[Samba] Samba As BDC

Irving Carrion icarrion at allinterior.com
Tue Jul 23 06:45:03 GMT 2002

Did the samba mailing list go down yesterday between 10am - 5pm eastern?  

Anyway, plz forgive me for the 3 messages I sent at once....  

I think I'll have to re-create these accounts in SAMBA.  Screw it!!!  
I may just learn a thing or too!

Thanks for the reply!

-----Original Message-----
From: Goetz Rieger [mailto:goetz.rieger at suse.de] 
Sent: Tuesday, July 23, 2002 8:21 AM
To: Irving Carrion
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba As BDC


On Mon, 22 Jul 2002 11:41:39 -0400
Irving Carrion <icarrion at allinterior.com> wrote:

> I'm trying to replace an existing NT4.0 domain controller with the
> latest version of samba.  My concern is that I would have to re-create
> all the users on the samba machine, change the domain name (From
> NT-Domain to SAMBA-Domain) on each Windows 2000 workstation, and
> re-configure every users email, settings etc....(We have about 500 users
> with only 2 Admins.)

you are talking about a very sensitive topic...take a look at the postings
between T.Allen and A.Bartlett (around 02/07/20).

> Is there a way to add a SAMBA BDC to an existing NT Domain, 

To my knowledge, no.

> have all user names / passwords transferred to the SAMBA BDC, and then
> promote the Samba BDC to a PDC, throw away the NT PDC, and standardize
> on SAMBA Domain Controllers?  


We just migrated a NT4.0 PDC to samba and it gave us a considerable amount
of pain. You can dump the user/passwords with pwdump and you can extract
the group memberships with rpcclient, at least we did. 

You can fetch the Domain SID and give it to the samba PDC. But you will
run into trouble with the user RID migration, because Samba calculates the
RID out of the Linux UID. So there is no clean way to get the same user
SID from Samba as the user had before on the NT PDC. And not to mention
the trust account passwords...mymy.

I have heard the only reasonable painless way for a migration is Samba
with the LDAP backend, so that you are able to massage the RIDs and trust
account passwords into the directory. But a really transparent NT-Samba
migration is another story.


More information about the samba mailing list