[Samba] Re: Transfering Machine Accounts / MACHINE.SID

Information Technology it at hcico.com
Fri Dec 26 20:10:05 GMT 2003

Andrew Bartlett writes: 

> On Sat, 2003-12-20 at 05:53, Kevin Fries wrote:
>> Kevin Fries wrote: 
>> > I have a Samba 2.2.7 PDC, and I am now trying to set up a new 3.0.1
>> > server. I want this machine to act as a BDC initially and replicate all
>> > the accounts over.  
> Unfortunately, this is not a supported configuration, for live clients. 
> If, while the 'BDC' is operational, a machine changes its machine
> account password, then it is possible for it to be changed on the BDC,
> but not the PDC.  

This is actually GOOD news.  The goal was to rebuild my PDC.  So I set up a 
second machine with the newest version of Samba (I was going to upgrade 
anyway) and configured it as a BDC.  Now that it is actually working, I will 
shut off the PDC and promote the BDC.  So, if changes are made in the BDC 
that are not on the BDC, no problem. 

>> > When I followed the howto it said to use smbpasswd -S to
>> > transfer the machine SID and then to replicate the smbpasswd file to the
>> > new server.  This has caused two major problems:
>> > 
>> >   1) the smbpasswd command does not support the -S option
> In 3.0? That is because that option moved to 'net' as 'net getlocalsid'
> and 'net setlocalsid' (I think, read the BDC doco in the HOWTO).

Yea, I eventually found it.  But this feature has changed so many times 
that every HOW-TO seems to have a different process.  It took a week after 
my original message to find a process that worked.  For the record, I used 
net getlocalsid on the old PDC to print it out.  Then in a separate terminal 
window, I issued a net setlocalsid on the new 3.0 BDC, used copy and paste 
between the windows, and all seems as it should. 

>> >   2) My user accounts transferred to the new machine, but not the machine
>> >      trust accounts. 
>> OK, found this one.  I forgot to move the posix accounts over to the new
>> machines and Samba silently ignored the accounts.  pdbedit on the other
>> hand screamed bloody murder.  Added PosixAccount to my machine entries in
>> the new LDAP server, and Samba 3 found them thanks to nss_ldap. 
>> However, I still do not have a MACHINE.SID file because the smbpasswd
>> command does not work as advertised.  Is it OK to just copy that file from
>> the old machine?
> If you don't have a secrets.tdb, then we will read that file on startup. 
> Andrew Bartlett 
> -- 
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net

One additional thing I noticed in transferring my accounts I thought I would 
mention.  It's annoying, but easy to fix. 

My goal is to rebuild my PDC as I mentioned earlier.  I stated in another 
thread my plan was to create a 3.0.1 BDC; transfer the accounts; transfer the 
shares; then, move the user and system accounts into LDAP.  Once the PDC is 
rebuilt and I need to transfer control back, it should be simple to move the 
LDAP first, point the new Samba to the new primary LDAP, and demote the 
temporary PDC back down to BDC. 

When I transferred the accounts from smbpasswd to LDAP, the transition 
tools did a really stupid thing.  I have my accounts in LDAP under common 
name, not username.  So an LDIF entry starts like: 

dn: cn=Joe user,dc=hcico,dc=com
cn: Joe User
sn: User
givenName: Joe
uid: juser

When Samba transferred the accounts to LDAP, it created a second entry in 
the address book like so: 

dn: uid=juser,dc=hcico,dc=com
cn: Joe User
sn: User
givenName: Joe
uid: juser 

In the translation, the script needs to look to see if the record already 
exists.  This should be fairly simple if you set the filter to "uid=%L" to 
see if any entry already claims that login. 

I manually went in and combined the two entries into one.  Not a difficult 
task, but quite high on the annoyance scale. 

Just an FYI
Kevin Fries 
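The "check whether uid=%L already exists before adding" step Kevin asks the migration tool for, as an added example that is not part of this thread or of Samba's own scripts. It parses two constructed LDIF fragments offline (the cn-keyed person entry from the post, and what a migration tool might emit), merges Samba attributes onto an entry that already claims the uid, and only adds a fresh dn for accounts with no existing entry; the SID values are placeholders.

```python
from collections import OrderedDict

# Constructed sample: the cn-keyed entry from the post, then what the migration
# tool emitted (a duplicate dn under uid=juser) plus a machine account that has
# no existing entry. SID values are placeholders, not real SIDs.
EXISTING_LDIF = """dn: cn=Joe User,dc=hcico,dc=com
cn: Joe User
uid: juser
objectClass: posixAccount"""
SAMBA_LDIF = """dn: uid=juser,dc=hcico,dc=com
cn: Joe User
uid: juser
objectClass: sambaSamAccount
sambaSID: S-1-5-21-PLACEHOLDER-1000

dn: uid=ws01$,dc=hcico,dc=com
uid: ws01$
objectClass: sambaSamAccount
sambaSID: S-1-5-21-PLACEHOLDER-1001"""

def parse_ldif(text):
    """Minimal LDIF parser (no folding, no '::' base64) -> list of attr -> [values]."""
    entries, cur = [], OrderedDict()
    for line in text.splitlines() + [""]:  # sentinel blank flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = OrderedDict()
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def merge_samba_entries(existing, incoming):
    """Apply the 'does uid=%L already exist?' check: merge Samba attributes onto the
    entry that already claims the uid; otherwise add. Returns (merged, new_dns)."""
    merged = [OrderedDict((k, list(v)) for k, v in e.items()) for e in existing]
    by_uid = {e["uid"][0]: e for e in merged if "uid" in e}
    added, identity = [], {"dn", "cn", "sn", "givenName", "uid"}
    for entry in incoming:
        target = by_uid.get(entry.get("uid", [None])[0])
        if target is None:  # genuinely new account: keep the tool's entry as-is
            merged.append(OrderedDict((k, list(v)) for k, v in entry.items()))
            added.append(entry["dn"][0])
            continue
        for attr, values in entry.items():  # merge sambaSID, objectClass, ... onto it
            if attr not in identity:
                for v in values:
                    if v not in target.setdefault(attr, []):
                        target[attr].append(v)
    return merged, added
```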
