[Samba] is it possible to migrate to samba and keep existing SIDs?

Micha Niskin mnisk001 at cs.fiu.edu
Wed Aug 27 15:54:35 GMT 2003


John H Terpstra wrote:

>On Mon, 25 Aug 2003, Micha Niskin wrote:
>
>>Hello,
>>
>>I am using samba-3.0beta3 on linux (RedHat 7.3). I noticed that 'net rpc
>>vampire' does not retrieve the existing SIDs from the domain PDC, rather
>>it creates new ones. This is a problem if users have files saved locally
>>on their NT workstations, as the SIDs won't match after the migration to
>>samba PDC. Is there a way to migrate from an NT PDC to a samba one and
>>still maintain the users' SIDs? Thanks!
>
>Did you follow the information outlined in the chapter "NT4 Migration to
>Samba-3" in the Samba-HOWTO-Collection.pdf that ships with Samba-3?
>
>If not, what precisely did you do to migrate your user accounts to
>Samba-3.0.0?
>
>PS: The documentation has holes that will be fixed before samba-3 is
>released.
>
>- John T.

Thank you for your response! Yes, I followed the instructions in the 
howto that came with samba 3.0rc1. Here is the smb.conf file I am using 
for BDC mode:

;
; smb.conf - samba configuration file
;
[global]
   netbios name  = rustbucket
   workgroup     = TNG-PDC-TEST1

   ;os level         = 99
   domain master    = no
   domain logons    = yes
   local master     = yes
   preferred master = yes

   security = user
   encrypt passwords = yes
   smb passwd file = /var/samba/smbpasswd
   ;password server = *

   admin users = @root

   add group script = /local/adm/accounts/scripts/smbgroupadd.sh "%g"
   add user script = /local/adm/accounts/scripts/smbuseradd.sh "%u"
   add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false "%u"

   logon home = /local/adm/accounts/home
   logon path = /local/adm/accounts/profile
   logon drive = U

; necessary share for domain controller
[netlogon]
    ;put the login script in this directory
    path       = /local/adm/accounts/tng-netlogon
    read only  = yes
    write list = root

[MYSHARE]
   path        = /local/adm/accounts/myshare
   read only   = no
   ;write list  = root



I added the samba machine to the NT network as a BDC in the server 
manager of the NT PDC (samba not running). I did "net rpc join" followed 
by "net rpc testjoin". A-OK so far. Then I tried to get the account info 
from the PDC with "net rpc vampire", and here's the output of that command:

[root@rustbucket root]# net rpc vampire
Fetching DOMAIN database
SAM_DELTA_DOMAIN_INFO not handled
Creating unix group: 'Domain Users'
Creating account: Administrator
10014
[2003/08/27 07:25:28, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
  fetch_account: Running the command `/local/adm/accounts/scripts/smbuseradd.sh "Administrator"' gave 0
Creating account: Guest
10015
[2003/08/27 07:25:28, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
  fetch_account: Running the command `/local/adm/accounts/scripts/smbuseradd.sh "Guest"' gave 0
Creating account: GROUPER$
[2003/08/27 07:25:28, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
  fetch_account: Running the command `/usr/sbin/adduser  -n -g  machines  -c Machine -d /dev/null -s /bin/false "GROUPER$"' gave 0
[2003/08/27 07:25:28, 0] passdb/pdb_smbpasswd.c:smbpasswd_update_sam_account(1415)
  smbpasswd_update_sam_account: mod_smbfilepwd_entry failed!
[2003/08/27 07:25:28, 1] utils/net_rpc_samsync.c:fetch_account_info(475)
  SAM Account for GROUPER$ failed to be updated in the passdb!
Creating account: WIN2KCLIENT$
[2003/08/27 07:25:29, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
  fetch_account: Running the command `/usr/sbin/adduser  -n -g  machines  -c Machine -d /dev/null -s /bin/false "WIN2KCLIENT$"' gave 0
Creating account: user1
10018
[2003/08/27 07:25:29, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
  fetch_account: Running the command `/local/adm/accounts/scripts/smbuseradd.sh "user1"' gave 0
Creating account: user2
10019
[2003/08/27 07:25:29, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
  fetch_account: Running the command `/local/adm/accounts/scripts/smbuseradd.sh "user2"' gave 0
[2003/08/27 07:25:29, 0] passdb/pdb_smbpasswd.c:build_smb_pass(1129)
  build_sam_pass: Failing attempt to store user with non-uid based user RID.
[2003/08/27 07:25:29, 1] utils/net_rpc_samsync.c:fetch_account_info(466)
  SAM Account for user2 failed to be added to the passdb!
Creating account: user3
10020
[2003/08/27 07:25:30, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
  fetch_account: Running the command `/local/adm/accounts/scripts/smbuseradd.sh "user3"' gave 0
Creating account: dadmin
10021
[2003/08/27 07:25:30, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
  fetch_account: Running the command `/local/adm/accounts/scripts/smbuseradd.sh "dadmin"' gave 0
Creating account: XPCL$
[2003/08/27 07:25:30, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
  fetch_account: Running the command `/usr/sbin/adduser  -n -g  machines  -c Machine -d /dev/null -s /bin/false "XPCL$"' gave 0
Creating account: RUSTBUCKET$
[2003/08/27 07:25:31, 1] utils/net_rpc_samsync.c:fetch_account_info(440)
  fetch_account: Running the command `/usr/sbin/adduser  -n -g  machines  -c Machine -d /dev/null -s /bin/false "RUSTBUCKET$"' gave 0
Group members of root: Administrator,dadmin,
[2003/08/27 07:25:31, 1] utils/net_rpc_samsync.c:fetch_group_mem_info(615)
  Found bogus group member: 1055 (member_sid=S-1-5-21-1343692548-746159144-1190612905-1055 group=Domain Users)
Group members of Domain Users: Administrator,Guest,WIN2KCLIENT$,user1,user3,XPCL$,dadmin,RUSTBUCKET$,
Group members of nobody: nobody(primary),
Fetching BUILTIN database
[2003/08/27 07:25:31, 0] rpc_client/cli_pipe.c:rpc_api_pipe_req(1025)
  SCHANNEL ERROR: seq_num must be even in client (seq_num=3)
SAM_DELTA_DOMAIN_INFO not handled
Creating unix group: 'Print Operators'
Creating unix group: 'Server Operators'
Creating unix group: 'Users'

As you can see, some of the users were not collected properly. I looked 
into the source a little and it looks like the SAM_DELTA_DOMAIN_INFO is 
not implemented yet, so I assume that it's not needed to grab the SIDs. 
Also, I used a script like the one described in the groupmapping howto 
to create the new users and groups (it returns the UID/GID on stdout). 
If I don't use these scripts I get weird errors like "Can't add user 
with non-uid rid" and things like that.