[Samba] PDC Functions

Scott Phelps sphelps at idgways.com
Sun Aug 10 22:00:43 GMT 2003


On Fri, 2003-08-08 at 10:41, Mike Miller wrote:
> What I'm attempting to do is get services for unix working on a win2k box, 
> running off of a samba PDC.   I am having great difficulty doing so.  I have 
> added a trust relationship and added the 2k server into the domain.  I then 
> try and change ownership to anyone in the domain without luck.  It always 
> gives me that the Sid Lookup Failed.  Microsoft said the following and 
> basically told me to use an NT/2k PDC.  I completely trust the machine in 
> every way, so I'm not too worried about security of the machine, however I 
> want it to work on these RPC calls to get the SIDs.  For some reason, it 
> doesn't seem to be giving me any SIDs.  Any ideas?

A couple of things:
1. All shared files must have the same UID/GID mappings. NFS handles
permissions by UID/GID, so if you are getting your UID/GID information
from an LDAP server this is not a problem. All information is always
consistent.

2. Since SIDs of domain accounts (users, groups, or computers) include a
SID assigned to the domain in which they are created, your SMB Server
will need the user's RID and domain SID in order for the clients to
access volumes.  

Here's why:
The <MACHINE SID> along with the <DOMAIN SID> is used during the
challenge-auth stage to determine if the machine can access the domain. 
After that the domain SID is concatenated with the RID of the account
to create the account's unique identifier.

Conclusion,
As long as you clone the Domain SID, User RID, and NT/LM Hashed Password
you should be good to go.

PS.  I don't know if you are using Samba 2.2 or Samba 3, but remember,
Samba 3 [is] still beta.  I haven't seen *a single* post from anybody who
successfully and seamlessly migrated an NT PDC to a Samba 3 PDC.

However, I can say that I have done this with 2.2.8a and LDAP completely
and flawlessly.  ;-)

Hope this helps.

--
Scott


