[Samba] Creation of Domain- and PDC-SID in samba
John H Terpstra
jht at samba.org
Sun Dec 28 22:24:18 GMT 2003
Craig,
I feel your pain, but just want to comment that I have now completed
chapter 8 of my new book "Samba-3 by Example". This chapter is called,
"Migration from NT4 to Samba-3," and in it I have documented the precise
steps for migration using LDAP ldapsam, as well as using tdbsam.
It all went pretty smoothly.
The key gotcha's I found are:
1. You must configure LDAP correctly to start off, have a clean Samba
install (never started - ie: no tdb files and no secrets.tdb file).
Note: LDAP should have only the top-level entry, plus the container
entries for People and Groups.
2. You must edit smbldap_conf.pm and smb.conf correctly, then do:
smbpasswd -w 'LDAP_admin_password'
Note: Have "domain master = No"
3. You must do:
net rpc getsid -S 'NT4server_name' -W 'Domain'
-UAdministrator%'password'
4. You should then join the domain as a BDC:
net rpc join -S 'NT4server_name' -UAdministrator%'password'
5. Start Samba
6. Suck off the accounts:
net rpc vampire -S 'NT4server_name' -UAdministrator%'password'
Of course, the choke-points are getting LDAP to accept all accounts with
both the Posix and SambaSAM entries.
Here is the output from my last Vampire:
<root> # net rpc vampire -S NT4S
Fetching DOMAIN database
SAM_DELTA_DOMAIN_INFO not handled
Creating account: Administrator
Creating account: Guest
Creating account: NT4S$
Creating account: massive$
Creating account: barryf
Creating account: gdaison
Creating account: atrikhoffer
Creating account: hramsbotham
Creating account: fsellerby
Creating account: jrhapsody
Group members of Domain Admins:
Group members of Domain Users: NT4S$(primary),massive$(primary),
Group members of Domain Guests: nobody(primary),
Group members of rubberboot:
Group members of engineers:
Group members of accounting:
Group members of catalyst:
Group members of shipping:
Group members of receiving:
Group members of marketiod:
Group members of sales:
Fetching BUILTIN database
SAM_DELTA_DOMAIN_INFO not handled
The errors regarding the SAM_DELTA_DOMAIN_INFO are normal because Samba
does not know how to handle that.
NT4S is the NT4 PDC, MASSIVE is my Samba-3 BDC.
I guess this does not help you, but I did want to clear the air that
Vampire is not that big a monster - at all.
Cheers,
John T.
On Sun, 28 Dec 2003, Craig White wrote:
> On Sun, 2003-12-28 at 09:00, Michael Gasch wrote:
> > hi
> >
> > just a question to understand
> >
> > we have a NT PDC and i successfully transfered it's data to samba 3.0
> > because we're cautious i let the NT PDC "online" (domain=evan) and
> > introduced samba with the same date in a new domain (domain=testevan)
> > for testing purposes
> >
> > to get rid of conflicts i had to change the SID of the samba server,
> > because my knowledge tells me: "a sid hast to be unique in a network"
> >
> > so i changed the sid to a value different from the evan-sid
> > okay...still, everything is working fine
> >
> > but: isn't there a tool, which creates a unique sid for my new
> > (test)domain like sidchanger for NT?
> > because i can't be sure that the sid i entered for the new domain
> > "testevan" is unique
> ---
> I've been struggling with the problem of previous NT PDC and in my case,
> trying to figure out how to keep it online while I ease the transition.
> It appears to me that the 'vampire' tools is a monster, and how you deal
> with it is left to the imagination of the admin.
>
> Anyway, to answer your question...
> 'net getlocalsid' will tell your your Domain SID
> 'net setlocalsid' will allow you to change it to whatever you want but
> recognize that the accounts created by the 'net rpc vampire' will all
> have the localsid (SID) set by the value that is in your new account
> script, which in my case - was the smbldap_conf.pm YMMV.
>
> Thus, if you want the users to use your new domain's PDC, they would
> have to have the correct SID.
>
> Craig
>
>
>
--
John H Terpstra
Email: jht at samba.org
More information about the samba
mailing list