[Samba] Samba PDC migration (was Three reasons for staying with Microsoft PDC's)

Tim Allen timallen at ls83.fsnet.co.uk
Sat Jul 20 09:45:02 GMT 2002 

Andrew

Firstly, thank you for responding so politely to my posting. I felt I needed
to get a dialog going to try to resolve these problems and thought a
slightly provocative subject header might get the ball rolling.


> > There appear to be significant hurdles to migrating from a Microsoft to
> > Samba PDC environment, something which I've been trying to do now for
many
> > months. The difficulties arise in moving user's accounts over to Samba
> >
> > 1. Local profiles. It does not seem to be possible to move from an NT4
PDC
> > to a Samba PDC while retaining local profiles. NT4/W2k machines consider
> > logons to the Samba PDC to be new users, even when the Samba machine SID
is
> > the same as the NT4 SID, and machine accounts have been ported over
using
> > pwdump2.
>
> Samba does not send back 'null' strings easily - if the passdb comes up
> with 'null' it uses the default.  Perhaps by setting 'logon path' etc to
> "" it might help.  Or it might not.

I've been using

logon path =

up to now. I can't remember whether I tried logon path = "" at some point
previously but will certainly check this tomorrow.

>
> > OK, so let's try....
> >
> > 2. Roaming profiles. Although these work correctly with NT4
workstations,
> > there remains an unresolved "Access Denied" problem on logons with W2k
> > machines, whether or not "nt acl support = no" is present in the
[profiles]
> > section of smb.conf. Various postings on the lists from people having
this
> > problem but no solutions.
>
> We will need a bit more detail to get anywhere on this.

Samba 2.2.5.

        logon path = \\%N\profiles\%u
        logon drive = I:
        logon home = \\%N\home

and

[profiles]
        comment = Profiles Store
        path = /usr/local/samba/profiles
        create mask = 0600
        directory mask = 0700
        nt acl support = No
        read only = no

Profile was originally exported from W2KSP2 machine (permissions set to
everyone). Downloads correctly to NT4 workstations but fails as described in
README.Win2kSP2. The fix described there is the nt acl support = no, but
this had no effect in our case and a number of postings to this list also
report this doesn't necessarily cure the problem. What would be useful
here - level 10 logs, tcpdump output?

>
> > OK, bite the bullet and have every user start from a blank profile...
> >
> > 3. This results in various apps on the workstations choking because they
now
> > can't find registry keys.
> >
> > OK, re-install Windows on every workstation and all the apps.
Alternatively
> > forget about any of this, just keep the NT4 PDC running and enjoy a
quiet
> > life.
>
> Samba's PDC support is not complete, and migration support is almost
> compleatly lacking.  This is a simple matter of devloper time.  Without
> a commercial backer for Samba's PDC support, it is left to those with
> free time to put at the issue.
>
> For Samba HEAD, thats mostly me ATM - and others when they get time.  We
> have new developers starting on PDC stuff, but it takes time, and this
> stuff is *complex*.
>
> (Samba's file and print code had the support of companies like Quantum
> and HP - and in particular their QA departments.  Never underestimate
> the power of a good QA department on a product).
>
> > I've trawled the lists over the last few months trying to find answers
to
> > this dilemma, as well as positing questions (back to last December)
> > specifically on 1, which for us is by far the simplest solution. No
> > responses, well not recently, and I don't know whether that's because
> >
> > a. The answer's blindingly obvious to everyone else.
> > b. Nobody does this kind of thing.
>
> Only Samba HEAD has even a start of a solution on the RID issue, so its
> really a matter of 'we havn't don't much here yet'.  I hope this stuff
> will improve.
>
> > c. Nobody has a solution.
> > d. It's impossible anyway.
>
> We are working on it - slowly. :-)

I know. There are a lot of people out here who are really appreciative of
all the effort and hard work you guys are putting into this. And I, like
many others, would like to do our little bit by providing useful feedback
and test data where we find problems.

Thanks again

Tim Allen

More information about the samba mailing list