Changing Domains from NT4 / AD 2000

Kirk Shimek Kirk.Shimek at
Thu Apr 12 13:10:04 GMT 2001

Thanks Don,

A follow-on config question.  I understand the workaround . . . how do I handle the fact that my users' NT account names are not the same as the UNIX account names?  i.e. NT uses shimekk / whereas UNIX uses kshimek, AND ALL the accounts already exist.  Does the user-name-map option work here?  I'm already using it.  But before I affect ~300 users, I would like to know the effects, if any.

Also, I suppose to make the change to security = server I need to modify the smb.conf file and shut down and restart smbd and nmbd . . . correct?

Again, thanks for the quick response.  You guys rock at SAMBA!

Hi Kirk,
Don't know if this is your problem or not, but when working with 2.0.7 on HP-UX 11.0, we found this irregularity (only for NT users that had been moved from an NT 4.0 domain to a Win2k domain):
When Windows users are migrated from Windows NT to Windows 2000 domains, to maintain backward access permissions, the migration tools add what's called SID history to the users' accounts. When the Samba server is used in domain authentication mode with migrated users, the authentication fails. The problem is that due to the addition of old security IDs (called SIDHistory) to the user accounts, when Samba authenticates a user against a Windows 2000 server, if the user is authenticated properly, Win2k returns more information than Samba expects. Consequently Samba fails with a buffer overflow error.

You should be able to determine if this is happening to you by turning up log level and reproducing the failure, then looking thru the log file for a buffer overflow...

When a user is migrated from Windows NT to Windows 2000 running in native mode, Win2K preserves the user's old SID information in a Win2K native attribute called SID History. When Samba authenticates such a user successfully against the Windows 2000 server (giving the right username and password), Windows 2K appends SID history to the response. Samba isn't ready (not coded) to handle the extra SID information returned by Win2K servers, so it fails.
The workaround is to use Samba in server security mode.

Kirk Shimek Information Systems
Systems Engineer - UNIX Administrator
TRW Automotive Electronics
Body Control Systems
507-457-3750 ext.8241

" . . . for it is in one's speech, that the bent of one's mind is revealed."
Book of Sirach
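
An added example, not part of the original thread: a simplified Python model of the `username map` rules as the smb.conf manual page describes them, for checking a map such as `kshimek = shimekk` against existing UNIX accounts before rolling it out. The sample map, the names other than those in the post, and the function names are constructed; `@group` entries and quoted names containing spaces are not handled.

```python
# Added example: simplified model of "username map" processing as described
# in the smb.conf manual page. Assumptions: no @group entries, no quoted names.

def parse_map(text):
    """Return a list of (unix_name, [client_names], stop_flag) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        stop = line.startswith("!")       # '!' = stop after a match on this line
        if stop:
            line = line[1:]
        unix, sep, clients = line.partition("=")
        if not sep or not unix.strip():
            continue                      # malformed line, skipped
        rules.append((unix.strip(), clients.split(), stop))
    return rules

def map_user(rules, client_name):
    """Apply the rules in file order; a later line can remap an earlier result."""
    name = client_name
    for unix, clients, stop in rules:
        if any(c == "*" or c.lower() == name.lower() for c in clients):
            name = unix
            if stop:
                break
    return name

def audit(rules, client_names, unix_accounts):
    """List client names whose mapped result is not an existing UNIX account."""
    return sorted(n for n in client_names
                  if map_user(rules, n) not in unix_accounts)

# Constructed sample map and account list (names from the post plus invented ones).
SAMPLE_MAP = """\
# unix = nt
!kshimek = shimekk
jdoe = doej
guest = *
"""
RULES = parse_map(SAMPLE_MAP)
UNIX_ACCOUNTS = {"kshimek", "jdoe"}

if __name__ == "__main__":
    for nt in ("shimekk", "doej", "smitha"):
        print(nt, "->", map_user(RULES, nt))
    print("dangling:", audit(RULES, ["shimekk", "doej", "smitha"], UNIX_ACCOUNTS))
```

In the sample, `doej` ends up as `guest` because its line lacks the `!` prefix and the later wildcard line remaps it, which is the kind of effect worth catching before a map reaches ~300 users.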
