[Samba] approximate net rpc vampire HOWTO, as promised

Ronan Waide waider at waider.ie
Thu Nov 28 10:38:01 GMT 2002


Hi Folks,

as promised, here's what I did to get net rpc vampire working. There's
a question at the bottom that someone might be able to answer for
me. If the detail below is sane, I'll tidy it up some and submit it as
a proper HOWTO. If not, please tell me where I'm being insane :)

======================================================================
Using 'net rpc vampire' to clone a PDC (user & machine accounts)

0. Caveats: this is samba 3 from CVS, NT4 Server as PDC, and Red Hat
   Linux 7.3 as my testbed.

1. Install Samba 3 from CVS
   I've installed it in /usr/local/samba-3, with the following options
   to configure:

./configure --prefix=/usr/local/samba-3 --with-sam --with-tdbsam --with-smbmount --with-winbind
make
make install

2. Create netlogon directory and samba-related groups

mkdir -p /usr/local/samba-3/bdc/netlogon
groupadd machines
groupadd samba

3. Set up as a BDC. This is my basic smb.conf:
[global]
workgroup = YOURDOMAIN
security = domain
password server = *
encrypt passwords = yes

# Backend
passdb backend = tdbsam_nua
non unix account range = 1000-5000

sam backend = tdbsam_nua
domain logons = yes
add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false '%u'
add user script = /usr/sbin/adduser -n -g samba -c "Samba User" -d /dev/null -s /bin/false '%u'
add group script = /usr/sbin/groupadd '%g'
add user to group script = /usr/sbin/usermod -G `/usr/bin/id -G '%u' | /bin/sed 's/ /,/g'`,'%g' '%u'

[netlogon]
comment = Logon Server Share
path = /usr/local/samba-3/bdc/netlogon
read only = no

4. Join the domain
/usr/local/samba-3/bin/net rpc join -U Administrator%password -S YOURPDC

8. Start daemons
/usr/local/samba-3/sbin/nmbd
/usr/local/samba-3/sbin/smbd

(the NMBD log should tell you that you're now a logon server for YOURDOMAIN)

9. vampire
/usr/local/samba-3/bin/net rpc vampire -U Administrator%password -S YOURPDC

10. The following will fail due to excessive length (pah!):
Creating unix group: 'Account Operators'
groupadd: Account Operators is a not a valid group name

If you really need this group then you'll either have to:
* rename the group on the PDC
* Use a mangling program to do the groupadd stuff (see documentation -
  only requirement of said program is that it returns the ID of the
  group it's added)
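As an added example (not part of the original post, and not Samba's own code), here is what such a mangling program could look like: a small sh wrapper meant to be set as the `add group script` (e.g. `add group script = /usr/local/samba-3/bin/add_group.sh '%g'`, a hypothetical path). It lowercases the NT name, replaces spaces and other illegal characters, forces a legal first character, trims the result, creates the group if it does not exist, and prints the numeric gid on stdout, which is the one thing the post says Samba requires of it. The 16-character limit and the `[a-z_][a-z0-9_-]*` pattern are those of the old shadow-utils `groupadd`, an assumption you should check against your own system; `getent` and `groupadd` are assumed to be on the PATH and the script is assumed to run as root when Samba calls it.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper for Samba's
# "add group script" that turns NT group names like "Account Operators"
# into names the Unix groupadd accepts, then prints the numeric gid.
# Assumptions: groupadd/getent on PATH, runs as root when called by
# Samba; the 16-char limit and [a-z_][a-z0-9_-]* rule are those of the
# old shadow-utils groupadd (adjust for your system).

# Turn an arbitrary NT group name into a legal Unix group name.
mangle_group_name() {
    # lowercase, then replace anything outside [a-z0-9_-] with '_'
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9_-' '_')
    # groupadd insists the name starts with a letter or underscore
    case "$name" in
        [a-z_]*) ;;
        *) name="_$name" ;;
    esac
    # ...and caps the length at 16 characters
    printf '%s\n' "$name" | cut -c1-16
}

# Create the group if it is missing and echo its gid on stdout,
# which is what Samba reads back from the add group script.
add_group() {
    unix_name=$(mangle_group_name "$1") || return 1
    if ! getent group "$unix_name" >/dev/null 2>&1; then
        groupadd "$unix_name" || return 1
    fi
    getent group "$unix_name" | cut -d: -f3
}

# Samba invokes this as: /usr/local/samba-3/bin/add_group.sh '%g'
# (hypothetical install path); only act when a name was given.
if [ $# -gt 0 ]; then
    add_group "$1"
fi
```

Note that "Account Operators" comes out as "account_operator" (the trailing "s" falls to the 16-character cap), so two NT names that differ only past that point would collide; if you have such groups, pick a different mangling (a hash suffix, a fixed table) before relying on this. Returning the gid rather than the mangled name is what lets Samba keep its own NT-name-to-gid association, so the odd-looking Unix name never has to be typed anywhere.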

11. You should now be able to switch off the PDC and support logins
    via the BDC. For completeness, add these PDC config items to your
    smb.conf and kick the daemons:

domain master = yes
local master = yes
preferred master = yes
os level = 64

    also, change 'security = domain' to 'security = user'.

    Otherwise, you can keep your Samba server as a BDC, although
    you'll need to set up a cron job to occasionally redo the net rpc
    vampire (and it will complain bitterly about existing accounts)

=================================================================================

Now, as I'd mentioned previously, I need to keep the PDC in the domain
because it's providing other services. This is proving to be a little
tricky. I've managed the following:

* Use the dubious registry hack to convert the PDC to a Workstation
  - this leaves me with a duplicate SID problem.
* Use NewSID from www.sysinternals.com to change the PDC's sysid
* Leave the domain (change to some random workgroup, reboot)

Obviously the final step here is to rejoin the domain, but I'm falling
foul of the fact that I've changed the SID (or something). When I try
to rejoin the domain (automatically created accounts using the above
config) I get the following error message:

'Unable to update local security in order to join domain'

I've done a web search on this, and while there are vague handwaving
explanations of what's happened, there's no actual solution
offered. So if anyone can give me a pointer or two on this I'd
appreciate it.

Cheers,
Waider.
-- 
waider at waider.ie / Yes, it /is/ very personal of me.

Derrick says, "Well, there are altar girls there. But it's a sin to hit on
    jailbait in the house of the Lord."
