[Samba] Re: Transferring Machine Accounts / MACHINE.SID

Andrew Bartlett abartlet at samba.org
Fri Dec 26 22:41:37 GMT 2003


On Sat, 2003-12-27 at 07:10, Information Technology wrote:
> Andrew Bartlett writes: 
> 
> > On Sat, 2003-12-20 at 05:53, Kevin Fries wrote:
> >> Kevin Fries wrote: 
> >> 
> >> > I have a Samba 2.2.7 PDC, and I am now trying to set up a new 3.0.1
> >> > server. I want this machine to act as a BDC initially and replicate all
> >> > the
> >> > accounts over.  
> > 
> > Unfortunately, this is not a supported configuration, for live clients. 
> > If, while the 'BDC' is operational, a machine changes its machine
> > account password, then it is possible for it to be changed on the BDC,
> > but not the PDC.  
> 
> This is actually GOOD news.  The goal was to rebuild my PDC.  So I set up a 
> second machine with the newest version of Samba (I was going to upgrade 
> anyway) and configured it as a BDC.  Now that it is actually working, I will 
> shut off the PDC and promote the BDC.  So, if changes are made in the BDC 
> that are not on the BDC, no problem. 

As long as no other changes were made to the PDC.  Basically, unless you
have a properly replicating LDAP setup, you can only have one Samba DC
live at any one time. 

> > 
> >> > When I followed the howto it said to use smbpasswd -S to
> >> > transfer the machine SID and then to replicate the smbpasswd file to the
> >> > new server.  This has caused two major problems:
> >> > 
> >> >   1) the smbpasswd command does not support the -S option
> > 
> > In 3.0? That is because that option moved to 'net' as 'net getlocalsid'
> > and 'net setlocalsid' (I think, read the BDC doco in the HOWTO).
> 
> Yea, I eventually found it.  But this feature has changed so many times, 
> that every HOW-TO seems to have a different process.  It took a week after 
> my original message to find a process that worked.  For the record, I used 
> the getlocalsid on the old PDC to print it out.  Then in a separate terminal 
> window, I issued a net setlocalsid on the new 3.0 BDC, used copy and paste 
> between the windows, and all seems as it should. 
> 
> > 
> >> >   2) My user accounts transferred to the new machine, but not the machine
> >> >      trust accounts. 
> >> 
> >> OK, found this one.  I forgot to move the posix accounts over to the new
> >> machines and Samba silently ignored the accounts.  pdbedit on the other
> >> hand screamed bloody murder.  Added PosixAccount to my machine entries in
> >> the new LDAP server, and Samba 3 found them thanks to nss_ldap. 
> >> 
> >> However, I still do not have a MACHINE.SID file because the smbpasswd
> >> command does not work as advertised.  Is it OK to just copy that file from
> >> the old machine?
> > 
> > If you don't have a secrets.tdb, then we will read that file on startup. 
> > 
> > Andrew Bartlett 
> > 
> > -- 
> > Andrew Bartlett                                 abartlet at pcug.org.au
> > Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> > Student Network Administrator, Hawker College   abartlet at hawkerc.net
> > http://samba.org     http://build.samba.org     http://hawkerc.net
> 
> One additional thing I noticed in transferring my accounts I thought I would 
> mention.  It's annoying, but easy to fix. 
> 
> My goal is to rebuild my PDC as I mentioned earlier.  I stated in another 
> thread my plan was to create a 3.0.1 BDC; transfer the accounts; transfer the 
> shares; then, move the user and system accounts into LDAP.  Once the PDC is 
> rebuilt and I need to transfer control back, it should be simple to move the 
> LDAP first, point the new Samba to the new primary LDAP, and demote the 
> temporary PDC back down to BDC. 

And to make it a real BDC, setup an LDAP slave.

> When I transferred the accounts from smbpassword to LDAP, the transition 
> tools did a really stupid thing.  I have my accounts in LDAP under common 
> name not username.  So an LDIF entry starts like: 

You used pdbedit -i smbpasswd -e ldapsam for this?  I know our passdb
tools always do the search first.

> dn: cn=Joe user,dc=hcico,dc=com
> cn: Joe User
> sn: User
> givenName: Joe
> uid: juser
> <etc> 
> 
> When Samba transferred the accounts to LDAP, it created a second entry in 
> the address book like so: 
> 
> dn: uid=juser,dc=hcico,dc=com
> cn: Joe User
> sn: User
> givenName: Joe
> uid: juser 
> 
> In the translation, the script needs to look to see if the record already 
> exists.  This should be fairly simple if you set the filter to "uid=%L" to 
> see if any entry already claims that login. 
> 
> I manually went in and combined the two entries into one.  Not a difficult 
> task, but quite high on the annoyance scale. 

File a bug :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
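The duplicate-entry problem described in the message above, as an added example that is not part of the thread or of Samba's own tools: it parses LDIF shaped like the quoted entries, performs the (uid=<login>) existence check the poster says the migration should have done, and folds the duplicate uid= entry into the original cn= entry. The sample LDIF and the sambaSID value are constructed placeholders.

```python
# Added example, not from the thread: fold the migration-created uid=juser
# entry into the pre-existing cn=Joe User entry. The LDIF is constructed.
SAMPLE_LDIF = """\
dn: cn=Joe User,dc=hcico,dc=com
objectClass: inetOrgPerson
cn: Joe User
uid: juser

dn: uid=juser,dc=hcico,dc=com
objectClass: sambaSamAccount
cn: Joe User
uid: juser
sambaSID: S-1-5-21-PLACEHOLDER-1001
"""

def parse_ldif(text):  # single-line-attribute LDIF -> [(dn, {attr: [values]})]
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        entries.append((dn, attrs))
    return entries

def find_by_uid(entries, uid):
    """Like a (uid=<login>) search: every DN that already claims the login."""
    return [dn for dn, attrs in entries if uid in attrs.get("uid", [])]

def merge_duplicates(entries):
    """Merge each uid=<login> entry into the earlier entry with the same uid,
    copying attributes and objectClasses. Returns (merged, dns_to_delete)."""
    by_dn, to_delete = dict(entries), []
    for dn, attrs in entries:
        if not dn.lower().startswith("uid="):
            continue
        others = [d for d in find_by_uid(entries, attrs["uid"][0]) if d != dn]
        if not others:
            continue  # no earlier entry claims the login: nothing to merge
        target = by_dn[others[0]]  # the pre-existing cn=... entry
        for key, values in attrs.items():
            for v in values:
                if v not in target.setdefault(key, []):
                    target[key].append(v)
        to_delete.append(dn)
    return [e for e in entries if e[0] not in to_delete], to_delete
```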