[Samba] Re: Transfering Machine Accounts / MACHINE.SID
it at hcico.com
Fri Dec 26 20:10:05 GMT 2003
Andrew Bartlett writes:
> On Sat, 2003-12-20 at 05:53, Kevin Fries wrote:
>> Kevin Fries wrote:
>> > I have a Samba 2.2.7 PDC, and I am now trying to set up a new 3.0.1
>> > server. I want this machine to act as a BDC initially and replicate all
>> > the
>> > accounts over.
> Unfoutunetly, this is not a supported configuration, for live clients.
> If, while the 'BDC' is operational, a machine changes it's machine
> account password, then it is possible for it to be changed on the BDC,
> but not the PDC.
This is actually GOOD news. The goal was to rebuild my PDC. So I set up a
second machine with the newest version of Samba (I was going to upgrade
anyway) and configured it as a BDC. Now that it is actually working, I will
shut off the PDC and promote the BDC. So, if changes are made in the BDC
that are not on the BDC, no problem.
>> > When I followed the howto it said to use smbpasswd -S to
>> > transfer the machine SID and then to replicate the smbpasswd file to the
>> > new server. This has caused two major problems:
>> > 1) the smbpasswd command does not support the -S option
> In 3.0? That is because that option moved to 'net' as 'net getlocalsid'
> and 'net setlocalsid' (I think, read the BDC doco in the HOWTO).
Yea, I eventually found it. But this feature has changed so many times,
that every HOW-TO seems to have a different process. It took a week after
my original message to find a process that worked. For the record, I used
the getlocalsid on the old PDC to print it out. Then in a separate terminal
window, I issued a net setlocalsid on the new 3.0 BDC, used copy and paste
between the windows, and all seems as it should.
>> > 2) My user accounts transfered to the new machine, but not the machine
>> > trust accounts.
>> OK, found this one. I forgot to move the posix accounts over to the new
>> machines and Samba silently ignored the accounts. pdbedit on the other
>> hand screamed bloody murder. Added PosixAccount to my machine entries in
>> the new LDAP server, and Samba 3 found them thanks to nss_ldap.
>> However, I still do not have a MACHINE.SID file because the smbpasswd
>> command does not work as advertised. Is it OK to just copy that file from
>> the old machine?
> If you don't have a secrets.tdb, then we will read that file on startup.
> Andrew Bartlett
> Andrew Bartlett abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team abartlet at samba.org
> Student Network Administrator, Hawker College abartlet at hawkerc.net
> http://samba.org http://build.samba.org http://hawkerc.net
One additional thing I noticed in transfering my accounts I thought I would
mention. Its annoying, but easy to fix.
My goal is to rebuild my PDC as I mentioned earlier. I stated in another
thread my plan was to create a 3.0.1 BDC; tranfer the accounts; transfer the
shares; then, move the user and system accounts into LDAP. Once the PDC is
rebuild and I need to transfer control back, It should be simple to move the
LDAP first, point the new Samba to the new primary LDAP, and demote the
temporary PDC back down to BDC.
When I transferred the accounts from smbpassword to LDAP, the transition
tools did a really stupid thing. I have my accounts in LDAP under common
name not username. So an LDIF entry starts like:
dn: cn=Joe user,dc=hcico,dc=com
cn: Joe User
When Samba transferred the accounts to LDAP, it created a second entry in
the address book like so:
cn: Joe User
In the translation, the script needs to look to see if the record already
exists. This should be fairly simple if you set the filter to "uid=%L" to
see if any entry already claims that login.
I manually went in a combined the two entries into one. Not a difficult
task, but quite high on the annoyance scale.
Just an FYI
More information about the samba