[Samba] Re: net rpc vampire - cannot login to migrated computer accounts
Christoph Peus
cp at peus.net
Sun Nov 13 19:50:09 GMT 2005
John H Terpstra wrote:
>>Aha. That's a clear statement.
>>It's true that the DC was downgraded from Windows 2000 to NT4, because the
>>original domain is Windows 2000/AD running in mixed mode, but every
>>reference to "net rpc vampire" and "AD in mixed mode" says that this works.
>>Is it possible that "net rpc vampire" works only partially when used with
>>AD/mixed mode?
>
>
> The "net rpc vampire" migration process will migrate all accounts from ADS to
> Samba-3 (NT4-style domain), but all machines will need to re-join the domain.
John, thanks for confirming this information.
> NT4 domain accounts can be migrated without need for domain members to be
> rejoined to the domain. The "net rpc vampire" is inherently an NT4-style
> migration process.
>
> Samba-3 is not capable of being an ADS server, hence the need for domain
> members to be re-joined to the domain.
I know that "net rpc vampire" is NT4-style and that samba-3 is not capable
of being an ADS server, but does this imply that the migration of machine
accounts (which work afterwards) from a mixed mode AD is not possible? My
understanding of "AD in mixed mode" has been that it's NT4-compatible to
some degree and I doubt that the typical user (e.g. myself) has enough
knowledge of the AD internals to know that this compatibility applies to
users and groups but not to machine accounts.

Another point: The fact that "net rpc vampire" offers no option for a
"user/group accounts only" migration suggests that migrating machine
accounts is generally sensible, but what are machine accounts worth, when
machines cannot log in to them afterwards and which have to be recreated
anyway by rejoining the domain?
I read the migration chapters of your books carefully and found no
reference to a "net rpc vampire" migration from a mixed mode AD. I searched
the internet up and down for further information regarding my migration
project, found a lot of Howtos and newsgroup postings, but nothing which
said that migration of machine accounts isn't possible in this
environment, and I asked a samba team member at the SambaXP conference, who
personally told me that "net rpc vampire works for AD/mixed mode", which
means to me, that it works *completely*.
So, I just write all this to point out that I'm not in the situation I'm in
now because I've ignored the available documentation - to answer your other
posting in this thread - but because I read it carefully and listened to
the gurus. Obviously this wasn't sufficient.
Please:
- Add one sentence to the migration chapters of your books, which points out
that machine accounts won't work afterwards when migrated from a mixed
mode AD and that machines will have to rejoin the domain.
- "net rpc vampire" should offer a "skip machine accounts" option for
those users who want to migrate from mixed mode AD.
Thanks!
>>BTW: I'm not the first to encounter this problem. Another samba user (Kang
>>Sun) reported exactly the same problem about a year ago, but didn't get an
>>answer.
>
>
> The mailing list is a subscriber supported facility. If anyone has an urgent
> need for answers they should obtain paid support. Please refer to the Samba
> web site for information regarding paid support sources.
I didn't mention this to claim that it's your duty to answer every question
in a newsgroup (of course it's not!), but to point out that this question
may be worth answering in general, especially because you can run into
this problem though you have read the docs carefully, as I've tried to
explain above.
Christoph
PS: Is it known what's the cause for this machine account incompatibility
in detail? No way of reverting a client to an NT4-style trust to the samba-PDC?