Replacing NT4 PDC with Samba 2.2.2

David Kadlec david.kadlec at unicorn.cz
Thu Dec 20 06:35:15 GMT 2001


SID stands for Security IDentifier - it's the number by which users, groups and
machines (and maybe other things) are identified by Windows security services.
It is a single namespace for all the objects. For simplicity we can say SIDs
are in the format S-1-5-21-XXXX-YYYY-ZZZZ-AAAA (why, how... see the link down
in the mail). Yes, these are the numbers you can see in the Recycle Bin
folder :-)

The S-1-5-21-XXXX-YYYY-ZZZZ part is the SID of the domain - it's generated
randomly at PDC installation. Also every workstation has its own SID - for
local accounts on that workstation. Domain accounts, groups and machine
accounts then have their SIDs made from the SID of the domain and their RID
(Relative ID). So user administrator from domain S-1-5-21-XXXX-YYYY-ZZZZ with
RID 500 has SID S-1-5-21-XXXX-YYYY-ZZZZ-500. A RID is something like UIDs in
Unix.

And here is the point. Linux and Unixes have separate namespaces for groups
and users - you can have UID 100 and GID 100. Windows has only one namespace
for all accounts and groups. So there must be a function for mapping UIDs and
GIDs to RIDs - and the function is RID=UID*2+1000 and RID=UID*2+1001 for
groups. As you can see - group accounts are odd, user accounts are even RIDs.

So, there are users in the Windows domain which cannot have a UID in the Samba
domain that will map to the same RID. A user with RID 3000 is OK - if you
create him/her on Samba with UID 500, he will have the same RID. But you are
unable to create a user with RID 3001.

Definitely, migration Windows -> Samba cannot be done by just throwing out
the old PDC *sniff* But with some effort, you can migrate user passwords to
the new Samba domain and relink profiles on workstations to the new accounts.

David Kadlec

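The UID/GID to RID mapping described in the message above, together with the reverse check from the earlier reply (UID=(RID-1000)/2, odd RIDs unmappable), as an added example that is not part of the original thread. The function names, the sample domain SID and the list of NT4 SIDs are constructed for illustration; the RID base of 1000 is the one the thread describes.

```python
# Added example (not from the mailing-list thread): Samba 2.2's algorithmic
# UID/GID -> RID mapping as described above, plus the reverse check that tells
# you which NT4 user SIDs cannot be recreated unchanged on a Samba PDC.

RID_BASE = 1000  # RID base the thread describes (RID = UID*2 + 1000)

def uid_to_user_rid(uid: int) -> int:
    """User RIDs are even: RID = UID*2 + 1000."""
    return uid * 2 + RID_BASE

def gid_to_group_rid(gid: int) -> int:
    """Group RIDs are odd: RID = GID*2 + 1001."""
    return gid * 2 + RID_BASE + 1

def rid_to_unix_id(rid: int):
    """Reverse mapping: ('user', uid) or ('group', gid).

    Well-known RIDs below the base (e.g. 500 = Administrator) are not
    produced by the algorithm, so None is returned for them.
    """
    if rid < RID_BASE:
        return None
    if rid % 2 == 0:
        return ("user", (rid - RID_BASE) // 2)
    return ("group", (rid - RID_BASE - 1) // 2)

def split_sid(sid: str):
    """Split 'S-1-5-21-x-y-z-RID' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def migration_plan(domain_sid: str, nt_user_sids):
    """For each NT4 user SID, give the UID that keeps the SID unchanged.

    Returns ({sid: uid}, [unmappable sids]); a SID is unmappable when its
    RID is odd (a group RID), below the base, or from another domain.
    """
    keep, lost = {}, []
    for sid in nt_user_sids:
        dom, rid = split_sid(sid)
        mapping = rid_to_unix_id(rid)
        if dom != domain_sid or mapping is None or mapping[0] != "user":
            lost.append(sid)
        else:
            keep[sid] = mapping[1]
    return keep, lost
```

Running `migration_plan` over the SIDs dumped from the old PDC (the domain SID being the one copied into MACHINE.SID) lists which accounts can be recreated with a matching RID and which will inevitably get a new SID on the Samba side.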
----- Original Message -----
From: "Tim Allen" <timallen at ls82.fsnet.co.uk>
To: <samba at lists.samba.org>
Sent: Thursday, December 20, 2001 9:36 AM
Subject: Re: Replacing NT4 PDC with Samba 2.2.2


> I found this:
>
> http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html
>
> by Jeremy which talks about SIDs and RIDs. I'm going to read through it in
> the next couple of days and see whether it throws any light on how to do
> this. It's pretty old though, Samba 2.0 vintage.
>
> This does seem like an area which could really do with some airing on the
> lists. I'd have thought it would be a very common requirement.
>
> Tim Allen
>
> ----- Original Message -----
> From: "rebelman" <rebel at snafu.de>
> To: "David Kadlec" <david.kadlec at unicorn.cz>; <samba at lists.samba.org>
> Sent: Wednesday, December 19, 2001 7:46 PM
> Subject: Re: Replacing NT4 PDC with Samba 2.2.2
>
>
> > Hi David and Allen,
> > I try the same: replacing a Win2000 PDC with Samba. I have failed for a week
> > now, but there seem to be authentication errors. I use encrypted passwords,
> > set up named and machine accounts in passwd, shadow and smbpasswd etc. but it
> > doesn't work.
> > But until now I never heard of a SID or RID. What is this SID?
> > I have to say that I never administered a Win network. ;-)
> > - Frankie
> > ***************************************************
> > Und Linux sagte: You don't exist! Go away!
> > ----- Original Message -----
> > From: David Kadlec <david.kadlec at unicorn.cz>
> > To: <samba at samba.org>
> > Sent: Wednesday, December 19, 2001 12:55 PM
> > Subject: Re: Replacing NT4 PDC with Samba 2.2.2
> >
> >
> > > Hello,
> > >
> > > we went through the same scenario a few days ago. The problem is with SID
> > > creation - Samba does not make the user's SID as domainSID-userUID as you
> > > might think. Instead it does it like domainSID-(UID*2+1000). So they
> > > have different SIDs on the NT and Samba domains. You can construct UIDs
> > > of users from their RIDs with the reverse procedure
> > > (UID=(RID-1000)/2), but if you have some with odd RIDs, you don't have a
> > > chance.
> > >
> > > David Kadlec
> > >
> > > ----- Original Message -----
> > > From: "Tim Allen" <timallen at ls82.fsnet.co.uk>
> > > To: <samba at lists.samba.org>
> > > Sent: Wednesday, December 19, 2001 8:58 AM
> > > Subject: Replacing NT4 PDC with Samba 2.2.2
> > >
> > >
> > > > Hi
> > > >
> > > > Haven't seen any responses to my earlier post (Transferring PDC duties to
> > > > Samba) so here's a slightly different approach I'm trying which someone
> > > > can hopefully shed some light on.
> > > >
> > > > Is it possible to transfer domain-specific data from an NT4 PDC to a Samba
> > > > 2.2.2 server, switch off the NT4 machine, set up smb.conf, switch on the
> > > > Samba box such that the attached NT4/Win2000 workstations are blissfully
> > > > unaware that the PDC has changed? In other words, doing the equivalent of
> > > > setting up Samba as a BDC then promoting it to PDC, albeit manually.
> > > >
> > > > So far, I've done the following:
> > > >
> > > > Extracted the workstation machine accounts from the NT4 server using pwdump
> > > > and inserted into smbpasswd.
> > > > Made the corresponding additions to /etc/passwd and /etc/shadow.
> > > > Extracted the NT4 SID and inserted into MACHINE.SID.
> > > > Specified the netbios name to be that of the NT4 server in smb.conf.
> > > >
> > > >
> > > > Doing the above does allow a login from one of the workstations, but the
> > > > workstation considers this to be a new user, which is exactly what I'm
> > > > trying to avoid, as the local profiles for each user are then lost. A log
> > > > error message is also generated at login:
> > > >
> > > > Dec 18 16:19:28 golux smbd[15238]: [2001/12/18 16:19:28, 0] rpc_server/srv_netlog.c:api_net_sam_logon(208)
> > > > Dec 18 16:19:28 golux smbd[15238]:   api_net_sam_logon: Failed to marshall NET_R_SAM_LOGON.
> > > > Dec 18 16:19:28 golux smbd[15238]: [2001/12/18 16:19:28, 0] rpc_server/srv_pipe.c:api_rpcTNP(1204)
> > > > Dec 18 16:19:28 golux smbd[15238]:   api_rpcTNP: api_netlog_rpc: NET_SAMLOGON failed.
> > > >
> > > > Any advice much appreciated.
> > > >
> > > > Tim Allen
> > > >
> > > >
> > > >
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > >
> > >
> > >
> >
> >
> >
> >
>
>
>
