[Samba] is it possible to migrate to samba and keep existing SIDs?
Micha Niskin
mnisk001 at cs.fiu.edu
Wed Aug 27 15:54:35 GMT 2003
John H Terpstra wrote:
>On Mon, 25 Aug 2003, Micha Niskin wrote:
>
>>Hello,
>>
>>I am using samba-3.0beta3 on linux (RedHat 7.3). I noticed that 'net rpc
>>vampire' does not retrieve the existing SIDs from the domain PDC, rather
>>it creates new ones. This is a problem if users have files saved locally
>>on their NT workstations, as the SIDs won't match after the migration to
>>samba PDC. Is there a way to migrate from an NT PDC to a samba one and
>>still maintain the users' SIDs? Thanks!
>
>Did you follow the information outlined in the chapter "NT4 Migration to
>Samba-3" in the Samba-HOWTO-Collection.pdf that ships with Samba-3?
>
>If not, what precisely did you do to migrate your user accounts to
>Samba-3.0.0?
>
>PS: The documentation has holes that will be fixed before samba-3 is
>released.
>
>- John T.
>
Thank you for your response! Yes, I followed the instructions in the
howto that came with samba 3.0rc1. Here is the smb.conf file I am using
for BDC mode:
;
; smb.conf - samba configuration file
;
[global]
netbios name = rustbucket
workgroup = TNG-PDC-TEST1
;os level = 99
domain master = no
domain logons = yes
local master = yes
preferred master = yes
security = user
encrypt passwords = yes
smb passwd file = /var/samba/smbpasswd
;password server = *
admin users = @root
add group script = /local/adm/accounts/scripts/smbgroupadd.sh "%g"
add user script = /local/adm/accounts/scripts/smbuseradd.sh "%u"
add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false "%u"
logon home = /local/adm/accounts/home
logon path = /local/adm/accounts/profile
logon drive = U
; necessary share for domain controller
[netlogon]
;put the login script in this directory
path = /local/adm/accounts/tng-netlogon
read only = yes
write list = root
[MYSHARE]
path = /local/adm/accounts/myshare
read only = no
;write list = root
I added the samba machine to the NT network as a BDC in the server
manager of the NT PDC (samba not running). I did "net rpc join" followed
by "net rpc testjoin". A-OK so far. Then I tried to get the account info
from the PDC with "net rpc vampire", and here's the output of that command:
[root at rustbucket root]# net rpc vampire
Fetching DOMAIN database
SAM_DELTA_DOMAIN_INFO not handled
Creating unix group: 'Domain Users'
Creating account: Administrator
10014
[2003/08/27 07:25:28, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
fetch_account: Running the command
`/local/adm/accounts/scripts/smbuseradd.sh "Administrator"' gave 0
Creating account: Guest
10015
[2003/08/27 07:25:28, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
fetch_account: Running the command
`/local/adm/accounts/scripts/smbuseradd.sh "Guest"' gave 0
Creating account: GROUPER$
[2003/08/27 07:25:28, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
fetch_account: Running the command `/usr/sbin/adduser -n -g
machines -c Machine -d /dev/null -s /bin/false "GROUPER$"' gave 0
[2003/08/27 07:25:28, 0]
passdb/pdb_smbpasswd.c:smbpasswd_update_sam_account(1415)
smbpasswd_update_sam_account: mod_smbfilepwd_entry failed!
[2003/08/27 07:25:28, 1] utils/net_rpc_samsync.c:fetch_account_info(475)
SAM Account for GROUPER$ failed to be updated in the passdb!
Creating account: WIN2KCLIENT$
[2003/08/27 07:25:29, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
fetch_account: Running the command `/usr/sbin/adduser -n -g
machines -c Machine -d /dev/null -s /bin/false "WIN2KCLIENT$"' gave 0
Creating account: user1
10018
[2003/08/27 07:25:29, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
fetch_account: Running the command
`/local/adm/accounts/scripts/smbuseradd.sh "user1"' gave 0
Creating account: user2
10019
[2003/08/27 07:25:29, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
fetch_account: Running the command
`/local/adm/accounts/scripts/smbuseradd.sh "user2"' gave 0
[2003/08/27 07:25:29, 0] passdb/pdb_smbpasswd.c:build_smb_pass(1129)
build_sam_pass: Failing attempt to store user with non-uid based user RID.
[2003/08/27 07:25:29, 1] utils/net_rpc_samsync.c:fetch_account_info(466)
SAM Account for user2 failed to be added to the passdb!
Creating account: user3
10020
[2003/08/27 07:25:30, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
fetch_account: Running the command
`/local/adm/accounts/scripts/smbuseradd.sh "user3"' gave 0
Creating account: dadmin
10021
[2003/08/27 07:25:30, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
fetch_account: Running the command
`/local/adm/accounts/scripts/smbuseradd.sh "dadmin"' gave 0
Creating account: XPCL$
[2003/08/27 07:25:30, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
fetch_account: Running the command `/usr/sbin/adduser -n -g
machines -c Machine -d /dev/null -s /bin/false "XPCL$"' gave 0
Creating account: RUSTBUCKET$
[2003/08/27 07:25:31, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
fetch_account: Running the command `/usr/sbin/adduser -n -g
machines -c Machine -d /dev/null -s /bin/false "RUSTBUCKET$"' gave 0
Group members of root: Administrator,dadmin,
[2003/08/27 07:25:31, 1] utils/net_rpc_samsync.c:fetch_group_mem_info(615)
Found bogus group member: 1055
(member_sid=S-1-5-21-1343692548-746159144-1190612905-1055 group=Domain
Users)
Group members of Domain Users:
Administrator,Guest,WIN2KCLIENT$,user1,user3,XPCL$,dadmin,RUSTBUCKET$,
Group members of nobody: nobody(primary),
Fetching BUILTIN database
[2003/08/27 07:25:31, 0] rpc_client/cli_pipe.c:rpc_api_pipe_req(1025)
SCHANNEL ERROR: seq_num must be even in client (seq_num=3)
SAM_DELTA_DOMAIN_INFO not handled
Creating unix group: 'Print Operators'
Creating unix group: 'Server Operators'
Creating unix group: 'Users'
As you can see, some of the users were not collected properly. I looked
into the source a little and it looks like the SAM_DELTA_DOMAIN_INFO is
not implemented yet, so I assume that it's not needed to grab the SIDs.
Also, I used a script like the one described in the groupmapping howto
to create the new users and groups (it returns the UID/GID on stdout).
If I don't use these scripts I get weird errors like "Can't add user
with non-uid rid" and things like that.
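To make the "non-uid based user RID" failure in the log concrete, here is an added Python illustration (not from this thread and not Samba's own code) of the algorithmic uid/RID mapping that the smbpasswd backend relies on: user RID = uid * 2 + base, group RID = gid * 2 + base + 1, base defaulting to 1000, so user RIDs are even and group RIDs odd. The domain SID and RID 1055 are taken from the log above; pairing 1055 with user2's uid 10019 is a constructed assumption, as is the base value.

```python
# Added illustration of the algorithmic RID scheme behind the smbpasswd backend.
# Assumption: rid = uid * 2 + base (users), gid * 2 + base + 1 (groups), base = 1000.
import re

RID_BASE = 1000        # assumed default "algorithmic rid base"
RID_MULTIPLIER = 2

def uid_to_user_rid(uid, base=RID_BASE):
    """RID the smbpasswd backend derives from a unix uid."""
    return uid * RID_MULTIPLIER + base

def gid_to_group_rid(gid, base=RID_BASE):
    """RID the smbpasswd backend derives from a unix gid."""
    return gid * RID_MULTIPLIER + base + 1

def rid_is_user(rid):
    """Under the algorithmic scheme, even RIDs are users and odd RIDs are groups."""
    return rid % 2 == 0

def user_rid_to_uid(rid, base=RID_BASE):
    """Inverse mapping; refuses RIDs that no uid could have produced."""
    if not rid_is_user(rid) or rid < base:
        raise ValueError("RID %d is not an algorithmic user RID" % rid)
    return (rid - base) // RID_MULTIPLIER

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain SID, rid)."""
    m = re.fullmatch(r"(S-1-\d+(?:-\d+)+)-(\d+)", sid)
    if m is None:
        raise ValueError("not a SID: %r" % sid)
    return m.group(1), int(m.group(2))

def smbpasswd_can_store(nt_rid, uid, base=RID_BASE):
    """The backend only stores an account whose RID equals the uid-derived one."""
    return uid_to_user_rid(uid, base) == nt_rid

def audit_vampire(domain_sid, accounts, base=RID_BASE):
    """accounts: {name: (rid_on_nt_pdc, unix_uid)}.
    Returns {name: (sid_on_nt, sid_samba_would_issue)} for accounts that lose their SID."""
    lost = {}
    for name, (nt_rid, uid) in accounts.items():
        if not smbpasswd_can_store(nt_rid, uid, base):
            lost[name] = ("%s-%d" % (domain_sid, nt_rid),
                          "%s-%d" % (domain_sid, uid_to_user_rid(uid, base)))
    return lost

# Constructed sample: domain SID and RID 1055 from the log; uid 10019 is what the
# add user script returned for user2. The pairing itself is an assumption.
DOMAIN_SID = "S-1-5-21-1343692548-746159144-1190612905"
SAMPLE_ACCOUNTS = {"user2": (1055, 10019)}
```

Any account reported by `audit_vampire` would receive a freshly derived SID on the Samba side, which is exactly the mismatch with locally stored ACLs the original question describes.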