHINE.SID from the PDC with rpcclient/lsaquery, copy this over to the BDC with no secrets.tdb and then start smbd on the BDC. It will then suck the MACHINE.SID into a secrets.tdb and delete MACHINE.SID. This should at least be documented

I just added a -S switch to smbpasswd in SAMBA_2_2 to suck the sid from a DC. My tests show up ok. Can you test this? I'll update the man page shortly.

    smbpasswd -S [-r machine]

It's a little awkward in that it grabs the domain from smb.conf in case it needs to look up a pdc. However, if the -r option is used, it will grab the sid from that machine regardless of the domain. I'll try to clean this up some. Please test and let me know.

Note that you can also do this to suck the SID from a Windows NT PDC for migration purposes. :-)

> if not fixed. It's also a bit annoying that you have to manually add the LDAP admin password on each BDC after the secrets.tdb is created. Ok, you should have a separate admin password for each LDAP replica, but how practical is that? ;-)

I think this is ok. With the new smbpasswd option, you should be able to simply copy the secrets.tdb file and set the domain sid in it. The ldap admin pw should remain ok as long as you don't change the ldap admin dn.

cheers, jerry
--
Hewlett-Packard http://www.hp.com
SAMBA Team http://www.samba.org
http://www.plainjoe.org
Sam's Teach Yourself Samba in 24 Hours 2ed. ISBN 0-672-32269-2
"I never saved anything for the swim back." Ethan Hawk in Gattaca
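
Added example, not part of the thread and not Samba code: a small check for the failure mode discussed above, where a BDC generates and hands out its own SID instead of the PDC's domain SID. It assumes the administrator has already obtained the SID string each controller reports (for instance with the rpcclient lsaquery lookup mentioned in the thread); the function names and the sample SIDs are constructed for illustration.

```python
import re
import struct

# Textual SID: S-<revision>-<identifier authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")

def parse_sid(text):
    """Return (revision, authority, [sub-authorities]) or raise ValueError."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    rev, auth = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if rev != 1 or auth >= 1 << 48 or len(subs) > 15:
        raise ValueError("SID field out of range: %r" % text)
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority exceeds 32 bits: %r" % text)
    return rev, auth, subs

def is_domain_sid(text):
    """True for S-1-5-21-a-b-c, the shape of an NT domain or machine SID."""
    _, auth, subs = parse_sid(text)
    return auth == 5 and len(subs) == 4 and subs[0] == 21

def sid_to_bytes(text):
    """Binary SID: revision, count, 48-bit big-endian authority,
    then little-endian 32-bit sub-authorities."""
    rev, auth, subs = parse_sid(text)
    head = struct.pack("BB", rev, len(subs)) + auth.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def check_bdc(pdc_sid, bdc_sid):
    """Return a list of problems; empty means the BDC reports the PDC's SID."""
    problems = []
    for role, sid in (("PDC", pdc_sid), ("BDC", bdc_sid)):
        try:
            if not is_domain_sid(sid):
                problems.append("%s: %s is not a domain SID" % (role, sid))
        except ValueError as exc:
            problems.append("%s: %s" % (role, exc))
    # Compare the binary form so "021" and "21" are treated as the same value.
    if not problems and sid_to_bytes(pdc_sid) != sid_to_bytes(bdc_sid):
        problems.append("BDC reports a different domain SID than the PDC")
    return problems

# Constructed sample SIDs, not taken from any real domain.
PDC_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BDC_FRESH_SID = "S-1-5-21-444444444-555555555-666666666"

if __name__ == "__main__":
    print(check_bdc(PDC_SID, PDC_SID))        # BDC that imported the PDC SID
    print(check_bdc(PDC_SID, BDC_FRESH_SID))  # BDC that generated its own
```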