Changing Domains from NT4 / AD 2000
Andrew Bartlett
abartlet at pcug.org.au
Thu Apr 12 13:18:40 GMT 2001
Kirk Shimek wrote:
>
> Thanks Don,
>
> A follow-on config question. I understand the workaround . . . how do I handle the fact that my users' NT account names are not the same as the UNIX account names? i.e. NT uses shimekk / whereas UNIX uses kshimek, AND ALL the accounts already exist. Does the user-name-map option work here? I'm already using it. But before I affect ~300 users, I would like to know the effects, if any.
>
> Also, I suppose to make the change to security = server I need to modify the smb.conf file and shut down and restart smbd and nmbd . . . correct?
You don't need to shut down Samba; sending the appropriate process a
simple -HUP signal should do the trick.
>
> Again, thanks for the quick response. You guys rock at SAMBA!
>
> ----------------------------------------------------------------------
> Hi Kirk,
> Don't know if this is your problem or not, but when working with 2.0.7 on
> HP-UX 11.0, we found this irregularity (only for NT users that had been
> moved from an NT 4.0 domain to a Win2k Domain):
> **********************************
> When Windows users are migrated from Windows NT to Windows 2000
> domains, to maintain backward access permissions, the migration tools
> add what's called SID history to the users' accounts.
> When Samba server is used in domain authentication mode with migrated
> users, the authentication fails.
> The problem is that due to the addition of old security IDs (called
> SIDHistory) to the user accounts, when Samba authenticates a user
> against a Windows 2000 server, if the user is authenticated properly,
> Win2k returns more information than what Samba expects. Consequently
> Samba fails with a buffer overflow error.
>
> You should be able to determine if this is happening to you by turning up
> your log level and reproducing the failure, then looking through the log
> file for a buffer overflow...
>
> When a user is migrated from Windows NT to Windows 2000 running
> in native mode, Win2K preserves the user's old SID information in
> a Win2K native attribute called SID History.
> When Samba authenticates such a user successfully against the
> Windows 2000 server (giving the right username and password), Windows
> 2K appends SID history to the response. Samba isn't ready (not coded)
> to handle the extra SID information returned by Win2K servers, so it fails.
> The workaround is to use Samba in server security mode.
>
> Kirk Shimek Information Systems
> Systems Engineer - UNIX Administrator
> TRW Automotive Electronics
> Body Control Systems
> 507-457-3750 ext.8241
> WINONA MN
>
> " . . . for it is in one's speech, that the bent of one's mind is revealed."
> Book of Sirach
--
Andrew Bartlett
abartlet at pcug.org.au
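
A pre-flight check for the username map question raised in this thread, as an added example that is not part of the original messages: it parses a map in the format described in smb.conf(5) (UNIX name left of `=`, NT names on the right, `#`/`;` comments, optional leading `!`) and reports entries that point at a missing UNIX account or map one NT name to two UNIX accounts. The function names and sample data are constructed for illustration; `@group` and `*` entries are skipped, not expanded.

```python
import shlex

# Constructed sample map: UNIX name on the left, NT name(s) on the right.
SAMPLE_MAP = """\
# NT logons mapped onto existing UNIX accounts
kshimek = shimekk
jdoe = doej "Doe, John"
ghost = ghostg
!asmith = shimekk
"""
# Constructed account list; in practice taken from the passwd database.
SAMPLE_UNIX_USERS = {"kshimek", "jdoe", "asmith"}


def parse_map(text):
    """Return [(unix_name, [nt_names], stop_flag)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        stop = line.startswith("!")            # '!' stops processing on a match
        if stop:
            line = line[1:].lstrip()
        unix, sep, rest = line.partition("=")
        if not sep:                            # no '=': not a mapping line
            continue
        # shlex keeps quoted NT names that contain spaces as one token
        entries.append((unix.strip(), shlex.split(rest), stop))
    return entries


def check_map(text, unix_users):
    """Return a list of (problem, name) tuples found in the map."""
    problems = []
    owner = {}                                 # lowercased NT name -> UNIX name
    for unix, nt_names, _stop in parse_map(text):
        if unix not in unix_users:
            problems.append(("missing-unix-account", unix))
        for nt in nt_names:
            if nt == "*" or nt.startswith("@"):
                continue                       # wildcard/group: not expanded here
            key = nt.lower()                   # NT names are case-insensitive
            if key in owner and owner[key] != unix:
                problems.append(("nt-name-mapped-twice", nt))
            owner.setdefault(key, unix)
    return problems


if __name__ == "__main__":
    for problem, name in check_map(SAMPLE_MAP, SAMPLE_UNIX_USERS):
        print(f"{problem}: {name}")
```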