[Samba] Seamless update from Samba 2 to Samba 3 on a new server
Remy Zandwijk
remy.zandwijk at falw.vu.nl
Sat May 24 19:21:53 GMT 2008
Florian,
An obvious question maybe, but does your local passwd file contain the machine
accounts? And why do you copy the secrets.tdb? I think that's not needed.
Remy
> Hi,
>
> I'm new to the list, I hope I'm posting at the right place ;)
>
> I'm having a hard time trying to update and to move my Samba 2.2 PDC to a
> new Debian server.
>
> Currently, the PDC is using Samba 2.2.8 on a Solaris Server. My goal is to
> move it to another computer, and to update it to a newer version (3.0.24).
> This must be fully transparent for the users, since I have no time to
> disjoin and to rejoin the domain on all machines.
> I'm using the smbpassword backend, and a NIS server. The NIS stores all
> the Unix accounts, but the machine accounts are local.
> The domain name is SMBDOM.
> The PDC is called aldebaran, and has the Netbios name PDC.
>
> I've caught the SID of the old machine with smbpasswd -X SMBDOM, which is
> the same as the one I get with smbpasswd -X PDC.
>
> Now, I've installed my Samba 3 server on the new machine, which uses the
> same hostname and the same Netbios name.
> I've set the SID to the old domain one, using net setlocalsid
> olddomainsid, and net setlocalsid olddomainsid.
>
> I've also copied the smb.conf, and the secrets.tdb, and done the group
> mappings.
> Here is the result of the net groupmap list command :
>
> testpdc:/var/log/samba# net groupmap list
> Domain Admins (S-1-5-21-2616637325-650964048-2930221742-512) -> adminasr
> Domain Computers (S-1-5-21-2616637325-650964048-2930221742-515) -> machines
>
>
> The problem is that the old domain computers can't join the new domain.
> I'm having the message "Windows can't connect... The server might not be
> running, or your machine account has not been found..." or something like
> that.
>
> Here is what I can see in the logs :
>
> [2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
> creds_server_check: credentials check failed.
> [2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
> _net_auth2: creds_server_check failed. Rejecting auth request from
> client CYANN machine account CYANN$
> [2008/05/23 15:20:00, 2] libsmb/credentials.c:creds_server_check(218)
> creds_server_check: credentials check failed.
> [2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
> _net_auth2: creds_server_check failed. Rejecting auth request from
> client CYANN machine account CYANN$
>
>
> When running pdbedit -vL with my username for example, everything seems
> fine :
>
> testpdc:/var/log/samba# pdbedit -vL marinier
> Unix username: marinier
> NT username:
> Account Flags: [UX ]
> User SID: S-1-5-21-2616637325-650964048-2930221742-3324
> Primary Group SID: S-1-5-21-2616637325-650964048-2930221742-513
> Full Name: Florian Marinier
> Home Directory: \\pdc\marinier
> HomeDir Drive: u:
> Logon Script: montage.bat marinier
> Profile Path:
> Domain: SMBDOM
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: Tue, 19 Jan 2038 04:14:07 CET
> Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
> Password last set: Fri, 04 Apr 2008 15:53:44 CEST
> Password can change: Fri, 04 Apr 2008 15:53:44 CEST
> Password must change: Tue, 19 Jan 2038 04:14:07 CET
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> The SID is the right one.
>
> When running pdbedit -vL cyann$ (which is one of my machine accounts)
>
> testpdc:/var/log/samba# pdbedit -vL cyann$
> Unix username: cyann$
> NT username:
> Account Flags: [W ]
> User SID: S-1-5-21-2616637325-650964048-2930221742-2820
> Primary Group SID: S-1-5-21-2616637325-650964048-2930221742-515
> Full Name: Trust Account
> Home Directory:
> HomeDir Drive: (null)
> Logon Script:
> Profile Path:
> Domain: SMBDOM
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: Tue, 19 Jan 2038 04:14:07 CET
> Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
> Password last set: Wed, 18 Apr 2007 18:28:27 CEST
> Password can change: Wed, 18 Apr 2007 18:28:27 CEST
> Password must change: Tue, 19 Jan 2038 04:14:07 CET
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> The SID and domain are the right ones...
> But I still can't log in :(
>
> I may have an answer, but I'd be glad to have a confirmation:
> On my old Solaris server, my machines group had the GID 101.
> And on my new Debian Server, the GID 101 is already used by Crontab, so I
> chose another GID.
>
> Could it be the source of all my problems?
>
>
>
> PS: However, when I disjoin and rejoin the domain, everything seems OK.
>
> Does anyone have a clue?
>
> Thanks,
>
> Florian
>
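Remy's question about the local passwd file can be checked mechanically. The sketch below is an added example, not code from either poster or from Samba: it pulls the machine accounts rejected in the `_net_auth2` log entries and reports whether each has an entry in a passwd-format file and in an smbpasswd-format file. The function names, file names and sample lines are constructed for illustration, and VEGA$ is a made-up second client.

```shell
#!/bin/sh
# Added example: which machine accounts rejected by netlogon lack a Unix
# (passwd) or Samba (smbpasswd) entry? Function names are hypothetical.

# Print unique machine account names from "Rejecting auth request" entries.
rejected_accounts() {
    grep -o 'machine account [^ ]*\$' "$1" | awk '{print $3}' | sort -u
}

# has_entry FILE NAME: true if NAME is the first colon-separated field of a
# line in FILE, ignoring case (the log says CYANN$, pdbedit says cyann$).
has_entry() {
    awk -F: -v n="$2" 'tolower($1) == tolower(n) {f = 1} END {exit !f}' "$1"
}

# check_machine_accounts LOG PASSWD SMBPASSWD: one status line per account.
check_machine_accounts() {
    rejected_accounts "$1" | while read -r acct; do
        unix=missing; smb=missing
        has_entry "$2" "$acct" && unix=present
        has_entry "$3" "$acct" && smb=present
        echo "$acct unix=$unix smbpasswd=$smb"
    done
}

# Constructed sample files (not the poster's data); VEGA$ is made up.
make_sample() {
    cat > "$1/log.smbd" <<'EOF'
[2008/05/23 15:20:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from
  client CYANN machine account CYANN$
[2008/05/23 15:21:10, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from
  client VEGA machine account VEGA$
EOF
    cat > "$1/passwd" <<'EOF'
cyann$:x:1001:1000:Trust Account:/dev/null:/bin/false
EOF
    cat > "$1/smbpasswd" <<'EOF'
cyann$:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
vega$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp" &&
    check_machine_accounts "$tmp/log.smbd" "$tmp/passwd" "$tmp/smbpasswd"
rm -rf "$tmp"
```

On a real server the three arguments would be the smbd log, the local passwd file and the smbpasswd file from the configured backend; an account reported as `unix=missing` is the case Remy is asking about.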