[Samba] Three reasons for staying with Microsoft PDC's

Andrew Bartlett abartlet at samba.org
Sat Jul 20 07:38:02 GMT 2002

Tim Allen wrote:
> There appear to be significant hurdles to migrating from a Microsoft to
> Samba PDC environment, something which I've been trying to do now for many
> months. The difficulties arise in moving users' accounts over to Samba
> 1. Local profiles. It does not seem to be possible to move from an NT4 PDC
> to a Samba PDC while retaining local profiles. NT4/W2k machines consider
> logons to the Samba PDC to be new users, even when the Samba machine SID is
> the same as the NT4 SID, and machine accounts have been ported over using
> pwdump2.

Samba does not send back 'null' strings easily - if the passdb comes up
with 'null' it uses the default.  Perhaps by setting 'logon path' etc to
"" it might help.  Or it might not.

> OK, so let's try....
> 2. Roaming profiles. Although these work correctly with NT4 workstations,
> there remains an unresolved "Access Denied" problem on logons with W2k
> machines, whether or not "nt acl support = no" is present in the [profiles]
> section of smb.conf. Various postings on the lists from people having this
> problem but no solutions.

We will need a bit more detail to get anywhere on this.  

> OK, bite the bullet and have every user start from a blank profile...
> 3. This results in various apps on the workstations choking because they now
> can't find registry keys.
> OK, re-install Windows on every workstation and all the apps. Alternatively
> forget about any of this, just keep the NT4 PDC running and enjoy a quiet
> life.

Samba's PDC support is not complete, and migration support is almost
completely lacking.  This is a simple matter of developer time.  Without
a commercial backer for Samba's PDC support, it is left to those with
free time to put at the issue.

For Samba HEAD, that's mostly me ATM - and others when they get time.  We
have new developers starting on PDC stuff, but it takes time, and this
stuff is *complex*.

(Samba's file and print code had the support of companies like Quantum
and HP - and in particular their QA departments.  Never underestimate
the power of a good QA department on a product).

> I've trawled the lists over the last few months trying to find answers to
> this dilemma, as well as positing questions (back to last December)
> specifically on 1, which for us is by far the simplest solution. No
> responses, well not recently, and I don't know whether that's because
> a. The answer's blindingly obvious to everyone else.
> b. Nobody does this kind of thing.

Only Samba HEAD has even a start of a solution on the RID issue, so it's
really a matter of 'we haven't done much here yet'.  I hope this stuff
will improve.

> c. Nobody has a solution.
> d. It's impossible anyway.

We are working on it - slowly. :-)

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
